Understanding GDPR and Information Security: Securing Your SAP Business One Deployment and Your Business

Richard Duffy in SAP Business One, Security, GDPR, March 07, 2018

GDPR: Just another acronym or something that will affect businesses of all sizes around the world? If you do business with customers in the European Union, the General Data Protection Regulation (GDPR) has significant implications for your business, no matter the size. 

In this post, I am going to clue you in to what GDPR is, why you need to care about it, and what you need to do to get ready for it. This topic is of high importance for SAP customers from SAP Business One to SAP S/4HANA, so expect to hear much more from ASUG in the coming weeks. 

Recent high-profile data breaches have had a significant impact on global business beyond the financial fallout, not to mention the reputational damage suffered by the victims of these breaches. You have probably turned your mind to the data you hold on your customers that is sitting inside your information systems.

ERP and CRM systems are core repositories of this sensitive information. If you have these systems, you need to think about how you are protecting the data that you hold within them.

GDPR – Not Just a European problem

Let's take a moment to quickly review what the General Data Protection Regulation is all about.

The aim of the GDPR is to protect all European Union citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from 1995, when the previous Data Protection Directive was first established. Although the key principles of data privacy still hold true from the previous directive, many changes have been made to the regulatory policies to address the challenges of today's technological climate.

While designed to protect EU citizens, companies outside the EU are also required to be compliant. It's worth repeating: if you do business with customers in the European Union, the GDPR has significant implications for your business, no matter the size.

The key points of the GDPR, as well as information on the impacts it will have on business, are summarized across the key areas on the official GDPR site. I recommend familiarizing yourself with the core summary of the regulation, which is covered there in significant depth.

Another helpful resource is the Growth Matters Network, a site for small and mid-sized businesses launched by SAP. Some of the recent posts on GDPR provide a nice summary of what you need to know, as well as insights on how it may affect your business.

Here's a helpful excerpt from Jason Rose's blog: GDPR Is the Y2K of Digital Marketing – In a Good Way

GDPR: What it means

  • What: GDPR gives extensive new rights to consumers regarding data protection and control over their personal information.
  • Where: Regulations apply to residents of the EU and to any organizations that process their data – regardless of where those organizations are based. In today’s global economy, most large organizations interact with EU residents, so GDPR effectively applies to all multinational businesses.
  • When: GDPR takes effect on May 25, 2018. There is no “grandfather” clause – any organization storing personal information of EU residents is subject to penalties immediately. Speaking of penalties, GDPR packs a big punch: Fines can go as high as four percent of an organization’s global revenue or 20 million euros, whichever is greater.
  • Why: The EU is responding to growing complaints regarding repeated violations of privacy and trust, as well as security breaches that expose consumer data to hackers. It is their effort to tip power back to consumers.

The 3 A's of Preparing for GDPR

Once you have a general understanding of the regulation, the obvious next question is, how do I ensure my business is meeting its requirements around GDPR?

Step one is to make sure your people are aware.

Good news. By reading this blog post, you're on the right track. But awareness should not stop with you.

Ensure that your team, at a bare minimum, reads this blog post and the summary on the GDPR website. Each team member should understand that compliance, data privacy, and protection are everyone's responsibility.

Step two is to make sure your processes are aligned.

Ensure that you have documented a policy for how you will handle your customers' data, how that policy is actioned in all of your processes, and identify the gaps that need addressing. 

Step three is to make sure you take action to address the gaps in your readiness.

Identify a privacy/protection officer in your business—no matter how small your business is, this area needs to be identified and managed as a priority.

Build an action plan with prioritized steps to ensure that you don't become the next headline as a result of your data security policies and processes—or lack of them.

The Big Picture – What Does This Mean for SAP Business One Customers?

Hopefully by this point in our conversation, you have learned that GDPR compliance is an important issue regardless of your company's size or technology suite. (Still not there? I recommend revisiting the "Penalties" section from the regulation summary). 

In our next post on this topic, I will take a look at the technical aspects of preparing your business for the inevitable. Yes, the inevitable. You may not know it, but chances are your business is already under attack. As the old saying goes, an ounce of prevention is better than a pound of cure.

But before that next post, I would like to know your thoughts, concerns, or recommendations. What is your business doing to ensure compliance? Or what questions would you like us to address? As always, we welcome your input via our ONE.Source community forum.

Finally, as I was researching for this post, I came across this infographic by Digital Guardian. It's a good overview of some of the key issues you'll need to address, as well as more background on this important topic. Time to get to work.