
GDPR compliance with SAP GRC

former_member91276
Active Participant

Hi All,

I have read numerous articles on GDPR compliance through GRC PC Controls, assessments and Policies, but could not find any which says which assessment needs to be applied.

My understanding is that Manual Control Performance can be used to certify if backend SAP systems have any violation in complying with GDPR.

And then ToE can be used to verify if the control passed or failed.

Please suggest if the above idea can fit a GDPR check through SAP PC.

Also, please suggest if Risk Management and Automated Monitoring can be used, with configurable examples.

Regards

Plaban

Answers (1)

madhusap
Active Contributor

Hi Plaban,

GDPR is a data privacy regulation, and as a first step you have to identify what personal data is processed in SAP and who has access to it. Once you have this information, the next step is to assess the controls that are required (Access/Process) to comply with the GDPR clauses. A few examples are below:

  • Create and distribute data protection impact assessments (DPIA) and process assessments, raising issues if any gaps are identified or based on the assessment scores
  • Associate GDPR requirements with internal controls over data protection in a central repository. These controls can be automated or manual, for example:
    1. Find users having access to personal data
    2. Restrict access to personal data (by using masking, recording view access to selected data fields, etc.)
    3. Manage the personal data lifecycle
    4. Monitor personal data access by administrators (e.g. viewing salary data, blacklist records, health records, etc.)
  • Manage GDPR-related policies including approval, distribution, acceptance, and reporting (using Policy Management)
  • Provide the DPO and stakeholders with real-time reporting on the status of GDPR compliance

Regards,

Madhu

former_member91276
Active Participant

Hi Madhu,

Thanks for your reply.

Yes, I am aware of the scoping, e.g. Personnel, Customer, Bank or Vendor master data. But I am unaware of DPIA, i.e. which type of manual assessments can cater to DPIA. I believe MCP can. And if so, what are the next steps after MCP?

Can you suggest any reference/link on the controls for DPIA?

Regards

Plaban