There’s a lot happening in Europe at the moment. The United Kingdom is leaving the bloc of 22 European Union (EU) nations after the uncomfortably close national referendum vote that led to Brexit. France and Germany are busy getting along better than at any time in recent history, given their new status as de facto dual leading European nations.

As if the European Union (EU) didn’t have enough on its plate right now, the General Data Protection Regulation (GDPR) will take effect on May 25, 2018. Though it’s an EU regulation, the GDPR has the potential to send a ripple effect throughout any business in the world with data on European citizens within its systems.

What is the GDPR, and Why Should North America Care?

This new piece of legislation is intended to protect individuals’ data rights. It requires that any organization holding personal data for EU individuals must show that it has taken a defined level of compliance steps to protect that data. To become GDPR compliant, organizations must also show that they comply with stipulations governing how that data is managed and audited.

What kind of EU citizen personal information does it cover? The extent of the answer may surprise you. It includes credit card numbers, banking details, health reports, and even user data as seemingly insignificant as video game login details.

GDPR, a Global Issue

Which nations are affected by GDPR? The answer is sweeping. It will apply to all European firms, including the British (despite their EU departure). It will also affect all global firms including those in the United States and Canada that hold any personal data relating to EU citizens. Deeper still, any U.S. or Canadian firm that offers goods or services to EU residents or monitors their commercial or personal behavior in any form (such as tracking their buying habits), will be required to comply with the GDPR.

A Potentially Expensive Data Problem

According to mlaw group, "The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4 percent of worldwide turnover."

That last line was important. The EU has promised that it will issue penalties to North American firms (or any foreign organization) of up to 4 percent of worldwide turnover. Can North American firms just ignore those fines if they come? It’s difficult to say how the international legal ramifications and consequences would ultimately play out, but we can safely assume that it would dent any firm’s ability to continue trading with Europe in a full-blown capacity.

GDPR, an Issue for SAP Customers

It’s not hard to form the logical link between GDPR and SAP systems. As ASUG members are all too aware, the majority of SAP systems are deployed in what are classified as mission-critical environments where business data relates to specific people and entities. SAP itself has reminded enterprises that they need to carry out Data Protection Impact Assessments (DPIAs) as a part of their overall risk management strategy to address GDPR. Many ASUG members may also now be thinking about appointing a Data Protection Officer–if they don’t have one already.

The Risk of Dark Data May Lurk in Your Systems

The risk with GDPR amplifies when companies harbor so-called dark data. Gartner defines dark data as the information assets organizations collect, process, and store during regular activities, but generally fail to use for other purposes such as analytics or direct monetization. This is the type of data that SAP customers may have in their vaults right now and regard as innocuous or inconsequential. But it could put companies at risk of GDPR noncompliance.

Once GDPR enforcement starts, companies can retain personal data for EU citizens if it is still being used for the original purpose that was stated to that individual when the data was collected. And companies must delete this personal data when it is no longer needed for that purpose.

“When it comes to GDPR preparedness, on a scale of zero to one hundred, there are quite a few, mostly smaller firms that are at zero, whereas most of the largest firms with international operations are somewhere between 90 and 95, and no one is at 100,” said Timothy Blank, managing partner of the Boston office of the law firm Dechert, LLP and head of its data privacy and cybersecurity practice, in an interview with Reuters.

SAP GDPR Resources

Technologies exist across several of SAP’s major product lines to assist with GDPR compliance. SAP offers four core tools that can help: SAP Information Lifecycle Management, SAP Data Services and Information Steward, SAP Process Control, and SAP Access Control.

SAP provides features and tools that can be used as part of an overall compliance effort, as well. These tools provide key functions, such as locating where personal data exists in your systems, deleting personal data, restricting and logging access to personal data (including reads and changes), and masking personal data to make it anonymous.

SAP Governance, Risk, and Compliance users can sign up for the Customer Engagement Initiative, which gives SAP customers access to a collaborative project designed to help users improve their privacy management programs with SAP Governance, Risk, and Compliance. A comprehensive guide is available here. This document download highlights what you need to know about GDPR and SAP S/4HANA.

Catch up on this topic by watching the recorded webcasts in our GDPR Series.