At SAP SuccessFactors, we keep a close watch on shifting regulatory frameworks and are committed to helping our customers comply with current regulations as well as with the regulations we anticipate in the future.
SAP customers can be assured that we already log incidents and provide supporting data in case of a confirmed personal data breach. Our strict security policies already reflect the requirements introduced in the GDPR and have been in place for some time. We will continue to invest in state-of-the-art security measures and constantly improve them to best protect the customer data entrusted to SAP.
In the overall context of appropriate technical and organizational measures required under Art. 32 GDPR, sensitive data requires a high standard of protection. Customers have various means available to ensure a level of security appropriate to the risk. Here are some examples:
Data Minimization – Customers need to ensure that personal data and sensitive data is only collected and stored if absolutely required. In many cases, sensitive personal data requires a valid consent from the person concerned. As part of overall compliance efforts, customers should review whether sensitive data previously collected is still permitted to be stored and processed under GDPR.
Role Based Permission (RBP) – Customers can and should implement strict RBP concepts to limit the number of persons who can access sensitive data fields. It is generally advisable to limit access to those who have an absolute need to view such data.
Data Masking – To further protect sensitive data, customers can mask data to avoid read access by unauthorized personnel. Accordingly, such personnel would not be able to read the data as clear text.
Change Access Logging – Customers can track and report on changes made to data they deem to be sensitive.
The SAP SuccessFactors Data Protection and Privacy (DPP) strategy includes many new features in support of GDPR today while also putting stronger safeguards in place to help prepare for future regulatory changes. Customers should routinely evaluate their usage of all technical features, as well as their organizational processes related to DPP, in the context of their business needs.