Preparing your SAP SuccessFactors HCM for GDPR Compliance

By Hope Bailey, Chief Customer Officer, GVP/GM Delivery & CHRO

Change is a part of every business for most HR executives.  Whilst the business world is evolving rapidly, most HR leaders are focused on driving transformation within their businesses and managing external change, such as preparing for the enforcement of General Data Protection Regulation (GDPR). For those of you who, like I, love the quotes predicting challenges about the adoption of more secure practices around sensitive data, “warning: experts say you are going to struggle,” this blog is dedicated to you.  For many people, preparation for GDPR started long ago…
Wherever you are in your GDPR journey, here are some actionable steps you can take to ensure your SAP SuccessFactors HCM system is GDPR Compliant:

1) Determine if you are impacted by GDPR:

The GDPR revises and modernises the 1995 Data Protection Directive.  In a world where many internal and external people touch sensitive data, it sets clear requirements regarding the rights of the individual and establishes the obligations of those responsible and accountable for processing the data.  Perhaps most importantly it clarifies the requirements for compliance and the scope of sanctions for those in breach of the rules.  It is critical to understand that the GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.

2) Understand what is considered Personal Data:

Under GDPR, Personal Data is now defined as relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


Examples of Personal Data May Include:

  • Name
  • Identification number (i.e. National ID, National Insurance Number, SSN)
  • Location data (i.e. home address)
  • Online identifier (i.e. e-mail address, screen names, IP address, device IDs)
  • Biometric data (i.e. facial recognition, fingerprints)

3) Define Key Roles Regarding Data:

Clearly defining the key roles regarding data is critical to the successful implementation of GDPR.  You need to clearly define who the controllers, processors and consultants are of your organization, and what data access and policies are identified and aligned for their roles.

The Controller may be defined as the legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processors are the agencies, companies or other body which processes personal data on behalf of the controller. They share critical responsibility and accountability under the GDPR.

In the HCM cloud world, Solution Providers, like Aasonn who provide consulting services, also have a role in ensuring client data policies and processes are followed throughout implementations and support services.

4) Ensure Awareness

It is essential that your organization’s Data Protection officer and their teams clearly share data policies and processes with everyone participating in working with Personal Data.  Each role is critical to the successful protection of data and understanding your company’s specific policy and procedures will be necessary to ensure compliance.

5) Prepare your SAP SuccessFactors System

You must ensure your systems are prepared by configuring pre-requisite functionality in your systems prior to May 25, 2018.

The GDPR pre-requisites include:

  • Enabling Role Based Permissions (RBP) as the permission structure
  • Enabling Metadata Framework (MDF)

While not required, I highly recommend also enabling the Fiori user interface to get the most out of the system features, functions and modules.

6) Educate and implement SAP SuccessFactors GDPR functionality

Educate yourself on the functionality and find the right resources to successfully implement it for you.  A good start will be to attend my webinar on GDPR Preparedness for your SuccessFactors system.

The 2018-Q1 release includes Data Protection and Privacy functionality to facilitate GDPR compliance.  SAP SuccessFactors’ strategy is to support the GDPR today and put stronger safeguards in place to help prepare for future regulatory changes.  SAP SuccessFactors has also released a fantastic interview with their product-focused legal expert that I recommend reading.

This additional SuccessFactors Data Protection and Privacy functionality to support auditing and reporting is scheduled for deployment via a special release in 2018-Q2.

7) Join the GDPR Discussion!

Aasonn will be hosting a webinar on, Is your SAP SuccessFactors System GDPR Compliant?, Thursday 22-March.  Please join the discussion and learn how we may support you in your journey.  I will be hosting a Customer Round Table on GDPR in early April, please contact Our Customer Success Team if you would like to participate.

Join the SAP SuccessFactors GDPR Discussion Forum.  Engage with other SuccessFactors customers, partners and product experts and share your questions and feedback.




An accomplished human resources executive, Hope Bailey has international and diverse industry and business strategy experience in Fortune 500 and FTSE Top-5 organizations. She is a strategic business partner who effectively drives results that consistently exceed targets; with an accomplished track record of setting vision, building high-performance teams, delivering results and collaborating cross-functionally to increase revenues, grow sustainable profits and increase firm/shareholder value. Follow her on Twitter @HopeBailey214



Disclaimer: This blog is a commentary on the GDPR, as Aasonn interprets it, as of the date of publication.  The application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled.  This blog is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization.  We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance.  AASONN MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS BLOG.  This blog is provided “as-is.” information and views expressed in this presentation, including URL and other Internet website references, may change without notice.