Enterprise Resource Planning Blogs by SAP
Volker-Lehnert
Advisor

Abstract


Within SAP S/4HANA, a major change in the processing of personal data is planned. SAP plans to provide substantial functionality to adhere even more closely to the privacy by design and default principle. Purpose-based processing of personal data in S/4HANA shall be technically supported in future. Effectively this will dramatically change the possibilities to comply with data protection regulations across the globe.


With Release 2308 we are providing, in a first step, the Data Controller attribute and related functionality.

Regulatory Background


Guiding principles of Data Protection were provided in 1980 by the OECD. These guiding principles have been adopted into the legislation of various member states as well as of the EU. Already in 1996, the EU Directive on Data Protection (95/46/EC) defined the same requirements as basic principles of personal data processing in Europe. This has been carried over into the EU GDPR. These principles are:




  • Collection Limitation Principle

  • Data Quality Principle

  • Purpose Specification Principle

  • Use Limitation Principle

  • Security Safeguards Principle

  • Openness Principle

  • Individual Participation Principle

  • Accountability Principle


Most of the principles are covered by Art. 5 GDPR, only a few of them by other Articles. Failing to adhere to these principles is punishable with the highest potential fines. Most of these principles are directly related to the purposes of the processing.


In the past, Data Protection requirements have usually been addressed by single features and measures; purpose-driven processing is a holistic approach to the named generic and broad requirements of Data Protection. No single feature in itself is capable of reaching compliance with Data Protection; each only covers single aspects of named requirements. The reason is obvious: any measure, and even more so the combination of all measures taken, must protect personal data end to end in relation to the purposes and risks, nothing less. For example: A company encrypting the database but providing unrestricted access to all personal data for all its employees will not achieve compliance.


This blog provides an overview of the intended final scope of purpose-based processing. The software features to achieve this are in development.


The whole implementation (achieved, ongoing, planned) is based on several assumptions which are not necessarily identical with the policies established in your organization. SAP S/4HANA provides in this sense only a technical opportunity but no legal guidance on how to handle personal data. It remains the customer's responsibility to determine the purposes and means of processing personal data.


SAP’s implementation starts with the strengthening of the data controller, followed by data categories and purpose attributes. Still we assume that customers should be aware of the full solution picture, even though this is potentially subject to change.



Guiding assumptions and definitions for purpose-based processing


First assumption


Privacy by design and default is based on the purposes of the processing of personal data. Only legitimate purposes justify the processing of personal data including the storage of personal data down to the level of single pieces of personal data.





Second assumption


Any safeguards implemented are based on the processing purposes and the risk for the data subject.




Third assumption


At any point in time, it must be possible to document for which purposes certain personal data is processed.





Fourth assumption


Any purpose is linked to an identifiable data controller or, in case of joint controllership, to the data controllers responsible. A very basic implementation of purpose-driven processing relies on the data controller, which grants basic data separability.





Fifth assumption and basic definition of purpose


The (primary) purpose means the reason and the final goal for which a data controller processes personal data in an End-to-End (E2E) process.


In some cases, one purpose is not specific enough; obviously, there could be differences for data (categories) regarding




  • Retention Periods,

  • Access or

  • Transfer of Data.


The E2E process may further be specified into more detailed complementary, inherent or in other consequence subsequent purposes. Although they are inextricably linked to the primary purpose, these subsequent purposes enable a more differentiated application and use of data protection measures.





Sixth assumption and basic definition of data categories


A data category is an entity that includes a set of data fields (attributes of the data subject or of a data subject's business object) with similar behavior in the sense of




  • Usage,

  • Meaning,

  • Quality or

  • Risk


in relation to a data subject. In addition, the data assigned to a dedicated data category is intended to be used in at least one processing step as a semantic unit.


Categories deviating from this principle are those defined by legal, international or national standards or by public administration.



Concept


Perspective in a Business process – transparency regarding the data controller


Most business processes dealing with personal data start with the creation of master data. In SAP S/4HANA this is done for customers and suppliers using the business partner. During creation and further processing, it is possible to assign several hundred pieces of information of quite different quality in terms of risk for the data subject. Based on the fourth assumption, the link to the responsible data controller(s) is required, because business with data subjects is regularly done between identifiable entities: the legal entity, aka data controller, on one hand and the data subject on the other. Generally, business relations are not established with a complete group of companies.


The assignment of personal data to data controllers provides clarity about who is organizationally responsible and authorized to deal with the data. The assignment to the data controller also provides generic transparency regarding applicable retention periods, differing from country to country as well as in industries. Finally, the assignment supports any data subject request regarding information, correction, and deletion.



Perspective in a Business process – transparency regarding the purpose


Knowing who is responsible for personal data is just a starting point; the aim is to identify why this data is used in one or several business processes. Vice versa, not all available personal data in a business process is relevant for each single step of that process (fifth assumption). The controller assignment provides a basic separation opportunity, but the purpose assignment provides a fine-granular opportunity to differentiate data according to data categories (sixth assumption) and the purposes of the processing.



Differentiating purposes


As declared in the fifth assumption, the primary purpose in the provided logic aligns with the E2E business process. In an ERP system the primary purpose usually correlates with the contract (including pre-contractual steps). Everything directly required to fulfill the contract is usually covered by the primary purpose. Still, additional differentiations are possible, for instance if delivery handling shall be separated.


In our abstraction, we assume that where legal obligations lead to specific residence or retention requirements, the personal data concerned is linked to its own supplementary purpose. Business is not done to pay taxes, but within any business proceedings tax considerations and tax retention requirements must be followed. But if data is kept for tax requirements only, then any other or further processing should be restricted and the data must be deleted once this purpose has gone. If you want to use this data, e.g. for extended customer analysis, just make sure that these purposes are also assigned.




The figure indicates how, in addition to the primary purpose “Sales”, supplementary purposes are assigned: “Accounting”, “Warranty”, “Product liability”, “Dunning” as well as “Marketing”.



Differentiating data categories


SAP will deliver data categories according to the definition provided in the sixth assumption. This generally leads to fine-granular data categories in the Business Partner and more generic data categories in transactional handling. Transactional data is regularly categorized reflecting the relevant business artifacts. In the figure this is indicated: the contract will be of data category “contract data”.



Technical consequences


Once categories and purposes are maintained, relevant processing steps can be based on the purposes of the processing:




  • Data Life Cycle

  • Data Access

  • Data transmission / transfer

  • Data security

  • Information of the data subject

  • Objection handling

  • Accountability


And finally, evidence of accountability as one of the most challenging requirements can be easily achieved.



Overview on features & functions


Purpose Agent (Support)


A fine-granular purpose handling requires support for the maintenance of purposes. This will be provided with the purpose agent, where you can configure the relation between your line-organizational and process-organizational setup and the purposes. E.g. a certain sales order type in a certain company code is linked to the purpose “Sales ABC”; the Purpose Agent will derive the purpose from the organizational attributes.



Data Lifecycle


The data lifecycle of personal data is completely linked to the purposes of the processing. Either there are purposes to process personal data or not. If not, the data must be deleted. The easiest way to reach and document this is obviously to maintain purposes accordingly and delete the data once the purposes have gone.


Categories of personal data will play a key role. Currently, the logic mostly followed is that most personal data is kept until all retention periods have passed. Fine-granular data categories in the BP will allow partial deletion, as soon as the purposes for these specific data categories have passed.
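As an added illustration, not SAP code, the following Python models the lifecycle logic described above: each data category of a Business Partner carries the purposes that justify it, each purpose is bound to a data controller and lapses on a date, and a category becomes deletable as soon as all of its purposes have lapsed, contrasted with the old keep-everything-until-the-last-retention-period logic. All purposes, categories, controller names and dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
# Constructed illustration of purpose-based lifecycle handling, not SAP's implementation.
# A purpose is bound to the responsible data controller (fourth assumption) and lapses
# on a date, e.g. when its retention period ends.
@dataclass(frozen=True)
class Purpose:
    name: str
    controller: str
    valid_until: date

# A Business Partner holds data categories (sixth assumption), each justified by purposes.
@dataclass
class BusinessPartner:
    bp_id: str
    categories: dict[str, list[Purpose]] = field(default_factory=dict)

def active_purposes(purposes, today):
    """Purposes that still justify processing on the given day (date or ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [p for p in purposes if p.valid_until >= today]

def deletable_categories(bp, today):
    """Categories whose purposes have all lapsed: partial deletion is due now."""
    return sorted(c for c, ps in bp.categories.items() if not active_purposes(ps, today))

def retain_until_old_logic(bp):
    """Old logic: keep the whole record until the last retention period has passed."""
    return max(p.valid_until for ps in bp.categories.values() for p in ps)

def sample_bp():
    ctrl = "Example Sales GmbH"  # constructed data controller name
    sales = Purpose("Sales", ctrl, date(2024, 6, 30))             # primary purpose
    accounting = Purpose("Accounting", ctrl, date(2034, 12, 31))  # supplementary purposes
    warranty = Purpose("Warranty", ctrl, date(2026, 6, 30))
    marketing = Purpose("Marketing", ctrl, date(2025, 1, 31))
    return BusinessPartner("BP-0001", {
        "contract data": [sales, accounting, warranty],
        "bank data": [sales, accounting],
        "marketing preferences": [marketing],
        "delivery address": [sales, warranty],
    })

if __name__ == "__main__":
    bp = sample_bp()
    for day in ("2024-07-01", "2025-02-01", "2026-07-01"):
        print(day, "deletable:", deletable_categories(bp, day))
```

Running it shows that nothing is deletable while a supplementary purpose still applies, that “marketing preferences” goes first when only its purpose has lapsed, while the old logic would keep the entire record until the accounting retention period ends.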



Data Access - Authorizations


The authorization concept will mainly change regarding the Business Partner itself, including related search helps. Here additional authorization objects will be provided. For transactional data, the authorization concept will rely on the existing authorization objects, allowing a purpose differentiation using line-organizational (e.g. company code) and process-organizational attributes (e.g. order type). Only in cases where additional differentiation of data categories within a business artifact is required do additional authorization objects have to be considered.



Data transmission / transfer


With the indicated changes in the authorization concept, SAP S/4HANA supports a more focused transfer of personal data, allowing in future also to transfer the purposes of the processing together with the data.



Data security


Data security has to be evaluated regarding the risks for the data subject and the purposes of the processing. Here the model provides granular opportunities to conclude which safeguards are suitable and finally provides the opportunity to document conclusions and safeguards.



Information of the data subject


Information for the data subject is provided with the Information Retrieval framework. In the past there has been the opportunity to document the purposes manually with the information. Once implemented and configured, the purpose model will automatically provide, on data category level, the purposes why certain data is processed.



Objection handling


Personal data in S/4 is handled in relation to contractual proceedings. The objection of a data subject has been challenging in the past, because if the objection had to be overridden, it was necessary to provide evidence of which compelling legitimate grounds for the processing are valid. With an implemented purpose concept, compelling grounds are most easily provided with the purposes on the data categories explaining why certain data is processed.



Accountability


Finally, everything related to Data Protection is also about accountability, or in other words being able to provide evidence that the right safeguards according to the risk for the data subject have been in place, the right retention policies have been applied and all data subject rights have always been fully fulfilled. This again is about what data is processed, why it is processed and how it is protected. In other words: data categories, purposes and the usage of features and safeguards.



Implementation considerations


Follow up



Current Implementation Status


As of release 2308 we are delivering the data controller functionality across SAP S/4HANA, allowing data separation along the new attribute “data controller”. This provides a new baseline capability to differentiate Business Partners along their assignment to organizational units on the level of responsible entities, aka data controllers. This delivery is the first but important step to technically implement purpose-based handling of personal data.

