The program has been invaluable in enabling us to identify opportunities for re-engineering and automating processes, refine best practices, enhance our software, and road-test our applications. As we support our customers on their GDPR compliance journeys, I thought it might help to share some useful lessons we’ve learned based on our own experiences.
- Act now
The clock is ticking. The GDPR will be enforced from 25 May 2018, so if you haven’t already begun your compliance journey you should start immediately. For some organizations, achieving compliance may only involve some fine-tuning of existing policies and processes, but for others with more complex requirements it may necessitate more fundamental changes. While most of the publicity focuses on this deadline and the severe penalties for noncompliance, it’s important to remember that the GDPR is a continuum and organizations also need to demonstrate ongoing compliance after that date.
At SAP, data processing is our core business so we had the advantage of starting early. We are on target to achieve compliance by 25 May 2018, but we are also aware that further improvements – particularly the automation of manual processes – will still be needed in certain areas as we move forward.
- Build the right team
The GDPR isn’t just an IT issue; it potentially affects all areas of the business, and the composition of the program team should reflect this. Who takes the lead will depend on the individual organization, as structures, priorities, resources, and levels of complexity will vary. In SAP’s case, our GDPR compliance program has been a cross-board project led by SAP Data Protection & Privacy (DPP) under close oversight by the executive board.
We found that as the project progressed, the team needed to evolve as different skills and knowledge were required. Following the initial analysis and planning stages, for example, the team expanded to include IT architects, developers and consultants as we entered the execution stages.
- Engage with key stakeholders
One of the key elements of the GDPR is accountability, and this is a board-level responsibility so it’s essential to get buy-in from key business stakeholders from the start. Once the SAP board had approved our GDPR plan, DPP established a program structure that involved several lines of business with an executive sponsor, business leader and program manager assigned to each.
This is particularly important to ensure you can allocate the right resources to the program. Like any other large organization running multiple initiatives concurrently, we had to overcome resource and budget constraints, as reallocating someone to the GDPR program created a backfill requirement elsewhere.
- Focus on people, process, and technology
If there was a program that required focus on people, process, and technology, GDPR is it. From a people perspective, communicating to a large global workforce is a particular challenge. SAP is currently rolling out a company-wide training and awareness system to ensure that every SAP employee is aware of the data protection guidelines and understands their accountability for processing personal data in a compliant manner. From a process perspective, SAP DPP and SAP IT have developed the Procedure Enrollment Tool (PET) to capture and record all procedures that process personal data, and this is currently being used by lines of business and IT. From a technology enablement perspective, systems are currently being upgraded, developed, and tested to ensure business processes are processing personal data in line with GDPR requirements.
- Choose the right tools for the job
IT had a dual role in SAP’s GDPR program. The first was to address our own internal data processes and procedures, and we were in the fortunate position of being able to use our own products to address GDPR requirements. The second role was to work closely as a co-innovation partner with our development organization to understand what features were needed for GDPR in our solutions from a customer perspective.
- Get your business fitter for the digital economy
Our GDPR compliance journey has confirmed our belief that transforming the way you handle data and manage risk and compliance is a catalyst to getting your business in better shape for the digital economy. SAP’s growth has been both organic and through acquisitions, and our next challenge is the centralization of personal data from multiple line-of-business systems into a single central system. This will remove duplication, increase data processing efficiency, and limit our exposure to data privacy risk.
SAP is a large and diverse global organization, and our GDPR compliance program has been challenging at times. But it has also provided a valuable learning experience across the organization, and for our consulting and development teams in particular. I am pleased to say that this practical knowledge – supported by our broad portfolio of integrated data management and governance, risk, and compliance solutions – is already helping SAP customers as they progress on their GDPR compliance journeys.
Although 25 May 2018 is a landmark date, GDPR compliance is an ongoing process and we will continue to learn valuable lessons as we move forward. If you would like to find out more about our experiences and how we could help, please get in touch today.