SAP users still haven't grasped the implications of GDPR
- Summary:
- GDPR is coming. While members of the UK and Ireland SAP User Group are aware that this is an issue, an overwhelming majority still don't know what to do about it.
GDPR has been constructed around the premise of increased protection of the privacy of users, particularly in relation to the security of personal and customer data. To that end, it introduces new rules, for any organisation operating in the EU or any organisation that handles the data of EU citizens, around how businesses must handle personal data.
Failure to comply with the new regulations will result in fines of up to 4% of total worldwide turnover. This time last year, it was reported that around three quarters of cloud applications didn’t meet the requirements of GDPR. Twelve months on, and with the clock ticking down to the deadline of 25 May 2018, have things improved?
Not so much, would seem to be the answer, certainly as far as understanding of the issue is concerned. According to new research from the UK & Ireland SAP User Group, around 86% of users have yet to grasp the implications of GDPR as it relates to their existing and future SAP inventory.
That said, there is a growing awareness that a ‘something must be done’ moment is fast approaching: just under half (49%) of users said they had greater concerns around the security of their SAP landscape than they did 12 months ago, while just over half (51%) said they had greater concerns around the compliance of their SAP landscape than they did 12 months ago.
Greater adoption of cloud computing isn’t helping here, nor is workforce mobility. Some 53% of users said cloud computing increases compliance challenges around SAP, while 57% make the same complaint of workforce mobility. That’s a big issue when the SAP product portfolio is increasingly built around both, admits Brian Froom, Audit, Control and Security SIG Chair, UK & Ireland SAP User Group:
With the continued growth of cloud computing and increasingly mobile workforces, it is a challenge for organisations to fully understand where their data is residing and how it is being accessed. At a time when SAP’s product portfolio is becoming ever more focused on cloud and mobile, it is essential that users fully understand both the technology and its security and compliance implications.
SAP itself has voiced concerns about aspects of GDPR, particularly the punitive elements. For example, Bernd Leukert, head of products and innovation at SAP, told the Financial Times back in January that he felt the penalties were too high, especially for a single violation, adding that multiple instances could wipe out certain firms’ revenues completely.
Of the User Group findings, Simon Niesler, Chief Operating Officer, SAP UK & Ireland comments:
We appreciate customer concerns about the implications of GDPR. The more bureaucracy and complexity you have in your business segment, the harder it is to grow quickly, and speed is what matters today.
This is why we want to work closely with our customers to ensure they have the right technology infrastructure in place that meets both local and global legislative needs. There may be local regulations, but we need these issues solved on a global basis, and SAP is working with the international community on behalf of its customers and partners to do so.
But the UK User Group says that 70% of its members are struggling with SAP access control as a mechanism to ensure compliance is in place. Some 73% find it a challenge to balance workforce productivity and flexibility against ensuring their SAP landscape is secure and compliant.
Just under half of users (47%) said they use SAP GRC [Governance Risk and Compliance] for governance. Those who don’t cite cost and complexity as among the reasons for not doing so. Froom says:
Many organisations are in a catch-22 situation when it comes to balancing workforce productivity and flexibility against security and compliance. Considering the business-critical nature of SAP it is understandable that access control is an ongoing challenge.
My take
We're going to see a lot more of this over the next 11 months. There's really nothing that can be done other than to knuckle down and get to grips with this. It's possible that post-Brexit there might be a different UK data protection regime, but in the first instance GDPR applies to organisations in the UK. Ignorance of the law is no excuse. Tick tock, tick tock.