- Posted by Pieter van Reisen
- On 8 September 2017
Welcome to the newsletter from HuRis Support about the new European General Data Protection Regulation, the GDPR. The goal of the regulation is to protect and empower the data privacy of all EU citizens and to reshape the way organisations approach data privacy.
The new regulation affects all European businesses and any business anywhere in the world that processes personal data of European citizens. The GDPR will apply from the 25th of May 2018.
GDPR is all about accountability for the handling of personal data and being able to demonstrate how you handle it. SAP has been developing tools, including Human Resources tools, to support your organisation in becoming compliant with the GDPR. Note that these tools are only one part of the actions your organisation should be working on.
Although legislation and jurisprudence are still needed to fully define the required actions and processes for organisations, the main elements of the GDPR already provide good guidance for making a start.
Personal data protection by design
Personal data protection by design is essential in the GDPR. Personal data protection safeguards and privacy-friendly default settings have to be the norm.
Storing or processing personal data must have a legitimate basis; if it does not, the personal data must be deleted or fully anonymised. This is about protecting the privacy of individuals; it does not involve erasing past events or restricting freedom of the press.
Organisations need to be able to show that they are compliant with the GDPR. They need to know which personal data they are storing, for what purpose, and how they protect it. Accountability for personal data includes storing only the minimum of personal data and only when needed, correcting wrong personal data, and securing personal data to prevent loss or unauthorised access.
Consent by person
Consent for the handling of personal data must be specific, clear and provided without cost to the person. For example, consent is needed to store a resume for longer than the vacancy the applicant applied for remains open.
Control by person
A person can request access to his or her personal data. Organisations should be able to provide a copy, and to correct or delete personal data when requested if there is no legitimate ground for retaining it.
HR system tooling for GDPR compliancy
SAP has checked its current functionality against the new demands of the GDPR. Next to the existing reporting, auditing, security and authorisation functionality, some new functionality has been or will be added. SAP provides HR tools for implementing the GDPR in your HR system.
To be compliant with the new rules, SAP has developed new tooling and functionality. This functionality is already available in up-to-date HCM systems.
- Time-related authorisation: a further development of the existing authorisation concept, where it is now possible to grant authorisation within timeframes.
- Removal of infotype personal data: removal is done with Information Lifecycle Management (ILM). It is now possible to automatically remove personal data after predefined timeframes.
To be compliant with the new regulation, SAP SuccessFactors is developing new tooling and functionality. This functionality is on the roadmap for the Q1 2018 release.
- Obtain consent from persons outside your organisation. For example, when a person agrees to receive future job postings in the Recruitment module.
- Auditing and reporting on read/change access on personal data.
- Persons can access their personal data, and customers can report on the personal data stored in the cloud service.
- Personal data can be corrected and changed subject to personal data retention and customer policies.
- Personal data deletion will be supported by purge tools.
- Access to historical personal data (for example, past performance reports) can be limited or blocked.
- Data is portable – that is, exportable in standard format during and shortly after subscription term.
The first step we suggest is to assign someone in your (HR) organisation who is responsible for implementing the GDPR, for example a Data Protection Officer (DPO). Your HuRis consultant will work with your DPO to assess and implement the steps necessary to comply with the GDPR.
If there are any updates to the SAP tooling regarding the GDPR, we will keep you informed.
Please contact us for questions, more information, or help with implementing one or more of the functionalities mentioned.
HuRis Support Team
Tel: +31 6 30 40 50 30