Posted: 10 Sep. 2024 | 2 min reading time

Get to know your SAP and S/4HANA data

Cybersecurity and Privacy Matter in S/4HANA Projects

This blog is part of our Nordic blog series, "Why cybersecurity and privacy matter in S/4HANA projects". Explore other blog posts from this series here:
Part 1 - Setting the scene
Part 2 - Know your data
Part 3 - Ownership & governance
Part 4 - Access management & available tools
Part 5 - Security hardening, monitoring & available tools
____
SAP processes personal data

It is not uncommon to hear statements that SAP does not contain personal data and that SAP as a system would therefore not be subject to GDPR requirements. However, the meaning of personal data is very broad, and the term refers not only to social security numbers and the names of individuals. According to the GDPR, any information that can be used to identify an individual can be considered personal data.

In SAP, depending on the system being used, personal data refers to different types of information, such as:

  • Employee ID
  • Username
  • Name of the employee
  • Contact details
  • Next of kin and contact information in HCM systems
  • Employee salary data
  • Customer data (names, contact details, bank connections, credit card details and the history thereof)
  • Confidential documents, printing information and emails

Because your organisation stores, transfers and otherwise processes personal data in its S/4HANA projects, the GDPR comes into play.

Preparing for possible unfavourable outcomes in organisational operations raises the question of accountability. It is the leadership and management teams who are primarily responsible for ensuring compliance, and therefore accountable for any non-compliance issues. For the S/4HANA projects this means that the management must ensure that the system has been implemented in a way that mitigates any potential risks to the organisation.

How to build privacy by design and by default into the S/4HANA project?

The GDPR requires privacy to be built in by design and by default. In practice, this means that in S/4HANA projects it is crucial to take privacy and cybersecurity into consideration as early as possible. As a leader, you should do the following:

  1. Name privacy and cybersecurity professionals to the S/4HANA project team. This way these professionals can raise concerns and solutions throughout the project, and you will not be at risk of spending additional budget to fix configurations later.
  2. Ensure that S/4HANA project team members are trained and instructed on the most common cybersecurity and privacy risks and pitfalls.
  3. Require the project to conduct risk assessments. Note that many of these are required by law and need to be completed in the very early stages of the project.
    1. During the implementation phase of the process, you transfer large data sets to a new system and thus, a Data Protection Impact Assessment (DPIA) is key in achieving compliance.
    2. As S/4HANA is a cloud-based system, conducting a Transfer Impact Assessment (TIA) is highly recommended.
  4. Verify that mitigation actions which arise from the above assessments are implemented. In essence, each recommendation should clearly indicate responsibility and a deadline.
  5. Ensure that all decisions, assessments and mitigation actions are documented and stored centrally so that your organisation is able to demonstrate compliance.

___
Authors:

Christian Wischnack
Oona Matinpalo

Get in touch with our team

Reach out to your local S/4HANA & cybersecurity contact:

Finland & Denmark

Jouni Viljanen

Operational Risk Leader

Jouni leads Deloitte Finland's operational risk management services. His special expertise is leveraging technology and analytics in organisations' risk management and internal control. He also has long experience in IT risk management and in auditing IT control environments and information security as part of internal and external audits. In short: Jouni is working as a partner in Operational Risk services at Deloitte Finland. His special expertise is to leverage modern technology and analytics in Risk Management and Internal Controls. He has long experience in risk management and in leading audits of IT controls and IT security as part of external and internal audits.

Anh Nguyen

Partner

Anh is part of the technology-enabled GRC team focusing on business-driven transformations from an Internal Controls and Compliance perspective. He has extensive experience designing and optimising Risk Management processes and frameworks, including managing business impact and change management. Anh specialises in technology-enabled optimisation, incorporating innovation in transformation projects and turning risks into competitive advantage.

Norway & Sweden

Erling Pettersen Hessvik

Partner

Erling is a partner in Risk Advisory and helps our clients manage technology risk and cybersecurity.

Peter Östlund

Partner

Peter Östlund is a Partner within Risk Advisory. He is responsible for our IT Risk and Assurance services. He has many years of experience working with IT and cyber risks, information security, IT audit and third-party assurance reports. Peter holds a master's degree in Computer Science and a bachelor's degree in Business Administration from Uppsala University, Sweden.