SNP Schneider Neureither & Partner : Getting ready - U.S. GDPR Implementation Plan for SAP

With less than 110 days left, many organizations still aren't ready to meet the GDPR implementation deadline on May 25th. Especially in the United States, businesses have been slow to understand this new regulation and how it applies to them. Its name, the EuropeanGeneral Data Protection Regulation, has misled businesses to believe that the regulation applies only in the EU.

Does GDPR apply for the U.S.?

Yes. As long as you store the personal data of a EU citizen, such as a prospect, customer, business partner, vendor or even an employee, GDPR applies to you. And non-compliance risks stiff fines; the penalties for non-compliance have been set at 20 Million EUR or 4% of the worldwide turnover, whichever one is higher. (1).

Which department has the highest risk of non-compliance?

Just when you thought you could 'narrow down' the departments of interest, you'll find that f GDPR impacts every organization across your business. Sales, Marketing, HR, Legal, IT, Finance, … the list goes on. Rarely ever does a new regulation affect so many different business areas as GDPR. It is key that you truly know your business processes, automated or manual, and know exactly when personal data is used or shared.

Is my SAP ERP a risk factor?

The answer is yes, again. SAP systems touch a variety of personal data. Knowing your Business Processes really is key in order to be GDPR compliant. But that is often easier said than done. Have all processes always been 100% documented in every detail? Often documentation suffers when a project needs to be implemented fast; files have not been shared and employees exit the organization, taking their knowledge of the ERP processes with them.

Am I responsible for my U.S.-based third party integrations when it comes to GDPR?

Yes, yes and yes! Third party or not, as long as information is being exchanged with your SAP systems you are responsible. The risk is even higher when third party tools are involved. Interfaces are often not accurately documented, making it more difficult to update your systems to ensure GDPR compliance. Knowing your interfaces (used or unused), is crucial.

How do I encrypt the personal data that I must store in order to be GDPR compliant?

First of all, you start with the cleanest and most consolidated database possible. The less data you have to worry about the better. But for the data that you have to store (Let's just think about our friends from Legal or Finance who have to store data for 6+ years!) you need to make sure that the personal data is encrypted properly.

For better understanding you may want to check out this infographic regarding U.S. GDPR Impact.