GDPR: More Than Data Management, It’s About Governance

Neil Patrick

As you know, the General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679, is the revision to the European Union (EU) data protection law that becomes enforceable on May 25, 2018. Lately, I’ve been noticing that several software solutions and presentations focus on the data management aspects of GDPR—the “consent, deleting, blocking, retention” spectrum of GDPR compliance. Of course, this is necessary, and a good starting point.

However, the challenge posed to companies by GDPR is more about the organisational and procedural changes that will be necessary to demonstrate that a company is taking seriously the need to protect personal data as a business-as-usual regime through all echelons of stakeholders, operations, technology, and partnerships.

GDPR: It’s complicated

The figure below indicates why this is necessary. It shows the complexity of GDPR by linking interrelationships between the 99 articles in the regulation.

Almost half of the articles in GDPR are related to business procedures associated with policies, record-keeping, and accountabilities of roles and entities in order to demonstrate that a company’s approach to handling personal data is taken as seriously as the regulation requires.

Processing shall be lawful only if the data subject has given consent to processing of personal data (or one of the other five reasons) for a specific purpose, and each purpose must be distinct. Each data-processing activity must connect to a purpose that has a finite business scope, specific lawful reasons for conducting it, and a finite lifetime.

The fact that so many of the articles reference each other indicates the need for robust, enterprise-ready, holistic policy and process compliance software to address this plate of regulatory spaghetti. The governance is a challenge.

Why GDPR is a bit like wiretapping

Let me use wiretapping as a topical analogy to separate the technical from the governance aspects.

Conducting modern wiretapping is a technical task requiring modern technology, leading-edge software, and smart and experienced people. This is the equivalent of the data-play conversation in GDPR: how to tag data, delete data, block access to it, archive it with legal retention periods, and so on.

However, the parallel activity—and many would argue a more important aspect—is the actual governance of wiretapping. This governance includes whether a wiretap should take place, who approves it, what its duration and scope are, and what levels of intrusion are acceptable. This is the equivalent of the governance of GDPR, or the meat that the supervising authorities will want to pick over as evidence of compliance.

The controller’s responsibilities

GDPR Article 5 Chapter 2 requires that “the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

I was talking to someone recently who picked out Article 30 as a troublesome area. To help me understand it, I created a mind-map diagram that spells out in detail the record-keeping requirements of processors and controllers.

Data processors now have direct obligations, like controllers. They must maintain a written record of the processing categories carried out on behalf of each controller, and notify each controller without undue delay once they become aware of a data breach.

Controllers must maintain a written record of processing activities.

So as in the wiretapping analogy, it’s not enough to be able to technically achieve the requirement. Tight governance must be maintained on how the task is managed.

Compliance must be done, and be seen as done

The governance complexity becomes an almost exponential equation:

  • Multiply these duties by number of purposes (with dates when they expire), business activities, and new initiatives
  • Factor in business units engaged in all or parts of these activities
  • Add software systems that deliver the content and analysis
  • And finally, consider categories of data subjects, categories of processing, post-processing retention requirements, subprocessors, and relevant contact people.

Companies need to document all of these and be able to show evidence to the regulator. In other words, the governance expectations of data controllers and data processors are significant. And this is really why companies have been given two years to implement GDPR—because to demonstrate compliance with the regulation (and avoid the eye-watering fines), an organisation must show ongoing and systematic accountability, good governance, and sustainable procedures to the regulator.

Learn more

Follow this link for more information on control monitoring and risk management.

This article, GRC Tuesdays: GDPR Is about More Than Data Management, It’s about Governance, originally appeared on the SAP BusinessObjects Analytics blog and is republished by permission.

About Neil Patrick

Dr. Neil Patrick is a Director of SAP Centre of Excellence for GRC & Security covering EMEA. He has over 12 years’ experience in Governance, Risk Management and Compliance (GRC) & Security fields. During this time he has been a managing consultant, run professional services delivery teams in the UK and USA, conducted customer business requirements sessions around the world, and sales and business development initiatives. Neil has presented core GRC and Security thought leadership sessions in strategic customer-facing engagements, conferences and briefing sessions.

How Technology Can Help Modernize Your Account Reconciliations

Zach Deming

In my last two blogs, we’ve looked at the importance of accurate account reconciliations, best practices, and why training is key. In this blog, we’ll wrap up how to modernize your account reconciliations by tackling the biggest hurdle of all: change. Once you’ve overcome any resistance to change and adopted technology, then you can start seeing the fruits of your labor.

Companies cannot afford to stay blind to reality and continue to avoid identifying and addressing the risks of the unknown. That’s like avoiding the doctor for fear of what you’ll find out. You can put off looking into what’s going on within your accounting operations. But that won’t make the problems go away. And if something does go wrong, and you have a material weakness or need to restate earnings before you’ve had a chance to investigate, you could have very serious problems.

Scary, I know. But it isn’t just doom and gloom and avoiding risk. There are tangible benefits to moving away from manual reconciliations and adopting technology to help you get the job done right.

Risk is scary, but there’s cause for optimism

Today’s technology can automate the account reconciliation process, enhancing the benefits of process optimization while increasing the accounting team’s overall productivity. It can help you increase compliance and eliminate the risk of error from using spreadsheets, providing:

  • Automated workflow
  • Real-time dashboard reporting
  • Reconciliation templates that provide consistency as well as automated schedules
  • Audit trails, as well as prior period history
  • Auto certification of low-risk, routine account reconciliations

You can gain instant insight across the finance organization, with a personalized and simple user experience, with a central repository for all reconciliation and supporting documentation, allowing global secure access anytime from anywhere.

Real-time data to support decision-making

With your account and supporting-item information in one place, you can have access to real-time data to inform your business decisions. You can run reports to see the aging of your reconciling items, and easily identify errors and the impact they could have on your financial statements.

Accountants can be rid of manual drudgery and automate repetitive tasks, leaving them more time for analysis. Finance teams can get more done in less time, even as the company scales, without increasing headcount. And CEOs can access real-time financial information without waiting for the completion of every closing task.

Embracing the concepts of continuous accounting and applying technology empowers pioneering accountants and finance teams alike to improve the quality of their work while, perhaps most importantly, removing the risk of the unknown. As a result, companies can better analyze what’s affecting the numbers, and always know where they stand. In short, knowledge identifies and eliminates risk.

In the next blog, we’ll wrap up the Continuous Accounting Series with an overview of the series.

About Zach Deming

Zach Deming is the director of Product Marketing at BlackLine. Zach partners with accounting and finance leaders to help them realize how their spreadsheet-driven processes hiding in the shadows simply can’t cope with the demands of always-on modern business, and the expectation of real-time analysis. After a decade in the industry, he thinks the benefits of cloud software can free accountants from the chains of transactions, liberating them to focus on strategy and analysis. Zach is skeptical of the robot uprising, and as a champion of Continuous Accounting, he believes the future of accounting does not lie in new technology alone, but also with the nuanced intelligence of skilled accountants. Connect with Zach on LinkedIn and Twitter (@ZachDeming).

The Genesis Of Poor Planning Decisions

Pras Chatterjee

Part 11 in the Dynamic Planning Series

A question I get all the time when working with FP&A professionals around the world is, “Should we plan annually?” As a simple person, I have a simple answer: “No.” We live in a fast-changing world, and that pace of change is only going to increase. I have yet to meet anyone in business who believes that the rate and magnitude of change is going to decrease. At the same time, we need to be able to set realistic goals and targets for our organizations. These two forces can be at odds with each other. How can organizations plan effectively when their environment is constantly changing?

One of the problems with annual planning is that it’s often the genesis of poor decisions. Most organizations dedicate a significant portion of their fiscal fourth quarter to determining where they want to be at year’s end and how they are going to get there. The great flaw in this strategy is that it inherently discourages investments in time, money, and resources that have a payout greater than the next 12 months.

Short-term thinking at the expense of long-term goals

With this artificial constraint, organizations will shy away from activities that aren’t focused on “hitting the number” or that don’t help achieve it. Even when the business cycle of the organization is longer than one year, decisions can be made that aren’t in its best longer-term interest, just to satisfy the short-term result and return structure. It is simply human nature to behave in such a manner, and is often a consequence of compensation plans that reward short-term targets at the expense of long-term goals.

Another challenge with planning on an annual basis is that organizations often fail to anticipate disaster. Since you are managing to an artificial end date, the longer into the cycle you go, the less time you leave yourself to maneuver when change occurs (and it will occur). That’s pushing all the risk to the latter part of the year and hoping nothing goes wrong. The real conundrum here is that if you are wrong about anything in the annual plan, it’s probably too late to fix it – or fix it inexpensively. You can make adjustments, but at an unnecessarily high cost.

Missed opportunities to identify business drivers

Another weakness of the annual planning process (APP) is that it can make it harder for an organization to identify cause and effect. Again, given that many of the activities have return periods of greater than 12 months, organizations weaken the link between smart business activities and achieving long-term goals. By focusing on activities that will have payouts within the year, it makes it more difficult to understand the true drivers of the organization.

And an APP can weaken the value of your benchmarks. By definition, you need to finish the year first to understand performance against any past benchmarks. This approach makes it harder to understand how you are performing against your competitors in the first quarter, or whether the second and third quarters look the way you expect. End-of-year becomes your single data point.

This is truly the opposite of dynamic planning. When you limit the opportunity to understand what’s happening in the moment, you limit the opportunity to react to a changing environment – and that can be the genesis of poor decisions that put you at a strategic disadvantage.

I hope you will be able to join us to discuss forecasting, planning, and budgeting at one of the many upcoming FP&A events SAP will be hosting over the next several months, including the Financial Excellence Forum in New York City next week, Financials 2018 in Las Vegas in February 2018, and Centric Financials in Dallas/Ft. Worth in March 2018.

For more information about dynamic planning, click here.

About Pras Chatterjee

Pras Chatterjee is a senior director of Product Marketing for Enterprise Performance Management at SAP, specializing in planning solutions. Prior to joining Product Marketing, Pras was a practice manager for SAP Business Analytics Services in North America as a leader in the EPM practice. He has also served as a solution architect for SAP Business Planning and Consolidation version for the Microsoft platform and SAP NetWeaver, focusing on planning and consolidations around the globe. Pras is a Chartered Professional Accountant and has worked with various software firms in the EPM space, and has had a career in finance with various Fortune 500 organizations.

Diving Deep Into Digital Experiences

Kai Goerlich

 

  • Google Cardboard VR goggles cost US$8
  • By 2019, immersive solutions will be adopted in 20% of enterprise businesses
  • By 2025, the market for immersive hardware and software technology could be $182 billion
  • In 2017, Lowe’s launched Holoroom How To VR DIY clinics


From Dipping a Toe to Fully Immersed

The first wave of virtual reality (VR) and augmented reality (AR) is here, using smartphones, glasses, and goggles to place us in the middle of 360-degree digital environments or overlay digital artifacts on the physical world. Prototypes, pilot projects, and first movers have already emerged:

  • Guiding warehouse pickers, cargo loaders, and truck drivers with AR
  • Overlaying constantly updated blueprints, measurements, and other construction data on building sites in real time with AR
  • Building 3D machine prototypes in VR for virtual testing and maintenance planning
  • Exhibiting new appliances and fixtures in a VR mockup of the customer’s home
  • Teaching medicine with AR tools that overlay diagnostics and instructions on patients’ bodies

A Vast Sea of Possibilities

Immersive technologies leapt forward in spring 2017 with the introduction of three new products:

  • Nvidia’s Project Holodeck, which generates shared photorealistic VR environments
  • A cloud-based platform for industrial AR from Lenovo New Vision AR and Wikitude
  • A workspace and headset from Meta that lets users use their hands to interact with AR artifacts

The Truly Digital Workplace

New immersive experiences won’t simply be new tools for existing tasks. They promise to create entirely new ways of working.

VR avatars that look and sound like their owners will soon be able to meet in realistic virtual meeting spaces without requiring users to leave their desks or even their homes. With enough computing power and a smart-enough AI, we could soon let VR avatars act as our proxies while we’re doing other things—and (theoretically) do it well enough that no one can tell the difference.

We’ll need a way to signal when an avatar is being human driven in real time, when it’s on autopilot, and when it’s owned by a bot.


What Is Immersion?

A completely immersive experience that’s indistinguishable from real life is impossible given the current constraints on power, throughput, and battery life.

To make current digital experiences more convincing, we’ll need interactive sensors in objects and materials, more powerful infrastructure to create realistic images, and smarter interfaces to interpret and interact with data.

When everything around us is intelligent and interactive, every environment could have an AR overlay or VR presence, with use cases ranging from gaming to firefighting.

We could see a backlash touting the superiority of the unmediated physical world—but multisensory immersive experiences that we can navigate in 360-degree space will change what we consider “real.”


Download the executive brief Diving Deep Into Digital Experiences.


Read the full article Swimming in the Immersive Digital Experience.

About Kai Goerlich

Kai Goerlich is the Chief Futurist at SAP Innovation Center network. His specialties include Competitive Intelligence, Market Intelligence, Corporate Foresight, Trends, Futuring and ideation. Share your thoughts with Kai on Twitter @KaiGoe.

Blockchain: Much Ado About Nothing? How Very Wrong!

Juergen Roehricht

Let me start with a quote from McKinsey, which in my view hits the nail right on the head:

“No matter what the context, there’s a strong possibility that blockchain will affect your business. The very big question is when.”

Now, in the industries that I cover in my role as general manager and innovation lead for travel and transportation/cargo, engineering, construction and operations, professional services, and media, I engage with many different digital leaders on a regular basis. We are having visionary conversations about the impact of digital technologies and digital transformation on business models and business processes and the way companies address them. Many topics are at different stages of the hype cycle, but the one that definitely stands out is blockchain as a new enabling technology in the enterprise space.

Just a few weeks ago, a customer said to me: “My board is all about blockchain, but I don’t get what the excitement is about – isn’t this just about Bitcoin and a cryptocurrency?”

I can totally understand his confusion. I’ve been talking to many blockchain experts who know that it will have a big impact on many industries and the related business communities. But even they are uncertain about the where, how, and when, and about the strategy on how to deal with it. The reason is that we often look at it from a technology point of view. This is a common mistake, as the starting point should be the business problem and the business issue or process that you want to solve or create.

In my many interactions with Torsten Zube, vice president and blockchain lead at the SAP Innovation Center Network (ICN) in Potsdam, Germany, he has made it very clear that it’s mandatory to “start by identifying the real business problem and then … figure out how blockchain can add value.” This is the right approach.

What we really need to do is provide guidance for our customers to enable them to bring this into the context of their business in order to understand and define valuable use cases for blockchain. We need to use design thinking or other creative strategies to identify the relevant fields for a particular company. We must work with our customers and review their processes and business models to determine which key blockchain aspects, such as provenance and trust, are crucial elements in their industry. This way, we can identify use cases in which blockchain will benefit their business and make their company more successful.

My highly regarded colleague Ulrich Scholl, who is responsible for externalizing the latest industry innovations, especially blockchain, in our SAP Industries organization, recently said: “These kinds of use cases are often not evident, as blockchain capabilities sometimes provide minor but crucial elements when used in combination with other enabling technologies such as IoT and machine learning.” In one recent and very interesting customer case from the autonomous province of South Tyrol, Italy, blockchain was one of various cloud platform services required to make this scenario happen.

How to identify “blockchainable” processes and business topics (value drivers)

To understand the true value and impact of blockchain, we need to keep in mind that a verified transaction can involve any kind of digital asset such as cryptocurrency, contracts, and records (for instance, assets can be tangible equipment or digital media). While blockchain can be used for many different scenarios, some don’t need blockchain technology because they could be handled by a simple ledger, managed and owned by the company, or have such a large volume of data that a distributed ledger cannot support it. Blockchain would not be the right solution for these scenarios.

Here are some common factors that can help identify potential blockchain use cases:

  • Multiparty collaboration: Are many different parties involved in the process or scenario, yet one party dominates everything? For example, a company with many parties in its ecosystem that are all connected to it, but not in a network or more decentralized structure.
  • Process optimization: Will blockchain massively improve a process that today is performed manually, involves multiple parties, needs to be digitized, and is very cumbersome to manage or be part of?
  • Transparency and auditability: Is it important to offer each party transparency (e.g., on the origin, delivery, geolocation, and hand-overs) and auditable steps? (e.g., How can I be sure that the wine in my bottle really is from Bordeaux?)
  • Risk and fraud minimization: Does it help (or is there a need) to minimize risk and fraud for each party, or at least for most of them in the chain? (e.g., A company might want to know if its goods have suffered any shocks in transit or whether the predefined route was not followed.)

Connecting blockchain with the Internet of Things

This is where blockchain’s value can be increased and automated. Just think about a blockchain that is not just maintained or simply added by a human, but automatically acquires different signals from sensors, such as geolocation, temperature, shock, usage hours, alerts, etc. One that knows when a payment or any kind of money transfer has been made, a delivery has been received or arrived at its destination, or a digital asset has been downloaded from the Internet. The relevant automated actions or signals are then recorded in the distributed ledger/blockchain.

Of course, given the massive amount of data that is created by those sensors, automated signals, and data streams, it is imperative that only the very few pieces of data coming from a signal that are relevant for a specific business process or transaction be stored in a blockchain. By recording non-relevant data in a blockchain, we would soon hit data size and performance issues.

Ideas to ignite thinking in specific industries

  • The digital, “blockchained” physical asset (asset lifecycle management): No matter whether you build, use, or maintain an asset, such as a machine, a piece of equipment, a turbine, or a whole aircraft, a blockchain transaction (genesis block) can be created when the asset is created. The blockchain will contain all the contracts and information for the asset as a whole and its parts. In this scenario, an entry is made in the blockchain every time an asset is: sold; maintained by the producer or owner’s maintenance team; audited by a third-party auditor; has malfunctioning parts; sends or receives information from sensors; meets specific thresholds; has spare parts built in; requires a change to the purpose or the capability of the assets due to age or usage duration; receives (or doesn’t receive) payments; etc.
  • The delivery chain, bill of lading: In today’s world, shipping freight from A to B involves lots of manual steps. For example, a carrier receives a booking from a shipper or forwarder, confirms it, and, before the document cut-off time, receives the shipping instructions describing the content and how the master bill of lading should be created. The carrier creates the original bill of lading and hands it over to the ordering party (the current owner of the cargo). Today, that original paper-based bill of lading is required for the freight (the container) to be picked up at the destination (the port of discharge). Imagine if we could do this as a blockchain transaction and by forwarding a PDF by email. There would be one transaction at the beginning, when the shipping carrier creates the bill of lading. Then there would be look-ups, e.g., by the import and release processing clerk of the shipper at the port of discharge and the new owner of the cargo at the destination. Then another transaction could document that the container had been handed over.

The future

I personally believe in the massive transformative power of blockchain, even though we are just at the very beginning. This transformation will be achieved by looking at larger networks with many participants that all have a nearly equal part in a process. Today, many blockchain ideas still have a more centralistic approach, in which one company has a more prominent role than the (many) others and often is “managing” this blockchain/distributed ledger-supported process/approach.

But think about the delivery scenario today, where goods are shipped from one door or company to another door or company, across many parties in the delivery chain: from the shipper/producer via the third-party logistics service provider and/or freight forwarder; to the companies doing the actual transport, like vessels, trucks, aircraft, trains, cars, ferries, and so on; to the final destination/receiver. And all of this happens across many countries, many borders, many handovers, customs, etc., and involves a lot of paperwork, across all constituents.

“Blockchaining” this will be truly transformational. But it will need all constituents in the process or network to participate, even if they have different interests, and to agree on basic principles and an approach.

As Torsten Zube put it, I am neither a “blockchain extremist” nor a denier who believes this is just hype, but a realist open to embracing a new technology in order to change our processes for our collective benefit.

Turn insight into action, make better decisions, and transform your business. Learn how.

About Juergen Roehricht

Juergen Roehricht is General Manager of Services Industries and Innovation Lead of the Middle and Eastern Europe region for SAP. The industries he covers include travel and transportation; professional services; media; and engineering, construction and operations. Besides managing the business in those segments, Juergen is focused on supporting innovation and digital transformation strategies of SAP customers. With more than 20 years of experience in IT, he stays up to date on the leading edge of innovation, pioneering and bringing new technologies to market and providing thought leadership. He has published several articles and books, including Collaborative Business and The Multi-Channel Company.