GDPR and SAP

Volker Lehnert has worked at SAP for eight years. He has worked for SAP (Switzerland) AG since 2008, where he is a consultant on all topics concerning the authorization system, and continuously returns the authorization system to its core questions: business functions, organizational concepts, and legal requirements. Within this scope, his consulting work focuses on authorization concepts, SAP BusinessObjects Access Control, and the processes of User Life Cycle Management. Furthermore, Volker Lehnert is co-author of the data privacy guideline of the German-speaking SAP User Group (DSAG).

Foreword
Preface
Objective of the Book
Composition of the Book
Acknowledgments
Introduction to General Data Protection Regulation
What Does the GDPR Mean for you?
Which Requirements Require Technical Support?
Which Requirements Can Be Technically Supported?
Summary
Personal Data in SAP Business Suite and SAP S/4HANA
SAP Business Suite and SAP S/4HANA Data
Personal Data in SAP ERP
Personal Data in SAP ERP HCM
Personal Data in SAP CRM
SAP Business Suite Technical Integration Example
Summary
Implementation Approach
Project Implementation Steps
Record of Processing Activities Approaches
Summary
Blocking and Deletion with SAP Information Lifecycle Management
Introduction to SAP ILM
Preparatory Steps
Blocking from a Business Perspective
Deletion from a Business Perspective
Legal Case Management
Time-Based Blocking of Personal Data in Personnel Management
Summary
Purpose-Based Processing
Controller and Purpose
Organizational Structures (Line Organization)
Process Organizational Structures
How Organizational Structures Define Purpose
Summary
Data Controller Rule Framework
Data Controller Rule Framework
Summary
Authorization Concept
Users and Authorizations: An Introduction
Rethinking Organizational Levels
Defining Process Attributes
Authorization Risks
Summary
Information Retrieval Framework
Transparency: Access to Data and Information
Setup of the Information Retrieval Framework
SAP ILM Objects in the Information Retrieval Framework
Creating an Information Retrieval Framework Data Model
Handling a Data Subject Request
Central Instance
Further Technical Information
Summary
Read Access Logging
Scope of Read Access Logging
Setup and Maintenance
Logging Purpose and Domains
Recordings for User Interface Channels
Configuration
Evaluation of Logs
Configurations for Remote API Channels
Conditions
Transport, Import, and Export
Summary
SAP Master Data Governance
Master Data Maintenance Scenarios
Maintaining Sensitive Data
Organizational Separation
Data Quality Assurance Using Services
Summary
SAP Test Data Migration Server
Use Cases
Structure and Functionality
Integration of the System Landscape in SAP TDMS
Data Protection with SAP TDMS
Summary
Accountability: Protection, Audits, Controls, and Documentation
Control Frame and Principles of Processing
Lawfulness, Fairness, and Transparency
Purpose Limitation
Data Minimization
Accuracy
Storage Limitation
Integrity and Confidentiality
Accountability
Abstract Technical Controls
Technical Control Actions: Examples
Summary
Appendicess
Relevant Transactions, Reports, and SAP Notes
The Authors
Index