How far has your organization progressed along the road to GDPR compliance? Thomas Saueressig, CIO of SAP, shares his experiences of SAP’s own journey.

Data protection and privacy have always been a top priority at SAP. As well as being a leading cloud company responsible for processing large volumes of customer data safely and securely, we’re also a large global employer with nearly 88,000 employees around the world – and a significant proportion of these are based in the EU. Our existing global data protection and privacy policy outlines a minimum standard for handling personal data in compliance with current regulations. Like every other company that processes the personal data of EU residents, we needed to review this policy and our working practices in line with the requirements of the General Data Protection Regulation (GDPR). The program has been invaluable in enabling us to identify opportunities for re-engineering and automating processes, refine best practices, enhance our software, and road-test our applications. As we support our customers on their GDPR compliance journeys, I thought it might help to share some useful lessons we’ve learned based on our own experiences.

Act now

The clock is ticking. The GDPR will be enforced from 25 May 2018, so if you haven’t already begun your compliance journey you should start immediately. For some organizations, achieving compliance may only involve some fine-tuning of existing policies and processes, but for others with more complex requirements it may necessitate more fundamental changes. While most of the publicity focuses on this deadline and the severe penalties for noncompliance, it’s important to remember that the GDPR is a continuum and organizations also need to demonstrate ongoing compliance after that date.
At SAP, data processing is our core business, so we had the advantage of starting early. We are on target to achieve compliance by 25 May 2018, but we are also aware that further improvements – particularly the automation of manual processes – will still be needed in certain areas as we move forward.

Build the right team

The GDPR isn’t just an IT issue; it potentially affects all areas of the business, and the composition of the program team should reflect this. Who takes the lead will depend on the individual organization, as structures, priorities, resources, and levels of complexity will vary. In SAP’s case, our GDPR compliance program has been a cross-board project led by SAP Data Protection & Privacy (DPP) and under close oversight by the executive board. We found that as the project progressed, the team needed to evolve as different skills and knowledge were required. Following the initial analysis and planning stages, for example, the team expanded to include IT architects, developers, and consultants as we entered the execution stages.

Engage with key stakeholders

One of the key elements of the GDPR is accountability, and this is a board-level responsibility, so it’s essential to get buy-in from key business stakeholders from the start. Once the SAP board had approved our GDPR plan, DPP established a program structure that involved several lines of business, with an executive sponsor, business leader, and program manager assigned to each. This is particularly important to ensure you can allocate the right resources to the program. Like any other large organization running multiple initiatives concurrently, resource and budget constraints were one of the hurdles we had to overcome, as reallocating someone to the GDPR program created a backfill requirement elsewhere.

Focus on people, process, and technology

If ever there was a program that required focus on people, process, and technology, GDPR is it.
From a people perspective, communicating to a large global workforce is a particular challenge. SAP is currently rolling out a company-wide training and awareness system to ensure that every SAP employee is aware of the data protection guidelines and understands their accountability for processing personal data in a compliant manner. From a process perspective, SAP DPP and SAP IT have developed the Procedure Enrollment Tool (PET) to capture and record all procedures that process personal data, and this is currently being used by lines of business and IT. From a technology enablement perspective, systems are currently being upgraded, developed, and tested to ensure business processes are processing personal data in line with GDPR requirements.

Choose the right tools for the job

IT had a dual role in SAP’s GDPR program. The first was to address our own internal data processes and procedures, and we were in the fortunate position of being able to use our own products to address GDPR requirements. The second role was to work closely as a co-innovation partner with our development organization to understand what features were needed for GDPR in our solutions from a customer perspective.

Get your business fitter for the digital economy

Our GDPR compliance journey has confirmed our belief that transforming the way you handle data and manage risk and compliance is a catalyst to getting your business in better shape for the digital economy. SAP’s growth has been both organic and through acquisitions, and our next challenge is the centralization of personal data from multiple line-of-business systems into a single central system. This will remove duplication, increase data processing efficiency, and limit our exposure to data privacy risk. SAP is a large and diverse global organization, and our GDPR compliance program has been challenging at times.
But it has also provided a valuable learning experience across the organization, and for our consulting and development teams in particular. I am pleased to say that this practical knowledge – supported by our broad portfolio of integrated data management and governance, risk, and compliance solutions – is already helping SAP customers as they progress on their GDPR compliance journeys. Although 25 May 2018 is a landmark date, GDPR compliance is an ongoing process and we will continue to learn valuable lessons as we move forward. If you would like to find out more about our experiences and how we could help, please get in touch today.