This blog post is part of our Nordic blog series, "Why cybersecurity and privacy matter in S/4HANA projects". Explore the other posts in this series here:
Part 1 - Setting the scene
Part 2 - Know your data
Part 3 - Ownership & governance
Part 4 - Access management & available tools
Part 5 - Security hardening, monitoring & available tools
____
It is not uncommon to hear that SAP contains no personal data and that SAP as a system is therefore not subject to GDPR requirements. However, the definition of personal data is very broad: the term does not refer only to social security numbers and the names of individuals. Under the GDPR, any information that can be used to identify an individual can be considered personal data.
In SAP, depending on the system being used, personal data refers to different types of information, such as:
Since in your S/4HANA projects your organisation stores, transfers and otherwise processes personal data, the GDPR comes into play.
Preparing for possible unfavourable outcomes in an organisation's operations raises the question of accountability. The leadership and management teams are primarily responsible for ensuring compliance, and are therefore accountable for any non-compliance. For S/4HANA projects this means that management must ensure the system has been implemented in a way that mitigates potential risks to the organisation.
The GDPR requires privacy to be built in by design and by default. In practice, this means that in S/4HANA projects it is crucial to take privacy and cybersecurity into consideration from the earliest stage. As a leader, you should do the following:
___
Authors:
Christian Wischnack
Oona Matinpalo
Jouni is a partner leading Operational Risk services at Deloitte Finland. His special expertise is leveraging modern technology and analytics in organisations' risk management and internal controls. He also has long experience in IT risk management and in leading audits of IT control environments and information security as part of internal and external audits.
Anh is part of the technology-enabled GRC team, focusing on business-driven transformations from an Internal Controls and Compliance perspective. He has extensive experience designing and optimising Risk Management processes and frameworks, including managing business impact and change management. Anh specialises in technology-enabled optimisation that incorporates innovation into transformation projects, turning risks into competitive advantage.
Erling is a partner in Risk Advisory and helps our clients manage technology risk and cybersecurity.
Peter Östlund is a Partner within Risk Advisory. He is responsible for our IT Risk and Assurance services. He has many years of experience working with IT and cyber risks, information security, IT audit and third-party assurance reports. Peter holds a master's degree in Computer Science and a bachelor's degree in Business Administration from Uppsala University, Sweden.