General Data Protection Regulation
Compliance fast and pragmatic
With the publication of the final version of GDPR (General Data Protection Regulation), the European Union has created a legally binding, uniform set of rules for the protection of personal data and data misuse after long-lasting political debates. This applies to all companies operating within the European Union since 25 May 2018.
It is urgent to take the necessary measures to achieve GDPR compliance by this date, and, in particular, the IT department needs to carry out a wide range of activities.
Many new regulations become effective with GDPR. The following is a summary of some of the most important ones:
- Fines: Infringements of the GDPR Guidelines can lead to considerable damage to the affected company, both in terms of reputation and public opinion, as well as economically by the stipulated Draconian maximum penalties. In the maximum case, GDPR imposes penalties of up to € 20 million or 4% of the company’s worldwide annual turnover, e.g. in the case of inadequate processes for obtaining consent to data processing or in the case of serious breaches of privacy by design principles.
- Reporting: Data protection violations must be reported within 72 hours after knowledge.
- Rights of stakeholders: New rights for data erasure and data transferability.
- Data processing: Companies must “take appropriate technical and organizational measures” to protect personal data. These measures must be constantly reviewed and updated.
- Data Protection Impact Assessment: Companies are required to conduct a data protection impact assessment if it appears likely that the processing will result in high risks to privacy.
- Privacy by Design: “Customer shall implement appropriate technical and organizational measures to meet the requirements of this Regulation and to protect the rights of the persons concerned.” Article 23 requires taxpayers to keep and process data (data minimization) which is strictly necessary for the performance of their tasks, as well as to limit access to personal data to those who are required to carry out the processing.
Documentation obligation according to Article 30 GDPR: Controller are obliged to create and maintain, in writing or electronically, lists of all the following: the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; where possible, the envisaged time limits for erasure of the different categories of data; where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
In addition, many of the already existing regulations remain in a similar or complementary form.
These requirements present enormous challenges for management, departments and IT organizations. On the one hand, increasingly complex IT landscapes with heterogeneous systems and an increasing number of interfaces are not very transparent and thus frequently a gray zone regarding data processing. On the other hand, companies often lack the legal expertise to translate data protection laws into IT requirements.
CTI supports you, together with a legal expert, in the preparation of a tailor-made catalog of the information to be documented and of the measures to be taken. We are guided by the following checklist:
Architecture Management as professional basis
With our proven architecture know-how, we support you regarding the documentation and analysis of your application portfolio, the processing of data through applications and in business processes and the exchange of data between applications as well as with third parties via interfaces.
To speed up data collection, we use tools such as the CTI Landscape Analyzer for SAP Solutions, which allows you to read entire SAP landscapes together with interfaces (RFC, ALE, SAP PI / PO), data exchange relations and module usage. This makes the GDPR-relevant SAP systems transparent without complex interviews. The non-SAP landscape can be complemented by web-based questionnaires or workshops. In this way, the collection of the GDPR-relevant architectural data is precisely, valid and the effort is significantly reduced.
Beyond the actual intake, we are developing a roadmap together with you to remove weak points and risks in the current actual development. We would be pleased to advise you, for example, in the establishment of a central data management system within the company.
Furthermore, you benefit from our proven SAP knowledge, e.g. in the use of middleware systems (e.g. SAP PI / PO) or in the introduction of digital file solutions (e.g. digital personal files).