GDPR: More Than Data Management, It’s About Governance

Neil Patrick

As you know, the General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679, is the overhaul of European Union (EU) data protection law that becomes enforceable on 25 May 2018. Lately, I have noticed that many software solutions and presentations focus on the data management aspects of GDPR, the "consent, deletion, blocking, retention" spectrum of compliance. That work is necessary, and it is a good starting point.

However, the larger challenge GDPR poses to companies is organisational and procedural: the changes needed to demonstrate that protecting personal data is a business-as-usual regime across every echelon of stakeholders, operations, technology, and partnerships.

GDPR: It’s complicated

The figure below indicates why this is necessary. It shows the complexity of GDPR by mapping the cross-references among the regulation's 99 articles.

Almost half of the articles in GDPR concern business procedures: policies, record-keeping, and the accountabilities of roles and entities, all needed to demonstrate that a company's handling of personal data is taken as seriously as the regulation requires.

Processing is lawful only if the data subject has given consent to the processing of personal data for a specific purpose (or one of the other five lawful bases in Article 6 applies), and each purpose must be distinct. Every data-processing activity must therefore be tied to a purpose with a finite business scope, a specific lawful basis, and a finite lifetime.

The fact that so many of the articles reference each other indicates the need for robust, enterprise-ready, holistic policy and process compliance software to address this plate of regulatory spaghetti. The governance is the challenge.

Why GDPR is a bit like wiretapping

Let me use wiretapping as a topical analogy to separate the technical aspects from the governance aspects.

Conducting modern wiretapping is a technical task requiring modern technology, leading-edge software, and smart, experienced people. This is the equivalent of the data-management conversation in GDPR: how to tag data, delete it, block access to it, archive it with legal retention periods, and so on.

However, the parallel activity, and many would argue the more important one, is the governance of wiretapping: whether a wiretap should take place at all, who approves it, what its duration and scope are, and what level of intrusion is acceptable. This is the equivalent of GDPR governance, the meat that the supervisory authorities will want to pick over as evidence of compliance.

The controller’s responsibilities

GDPR Article 5(2) requires that "the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')."

I was talking to someone recently who picked out Article 30 as a troublesome area. To help me understand it, I created a mind-map diagram that spells out in detail the record-keeping requirements placed on processors and controllers.

Data processors now have direct obligations, like controllers. Under Article 30(2) they must maintain a written record of the categories of processing carried out on behalf of each controller, and under Article 33(2) they must notify the controller without undue delay after becoming aware of a personal data breach.

Controllers must maintain a written record of the processing activities under their responsibility (Article 30(1)).

So, as in the wiretapping analogy, it is not enough to be technically able to meet the requirement. Tight governance must be maintained over how the task is managed.

Compliance must be done, and be seen as done

The governance complexity becomes a combinatorial problem:

  • Multiply these duties by the number of purposes (each with an expiry date), business activities, and new initiatives
  • Factor in the business units engaged in all or part of these activities
  • Add the software systems that deliver the content and analysis
  • And finally, consider categories of data subjects, categories of processing, post-processing retention requirements, sub-processors, and the relevant contact people.

Companies need to document all of this and be able to show the evidence to the regulator. In other words, the governance expectations placed on data controllers and data processors are significant. This is really why companies were given two years to implement GDPR: to demonstrate compliance with the regulation (and avoid the eye-watering fines), an organisation must be able to show the regulator ongoing and systematic accountability, good governance, and sustainable procedures.


This article, GRC Tuesdays: GDPR Is about More Than Data Management, It’s about Governance, originally appeared on the SAP BusinessObjects Analytics blog and is republished by permission.

Follow SAP Finance online: @SAPFinance (Twitter)|LinkedIn|Facebook|YouTube


About Neil Patrick

Dr. Neil Patrick is a Director of the SAP Centre of Excellence for GRC & Security covering EMEA. He has over 12 years' experience in the Governance, Risk Management and Compliance (GRC) and Security fields. During this time he has been a managing consultant, run professional services delivery teams in the UK and USA, conducted customer business requirements sessions around the world, and led sales and business development initiatives. Neil has presented core GRC and Security thought leadership sessions in strategic customer-facing engagements, conferences, and briefing sessions.

Why You Should Bring Diversity Into Procurement, Where It Belongs

Susan Galer

Many companies agree that diversity is a good thing, but connecting buyers with minority-owned suppliers has long been a challenge. Rod Robinson, CEO of ConnXus, founded his company out of his growing frustration as a government procurement officer and small business owner.

Speaking during an expert roundtable at the recent SAP Ariba Live 2017 event, Robinson explained why partnering with SAP Ariba supports both companies’ shared purpose-driven mission.

"I created ConnXus after realizing how inefficient and under-invested the market was," he said. "Bringing technology to bear on the problem to shine a light on the data was the first step. Being able to attract a partner like SAP Ariba is the second. I knew we'd begin as a direct channel to customers, but to truly change the world for greater efficiencies and effectiveness, you have to partner with the world's largest business network."

The partnership aims to help companies improve supplier diversity where it lags, whether the cause is direct or unconscious bias or simply a lack of awareness that diverse suppliers exist. Jon Stevens, global senior vice president of Business Networks at SAP Ariba, said that companies want diversity not only in their workforce but also across their suppliers, because it speeds innovation.

“Small, diverse companies are nimble and very responsive. Having a diverse supply chain allows you to react quickly,” he said. “The other major benefit is having diverse opinions and points of view, which lead to greater innovation at a faster pace. One of the challenges our customers have is awareness of diverse suppliers. Our partnership connects the largest business network to the largest diverse network.”

Unlike past diversity solutions, which often reported to human resources, Robinson said that integrating diversity with procurement produces stronger results. "We're focused on bringing diversity into procurement, where it should be," he said. "What differentiates ConnXus is that we're staying true to our expertise."

Process innovation is just as important

Robinson shared examples of how companies are using the network to innovate faster by developing both new products as well as “new ways to approach old problems.” One supplier responded to an RFP opportunity with an idea for changing the buyer’s product specifications that would significantly reduce costs. Stevens discussed the collaboration network in the context of post-apartheid empowerment programs in South Africa. He cited how two sisters operating a cleaning service used the network to develop new offerings by working with a broader set of customers.

Diversity that makes a difference

As companies expand, many want to track diversity spend for preferential procurement programs or to meet geographically specific objectives. Robinson said ConnXus is supporting these demands along with others, including "matchmaking" within a company's larger supplier base and a subscription-based model for small and midsize businesses. One new offering provides impact results to buyers, reporting on outcomes such as jobs created and wage rates.

IDC research predicts that by the end of 2018, 90% of manufacturing supply chains will use B2B commerce networks as their primary collaboration tool for demand, supply, service, and new product development. That is just one sector. Cloud-based B2B networks are the innovation growth engines of the new economy.


Machine Learning: What’s In It For Finance?

SAP News Center

Automating standard processes has long been the top priority for finance departments. Now things are moving to the next level: thanks to machine learning, intelligent software can handle tasks it has never been able to perform before.

Most enterprises deploy software that posts payment transactions automatically and ensures that compliance rules are met. This means that finance personnel are called on to intervene manually only when exceptions occur, such as a customer omitting key payment data, making a typing error, or paying multiple invoices in a single transaction.

“This is precisely where machine learning comes in,” says Robin Bau, director of Shared Service Automation at SAP. “The new technology can now be deployed in any scenario where additional knowledge is required.”

Machine learning-enabled software learns in a way similar to humans, that is, chiefly through experience, observation, and historical data. It uses self-learning algorithms to spot patterns, recognizes context, and makes predictions. And while the concept of artificial intelligence is by no means new, only now have computers become powerful enough to analyze sufficient volumes of data and allow data scientists to develop the corresponding models from it.

Using machine learning to identify universal processes

Of course, in theory you could hand-write a rule for every conceivable error. Self-learning software saves you the trouble. "The technology runs in the background and 'observes' human actions. When an employee in finance allocates a consolidated payment to multiple invoices, the software remembers the action and performs it autonomously the next time around, without being explicitly programmed to do so," explains Bau.

After a brief "familiarization" phase, the software understands comparatively simple, universal processes. It is also quick to learn company-specific compliance procedures: "Each company has its own rules and business scenarios. All the software needs is access to historic data in order to be able to respond correctly," says Bau.

Built-in AI for SAP solutions

In the medium term, SAP plans to build artificial intelligence into its entire software suite and all of its cloud solutions. One key objective is to ease the workload of shared service organizations.

"Many of the inquiries processed by shared service centers are fairly similar: When was my invoice paid? Why did I receive a reminder? Answering them is a very time-consuming process. [The software] identifies the correct processor when a ticket arrives and can often answer questions itself," says Bau.

Going forward, artificial intelligence will be used for strategic matters, to provide accurate forecasts, and thus to support a company’s growth.


The Future of Cybersecurity: Trust as Competitive Advantage

Justin Somaini and Dan Wellers

The cost of data breaches will reach US$2.1 trillion globally by 2019—nearly four times the cost in 2015.

Cyberattacks could wipe out up to $90 trillion in net global economic benefits by 2030 if cybersecurity does not keep pace with growing threat levels.

Cyber insurance premiums could increase tenfold to $20 billion annually by 2025.

Cyberattacks are one of the top 10 global risks of highest concern for the next decade.

Companies are collaborating with a wider network of partners, embracing distributed systems, and meeting new demands for 24/7 operations.

But the bad guys are sharing intelligence, harnessing emerging technologies, and working round the clock as well, and companies are giving them plenty of weaknesses to exploit:

  • Only 33% of companies today are prepared to prevent a worst-case attack.
  • Only 25% treat cyber risk as a significant corporate risk.
  • 80% fail to assess their customers and suppliers for cyber risk.

The ROI of Zero Trust

Perimeter security alone will not be enough. As interconnectivity increases, so will the adoption of zero-trust networks, which place controls around the data assets themselves rather than around the network edge, and which increase visibility into how those assets are used across the digital ecosystem.
A Layered Approach

Companies that embrace trust as a competitive advantage will build robust security on three core tenets:

  • Prevention: Evolving defensive strategies from security policies and education to enforced access controls
  • Detection: Deploying effective systems for the timely detection of intrusions and notification of those affected
  • Reaction: Implementing incident response plans with the same rigour as other disaster recovery scenarios

They’ll build security into their digital ecosystems at three levels:

  1. Secure products. Security in all applications to protect data and transactions
  2. Secure operations. Hardened systems, patch management, security monitoring, end-to-end incident handling, and a comprehensive cloud-operations security framework
  3. Secure companies. A security-aware workforce, end-to-end physical security, and a thorough business continuity framework

Against Digital Armageddon

Experts warn that the worst-case scenario is a state of perpetual cybercrime and cyber warfare, vulnerable critical infrastructure, and trillions of dollars in losses. A collaborative approach will be critical to combating this persistent global threat, which has implications not just for corporate and personal data but also for strategy, supply chains, products, and physical operations.
Download the executive brief The Future of Cybersecurity: Trust as Competitive Advantage.


Unleash The Digital Transformation

Kadamb Goswami

The world has changed. We have seen massive disruption on multiple fronts: business model disruption, cybercrime, new devices, and an app-centric world. Powerful networks are crucial to success in a mobile-first, cloud-first world that is putting an ever-increasing amount of data at our fingertips. With the Internet of Things (IoT) we can connect instrumented devices worldwide and use the new data to transform business models and products.

Disruption

Disruption comes in many forms. It is not big or scary; it is just another way of describing change and evolution. In the '80s it manifested as call centers. Then, as the digital landscape began to take shape, it was the Internet, then cloud computing, and now it is artificial intelligence (AI).

Digital transformation

Digital transformation means different things to different companies, but in the end I believe it will be the simple salvation that carries us forward. If you search Bing for "digital transformation" (I worked for Microsoft for 15 years before seeing digital transformation through the lens of the outside world), it says it is "the profound and accelerating transformation of business activities, processes, competencies, and models to fully leverage the changes and opportunities of digital technologies and their impact across society in a strategic and prioritized way." (I'll simplify that; keep reading.)

A lot of today's digital transformation ideas are ripped straight from the scripts of science fiction, whether you are talking about the robotic assistant of 2001: A Space Odyssey or the artificial intelligence of the Star Trek series. We are forecasting our future with our imagination. So let's move on to why digital transformation is needed in our current world.

Business challenges

The basic challenges facing businesses today are the same as they have always been: engaging customers, empowering employees, optimizing operations, and reinventing the value offered to customers. What has changed is the unique convergence of three things:

  1. Increasing volumes of data, driven in particular by the digitization of "things" and heightened individual mobility and collaboration
  2. Advances in data analytics and intelligence that draw actionable insight from the data
  3. The ubiquity of cloud computing, which puts this disruptive power in the hands of organizations of all sizes, increasing the pace of innovation and competition

Digital transformation in plain English

Hernan Marino, senior vice president, marketing, and global chief operating officer at SAP, explains digital transformation with specific industry examples to make it simpler.

Automobile manufacturing used to be the work of assembly lines: people working side by side, literally piecing together, painting, and churning out vehicles. It transitioned to automation, reducing costs and minimizing human error. That was a business transformation. Now we are seeing companies like Tesla and BMW incorporate technology into their vehicles that essentially makes them computers on wheels. Cameras. Sensors. GPS. Self-driving vehicles. Syncing your smartphone with your car.

The point is that companies need to make upfront investments in infrastructure to take advantage of digital transformation, and that upfront investment will pay dividends in the long run as technological innovations abound. It is our job to work collaboratively with our customers to understand what infrastructure changes need to be made to achieve and exploit digital transformation.

Marino gives electric companies as another example. Remember a few years ago, when you would go outside your house and see the little power meter spinning as it recorded the kilowatt-hours you used? Every month the meter reader would show up in your yard, record your usage, and report back to the electric company.

Most electric companies then made a business transformation and installed smart meters, eliminating the cost of the meter reader and integrating most homes into a smart grid that gives customers access to their usage data in real time. Now, as renewable energy evolves and integrates more fully into our lives, the same electric companies that switched to smart meters will make additional investments to analyze that data and make better-informed decisions that benefit both the company and its customers.

That is digital transformation. Obviously, banks, healthcare, entertainment, trucking, and e-commerce all have different needs from auto manufacturers and electric companies. It is up to us, the marketers and account managers promoting digital transformation, to identify those needs and help our clients make the transformation as seamlessly as possible.

Digital transformation is more than a fancy buzzword; it is our present and our future. It means re-envisioning existing business models and embracing a different way of bringing together people, data, and processes to create more value for customers through systems of intelligence.


About Kadamb Goswami

Kadamb is a Senior Program Manager at SAP, where he is responsible for developing and executing strategic sales programs for the Concur SaaS portfolio. Prior to that he led several initiatives within Microsoft's Cloud & Enterprise business to enable Solution Sales and IaaS offerings.