For most HR executives, change is a part of every business. Whilst the business world is evolving rapidly, most HR leaders are focused on driving transformation within their businesses and managing external change, such as preparing for the enforcement of the General Data Protection Regulation (GDPR). For those of you who love the quotes predicting challenges in adopting more secure practices around sensitive data (“warning: experts say you are going to struggle”), this blog is dedicated to you. For many people, preparation for GDPR started long ago…

Wherever you are in your GDPR journey, here are some actionable steps you can take to ensure your SAP SuccessFactors HCM system is GDPR compliant:

Determine if you are impacted by GDPR

The GDPR revises and modernises the 1995 Data Protection Directive. In a world where many internal and external people touch sensitive data, it sets clear requirements regarding the rights of the individual and establishes the obligations of those responsible and accountable for processing the data. Perhaps most importantly, it clarifies the requirements for compliance and the scope of sanctions for those in breach of the rules. It is critical to understand that the GDPR applies not only to organisations located within the EU but also to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.

Understand what is considered personal data

Under GDPR, Personal Data is now defined as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Examples of Personal Data May Include:

  • Name
  • Identification number (e.g. National ID, National Insurance Number, SSN)
  • Location data (e.g. home address)
  • Online identifier (e.g. e-mail address, screen names, IP address, device IDs)
  • Biometric data (e.g. facial recognition, fingerprints)

Define Key Roles Regarding Data:

Clearly defining the key roles regarding data is critical to the successful implementation of GDPR. You need to clearly define who your organization's controllers, processors and consultants are, and which data access rights and policies are identified and aligned with their roles.

The Controller may be defined as the legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processors are the agencies, companies or other bodies which process personal data on behalf of the controller. They share critical responsibility and accountability under the GDPR.

In the HCM cloud world, Solution Providers like Rizing, who provide consulting services, also have a role in ensuring client data policies and processes are followed throughout implementations and support services.

Ensure Awareness

It is essential that your organization’s Data Protection Officer and their teams clearly share data policies and processes with everyone who works with Personal Data. Each role is critical to the successful protection of data, and understanding your company’s specific policies and procedures will be necessary to ensure compliance.

Prepare your SAP SuccessFactors System

You must prepare your systems by configuring the pre-requisite functionality prior to May 25, 2018.

The GDPR pre-requisites include:

  • Enabling Role Based Permissions (RBP) as the permission structure
  • Enabling Metadata Framework (MDF)

While not required, I highly recommend also enabling the Fiori user interface to get the most out of the system features, functions and modules.

Educate and implement SAP SuccessFactors GDPR functionality

Educate yourself on the functionality and find the right resources to implement it successfully for you.

The 2018-Q1 release includes Data Protection and Privacy functionality to facilitate GDPR compliance. SAP SuccessFactors’ strategy is to support the GDPR today and put stronger safeguards in place to help prepare for future regulatory changes. SAP SuccessFactors has also released a fantastic interview with their product-focused legal expert.

Additional SuccessFactors Data Protection and Privacy functionality to support auditing and reporting is scheduled for deployment via a special release in 2018-Q2.

Join Others

Join the SAP SuccessFactors GDPR Discussion Forum. Engage with other SuccessFactors customers, partners and product experts and share your questions and feedback.