5 profound pitfalls while getting your SAP HCM ready for GDPR compliance
Since the new European regulation came into force in May 2018, companies have started the race to ensure compliance with the General Data Protection Regulation.
This race gave rise to many new services, as the GDPR involves different departments, requires various kinds of expertise and demands the implementation of multidisciplinary projects. Turning theoretical concepts into good practice is highly challenging. This task may become a real puzzle and a waste of time!
Adessa has successfully upgraded SAP HCM systems for many international customers to make them compliant with the new regulation. We would like to share our extensive experience in this matter and point out the 5 main pitfalls we have most frequently encountered.
Pitfall 1: GDPR compliance is only a legal matter and administrative work.
Usually GDPR projects are carried out by the legal or compliance department, or are integrated into a specific project. The HR department is rarely a priority, although it processes and transfers personal data on a daily basis, and that data is by nature more confidential and often highly sensitive.
Personal data is mainly stored in your SAP HCM system. Even if your employment contract is fully compliant with GDPR, this does not mean that your system is. You are the controller of the information and therefore it is your responsibility to apply the GDPR to your system. SAP provides you with a few tools, but that does not mean you are compliant. That is why it is vital to set up a project specifically focused on SAP HCM compliance.
Moreover, when such a project is implemented, it is often limited to a revision of the authorisations. Restricting GDPR to the concept of “purpose limitation” is biased. And let’s not even mention other principles such as “lawfulness, fairness and transparency”, “data minimisation”, “accuracy” or “data subject rights”, …
Pitfall 2: You have no choice but to purchase additional expensive software to get your system compliant.
It’s a common mistake to think that you need to invest money in an expensive external solution to be compliant. What you need instead is a specific project focused on and adapted to your system. An HR-oriented project also needs to include a review of your SAP HCM system. Your internal resources might be enough to carry out such a project. However, an experienced and result-oriented partner can accelerate its implementation and help to reduce the risks and costs. It is as simple as that!
Pitfall 3: Implementing a project without a proper risk assessment or, on the contrary, making a data protection impact assessment on all the HR processes.
Be action oriented! Launching an SAP HCM compliance project without first identifying the current risks is a waste of time and money. On the other hand, a well-conducted risk assessment sets up an efficient, priority-oriented approach. It is unnecessary to take action to reduce nearly non-existent risks. Conversely, it is also needless to conduct deep research and a Data Protection Impact Assessment (DPIA) on all the HR processes.
First, you identify the main risks resulting from the use you make of your system and business processes. Second, you define actions that will mitigate these risks, in order of priority.
This action plan enables you to keep your feet firmly on the ground, to stay aligned with your operations and to limit the compliance costs.
Pitfall 4: There is a legal ground to process personal data in non-productive environments.
It’s a delicate topic… What happens to personal data in non-productive environments, especially when it has been copied from production to quality and development systems? In this case it is also compulsory to have a legal basis for the processing of personal data by the technical team. Justify it with legal grounds such as “performance of a contract”, “consent” or “legitimate interest of the controller”… This becomes even more complicated to handle and document.
In addition, have you checked the integrity and confidentiality of your system infrastructure in the non-productive environments?
If one of the above-mentioned issues is not covered, you need to anonymise or mask the data in the non-productive environments.
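As an illustration of what masking a copied HR extract involves, here is an added example; it is not code from Adessa’s cockpit or from SAP, and the two record sets are constructed. Field names loosely follow SAP HCM naming (PERNR for personnel number, VORNA/NACHN for names, GBDAT for birth date, PERID for the national ID, BANKN for the bank account), but the structure is an assumption for the demonstration. The personnel number is replaced by a keyed (HMAC) token so that tables copied to QA still join on the same key, names become synthetic, the birth date keeps only its year, the national ID is dropped and the IBAN is blanked except for the country code. A final check refuses to release the extract if any original identifier still appears in the masked output.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample extract (not a real system export). Field names loosely
# follow SAP HCM conventions: PERNR = personnel number, VORNA/NACHN = first/last
# name, GBDAT = birth date, PERID = national ID, BANKN = bank account number.
PERSONAL_DATA = [
    {"PERNR": "00012345", "VORNA": "Anna", "NACHN": "Example", "GBDAT": "1984-03-17", "PERID": "840317-1234"},
    {"PERNR": "00067890", "VORNA": "Ben", "NACHN": "Sample", "GBDAT": "1990-11-02", "PERID": "901102-5678"},
]
BANK_DETAILS = [  # joined to PERSONAL_DATA on PERNR
    {"PERNR": "00012345", "BANKN": "DE89370400440532013000"},
    {"PERNR": "00067890", "BANKN": "DE02120300000000202051"},
]

# Assumption: the key is kept outside the copied system (e.g. in a secrets store)
# and rotated for every refresh, so tokens from two refreshes cannot be linked.
MASKING_KEY = b"constructed-demo-key"

# Values that must never survive into the non-productive copy.
DIRECT_IDENTIFIERS = ("PERNR", "VORNA", "NACHN", "PERID", "BANKN")


def pseudonymise_id(value, key=MASKING_KEY, width=8):
    """Keyed, deterministic token for an identifier.

    HMAC rather than a plain hash: without the key nobody can recompute the
    token from a guessed PERNR, yet the same PERNR always yields the same
    token within one refresh, so joins between tables still work in QA.
    """
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return str(int(digest, 16) % (10 ** width)).zfill(width)


def generalise_birth_date(iso_date):
    """Keep only the year: enough for age-band logic, not for re-identification."""
    return date.fromisoformat(iso_date).strftime("%Y-01-01")


def redact_iban(iban):
    """Keep the country code so format checks still behave, blank everything else."""
    return iban[:2] + "X" * (len(iban) - 2)


def mask_personal_data(record):
    token = pseudonymise_id(record["PERNR"])
    return {
        "PERNR": token,
        "VORNA": "First" + token[-4:],  # synthetic name tied to the token
        "NACHN": "Last" + token[-4:],
        "GBDAT": generalise_birth_date(record["GBDAT"]),
        "PERID": "",                     # no test scenario needs the real national ID
    }


def mask_bank_details(record):
    return {"PERNR": pseudonymise_id(record["PERNR"]), "BANKN": redact_iban(record["BANKN"])}


def leaked_values(originals, masked):
    """Return every original direct-identifier value that still appears anywhere
    in the masked output. An empty list means the copy is clean."""
    masked_blob = " ".join(str(v) for row in masked for v in row.values())
    return sorted({
        row[field] for row in originals for field in DIRECT_IDENTIFIERS
        if field in row and row[field] and row[field] in masked_blob
    })


def mask_extract(personal=PERSONAL_DATA, bank=BANK_DETAILS):
    """Mask both tables and verify that nothing leaked before release to QA."""
    masked_personal = [mask_personal_data(r) for r in personal]
    masked_bank = [mask_bank_details(r) for r in bank]
    leaks = leaked_values(personal + bank, masked_personal + masked_bank)
    if leaks:
        raise ValueError(f"refusing to release extract, identifiers leaked: {leaks}")
    return masked_personal, masked_bank


if __name__ == "__main__":
    for table in mask_extract():
        for row in table:
            print(row)
```

The design choice worth noting is the keyed token: a plain SHA-256 of an eight-digit personnel number can be reversed by hashing all hundred million candidates, so the pseudonym only protects the data subject if the key is secret and stays in production. The closing leak check is the part to keep in any real refresh procedure, since it is the evidence that the copied environment no longer processes the original personal data.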
Pitfall 5: Neglecting the training and GDPR awareness of your SAP HCM architects and functional/technical team.
It is also essential to train the IT architects and the functional and technical staff in charge of SAP HCM, as they are going to develop and implement technical solutions for your department. They are therefore your guarantee that these solutions are fully compliant from their development onwards and throughout the whole lifecycle of the processes. Properly trained, they will ensure that the solutions they develop respect the principles of personal data protection by design and by default.
Based on our experience, we can say that SAP does not offer an extensive range of tools that can be easily configured and adapted to HR needs when implementing GDPR compliance. We have encountered this issue many times, and to satisfy the needs of our customers Adessa has developed a unique and innovative approach.
Our GDPR for HCM approach is a set of technological components gathered in a cockpit. Practical tools with a down-to-earth approach offer a customer-tailored solution adapted to your needs and mitigating the risks, all to ensure long-term compliance.
Our technical and functional teams have extensive experience not only in SAP HCM solutions but also in conducting GDPR projects.
Would you like assistance in preparing your SAP HCM for GDPR compliance?
Adessa can help you to accelerate the implementation of your compliance project, mitigate the risks and significantly reduce the costs.
Please fill in your details below, so we can contact you.