A Whimsical Look At GDPR

Jan Gardiner

I’ll admit it—I was planning to write something terribly useful about the European Union General Data Protection Regulation (GDPR) that has everyone talking (and worrying). Then I realized that while I was away at GRC 2017 in Amsterdam, several blogs had been added to our GRC Tuesdays site. So if you are looking for a more learned and useful discussion of GDPR, please check out the list at the bottom of this blog. For that matter, just type “GDPR” in Google, although there should be a health warning about the volume of material overloading your brain.

However, since I have been working with GDPR topics lately and I really wanted to write a blog about it, I’ll share a couple of my observations, questions, and musings.

Fundamental rights

On the very first page of the regulation, it boldly states: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” It goes so far as to state: “The processing of personal data should be designed to serve mankind.” (Emphasis mine)

In the current U.S. political climate (depending upon age, political leanings, and socio-economic status), some will assert as fundamental rights everything from carrying AK-47s to getting free money. But let’s not open that can of worms. My point is that I don’t hear of demonstrations in the streets about the protection of personal data as a fundamental right.

Looking historically, the U.S. Declaration of Independence says, in part, “We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.”

There are, of course, discussions of privacy rights in various international declarations, treaties, and conventions, but most references are focused on what governments can or can’t do. Technology advances and proliferation have now made this a topic for our businesses as well. The designers of the GDPR (and the preceding Directive 95/46/EC) assert that this is necessary to ensure free flow of personal information.

It is unknown how well the regulation will be implemented, but just relative to the fundamental rights and desire to serve mankind, I can only offer a heartfelt “WOW!”

Do you read privacy notices?

Changing gears, it’s likely that most companies subject to GDPR will need to update their privacy notices and update the consent function for the data subjects (you and me) to allow the collection and use of our personal data. But I have a silly question: Do YOU ever read the privacy notices that exist now? Do you still click the button that says you’ve read them? How often do you NOT click the accept button?

To me, it’s a little like reading every word on each loan document before getting your home mortgage. I know I need to sign them all or I won’t get the mortgage, so I take a quick look at the terms and then proceed to sign. And I’ll confess that I “power-click” on web pages for the same reason. If I want to buy something online and I cannot do so without accepting the privacy notices, the likelihood of my clicking OK approaches 100%.

So, I’m not saying privacy notices aren’t good to have, but ONLY if the company itself is bound by them and has internal governance, policies, procedures, systems, and actions in place to ensure that they represent what is actually happening within the company.

Revenge for Sarbanes-Oxley?

In some small way, could GDPR be revenge in the EU for the Sarbanes-Oxley Act of 2002 (SOX)? An interesting part of GDPR is that it applies to many companies that do not reside or even have offices in the EU. Yes, to the extent that your company gathers personal data from EU residents, you are also subject to the GDPR. If you intend to sell to data subjects in the EU (online or otherwise), you will also need to comply.

So is it revenge, in some small way (asked in jest)? Remember that SOX applies to companies outside the U.S. that are required to file reports with the SEC (mostly those registered on U.S. stock exchanges). Many non-U.S. companies, in fact, have de-listed their stock to avoid having to comply with SOX.

It’s like my loan document analogy in that I cannot imagine most non-EU companies doing significant business in the EU will walk away from the business just because of the law—but many EU companies DID de-list their stock from U.S. exchanges to avoid having compliance burdens and related costs. So how will non-EU companies respond to GDPR? Only time will tell.

New vocabulary

While I’m at it, let me touch on vocabulary and acronyms. As I read various GDPR-related documents, I noted that many of them felt the need to have a glossary of terms. So not only is the regulation itself LONG, but if you don’t first look at a glossary, it may be hard to fully understand it. Some terms are not hard to understand, like “data subjects” (people whose data we need to protect) and “personal data.”

But how easy is it to understand the difference between pseudonymization, anonymization, and minimization? Just try to say pseudonymization three times very fast—I have trouble saying it even once! And do we in the U.S. need to adopt British English spelling for pseudonymisation, especially post-Brexit? (By the way, for now the UK government has confirmed that the decision to leave the EU will not affect commencement of GDPR.)

I hope you enjoyed this tongue-in-cheek look at the General Data Protection Regulation. This is clearly a sweeping regulation that will have companies jumping through a lot of hoops to get ready by May 25, 2018. I will find it interesting to learn how ready companies are on Day 1.

Now I ask you, what do you find interesting or amusing about GDPR compliance?

Learn more

For more on this topic, please read these posts:

The Ayurvedic Approach to GDPR by Neil Patrick

Data Governance: More Than Data Management, It’s About Governance by Neil Patrick

Big Data Privacy Risks And The Role Of GDPR, Parts 1 and 2, by Evelyne Salie

This article, GRC Tuesdays: A Whimsical Look at GDPR, originally appeared on the SAP BusinessObjects Analytics blog and has been republished with permission.

Follow SAP Finance online: @SAPFinance (Twitter) | LinkedIn | Facebook | YouTube


Modernize Your Business, And Consequently Cover GDPR: Part 2

Neil Patrick

In my last blog, I discussed European Union (EU) General Data Protection Regulation (GDPR) readiness—more specifically, how examining your company’s corporate culture is the first place to start. But there are details I’d like to cover today to help you feel confident in your ability to meet the major parts of GDPR. Let’s take a closer look at master data management, access governance, cybersecurity, and the Internet of Things.

Other similar legislation

While we’re looking at the GDPR, it makes sense to consider other related regulations and legislation that companies are also going to have to deal with in similar timeframes. I am thinking of the following (although there are others):

  • NIS: Directive on security of network and information systems, which is more industry-specific, but also has data breach reporting requirements
  • ePrivacy: PECR reform, the “cookie directive” that may become a regulation and also has consent registration and privacy requirements
  • WP29: Article 29 Data Protection Working Party looking at privacy and transfer of data outside EU or preapproved countries, which is one of the compliance aspects of GDPR

Investment in organizational and technological change for GDPR will have complementary relevance to the above. Compensating controls will exist; investments can be consolidated.

Other frameworks

A lot of companies will have adopted compliance standards and frameworks like ISO 27001, ISO 31000, COBIT, and the three lines of defense. I am aware of the debates surrounding each of these (for example, whether or not there should be four lines of defense). But on the whole, they are systems that document approaches for sound business management and reporting. The point here is that adopting these standards and frameworks will again provide compensating controls that will assist with areas of GDPR compliance.

Master data management

A significant challenge with any business these days is the so-called “single view of the customer.” For example, there is:

  • A fundamental operational driver behind this (do I really know who my customers are and where precisely and completely I can get that data?)
  • An operating cost driver behind this (multiple instances of what is actually the same customer is a waste of IT resources and costs)
  • A regulatory driver behind this (like keeping personal data accurate and being able to confidently address data subject access requests)

Digitalization and digital transformation (or whatever you label it) is something of a fashionable phrase. But it’s clear that any company that does not reduce its IT and data management operating costs will never be as competitive and agile as one that does.

Master data management is either a precursor to, or a fundamental part of a digital transformation and data volume minimization. It also puts you in a more resilient position to safely accomplish the right to erasure for GDPR needs.

Access governance

The modern definition of an employee, supplier, and customer is considerably more amorphous than it ever was in the past. And it will become more so in the future. We have full-time and part-time contractors, the “gig economy,” business process outsourcing, suppliers that are competitors, joint ventures, co-option arrangements, customers who are employees, and partners that work for competitors (to name a few examples).

We need to give people managed access to systems and data for them to do their jobs on our behalf—ideally just the right amount. Their function and responsibility will change over the time they work for us, which will require changing what systems and data they have access to. We need to remove their access when they stop working for us. If they come back to work for/with us, we probably want to have recorded and reuse what their skills and competencies were in the past.

Managing this efficiently is challenging. Managing it inefficiently, however, is a significant operational cost (like downtime when onboarding or changing roles), financial cost (fixing segregation of duties), and security risk to the business (leavers still having access to admin accounts).
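As an added illustration (not code from the post or from SAP), the joiner/mover/leaver review described above can be run as a reconciliation of the HR roster against an account export. The role model, the segregation-of-duties rule and the sample data are all hypothetical; the check flags exactly the three risks named: leavers who still hold access (especially admin), accounts whose entitlements exceed the owner’s role, and one person holding a conflicting pair of duties across their accounts.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    role: str
    status: str                      # "active" or "left"
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    account: str
    person_id: str                   # HR record the account is assigned to
    entitlements: FrozenSet[str]


# Hypothetical role model: the entitlements each role is allowed to hold.
ROLE_MODEL: Dict[str, FrozenSet[str]] = {
    "ap_clerk": frozenset({"create_vendor", "enter_invoice"}),
    "ap_manager": frozenset({"approve_payment", "enter_invoice"}),
    "sysadmin": frozenset({"admin"}),
}

# Hypothetical segregation-of-duties rule: nobody may both create a vendor
# and approve payments to it, whichever accounts the entitlements sit on.
SOD_RULES: List[FrozenSet[str]] = [frozenset({"create_vendor", "approve_payment"})]

Finding = Tuple[str, str, str]       # (subject, finding code, detail)


def review_access(people: Iterable[Person], accounts: Iterable[Account],
                  role_model=ROLE_MODEL, sod_rules=SOD_RULES) -> List[Finding]:
    """Reconcile an account export against the HR roster and return findings."""
    by_id = {p.person_id: p for p in people}
    held = defaultdict(set)          # person_id -> union of entitlements held
    findings: List[Finding] = []
    for acct in accounts:
        owner = by_id.get(acct.person_id)
        if owner is None:
            # Nobody in HR owns this account: an orphan to disable and investigate.
            findings.append((acct.account, "ORPHAN", "no HR record for " + acct.person_id))
            continue
        if owner.status == "left":
            # Leaver still has a live account; admin rights make it the worst case.
            code = "LEAVER_ADMIN" if "admin" in acct.entitlements else "LEAVER_ACTIVE"
            findings.append((acct.account, code, f"owner left on {owner.end_date}"))
            continue
        # Mover drift: entitlements the owner's current role does not justify.
        excess = acct.entitlements - role_model.get(owner.role, frozenset())
        if excess:
            findings.append((acct.account, "EXCESS", f"not in role {owner.role}: {sorted(excess)}"))
        held[owner.person_id] |= acct.entitlements
    # Segregation of duties is checked per person, across all their accounts.
    for pid, ents in held.items():
        for rule in sod_rules:
            if rule <= ents:
                findings.append((pid, "SOD", "holds " + " + ".join(sorted(rule))))
    return findings


# Constructed sample roster and account export (not real data).
HR = [
    Person("p1", "ap_clerk", "active"),
    Person("p2", "ap_manager", "active"),
    Person("p3", "sysadmin", "left", date(2017, 8, 31)),
]
ACCOUNTS = [
    Account("jdoe", "p1", frozenset({"create_vendor", "enter_invoice"})),
    Account("asmith", "p2", frozenset({"approve_payment", "create_vendor"})),
    Account("root2", "p3", frozenset({"admin"})),
    Account("svc_old", "p9", frozenset({"admin"})),
]

if __name__ == "__main__":
    for subject, code, detail in review_access(HR, ACCOUNTS):
        print(f"{code:13} {subject:8} {detail}")
```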

Overlay this onto the master data governance and digital transformation roadmap, and the complexity is made more challenging.

However, addressing these is a major “thruster rocket” for your business to become leaner, more agile, and safer. It gives you a solid foundation for the operational and technical changes needed to address data breaches and processing security breaches for GDPR. It could also reduce your dependence on encryption and pseudonymization.

Cybersecurity and IoT

Multipliers abound in this aspect: proliferation of end-point devices, exponential increases in data volumes, increase in the value of personal data, plus industrial espionage, and sophistication of cyber criminals. Identity theft is one of the fastest growing crimes in the world, and ransomware attacks are also growing.

And because we are all connected, and actively striving to become more interconnected, this truly is a global phenomenon.

The concept of zero-trust is replacing older paradigms for system security. There is growing realization that application-level security (as opposed to infrastructure-level security) is under-represented, under-resourced, sometimes dismissed. However, your intellectual property and personal data are at the application level, and this is where the focus will shift.

We’re also moving increasingly towards use of robots and machine learning, releasing even more automated interconnectedness.

I don’t want to belabor this aspect in this blog (or it will take over this blog). It’s probably enough to say that it is typically in the top three of most companies’ top 10 risk lists, and national governments’, for that matter.

Impacts of a cybersecurity event are many-fold and include:

  • Financial loss (fines, loss of sale)
  • Operational (inability to run the business properly from ransomware, DDoS)
  • Reputational damage
  • Cascading combinations

The way the world is evolving means that this is not an optional aspect. Companies must address this if they want to operate in the modern world. I would say that the investment required is directly proportional to the size of your business (pick any global business) or the reliance on your business for society to function (like healthcare, utilities).

Addressing this aspect will give you a significant development in your operational and technical abilities to address data breach and processing security breaches for GDPR.

The upside for the modern business

The points I’ve laid out in this blog hopefully provide substance to—and confidence in—your ability to deliver a modern business. And as a consequence, you’ll then be well on your way to meeting a major part of the GDPR.

And the upside for just such a modern business? To quote ICO commissioner Elizabeth Denham again, “I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy and dignity of individuals. Over time this can play a real role in consumer choice.”

To take it further (with help from Stephen Covey’s book The Speed of Trust):

  • If your customers trust you, your speed of operation and security of revenue generation will increase.
  • We judge ourselves on our intentions; we judge others on their actions.

Addressing the GDPR is not just about avoiding fines. See it as putting “good sense” changes in place to underwrite your growth as a modern business.

Learn more

  • To learn more about the new regulations, read our other GDPR blogs.
  • For more on all GRC topics, visit our GRC category page for a complete list.

Learn how organizations are gaining instant financial insights and using them to make better decisions—both now and in the future. Register now for the 2017 Financial Excellence Forum, Oct. 10-11 in New York City.




About Neil Patrick

Dr. Neil Patrick is a Director of SAP Centre of Excellence for GRC & Security covering EMEA. He has over 12 years’ experience in Governance, Risk Management and Compliance (GRC) & Security fields. During this time he has been a managing consultant, run professional services delivery teams in the UK and USA, conducted customer business requirements sessions around the world, and sales and business development initiatives. Neil has presented core GRC and Security thought leadership sessions in strategic customer-facing engagements, conferences and briefing sessions.

Business Payments In A Digital Economy: It’s About Timing

Chris Rauen

“When will I get paid?”

For me, the answer to that question is generally “in the middle and end of the month.” For many suppliers, though, the payment date remains a mystery. When they call their customers about payment status, the frenzy that often results may get them an answer. Or it might not.

In a digital economy, the opportunity for trading partner collaboration and self-service eliminates these calls about payments, leaving organizations more time for higher-value work. For the finance and treasury teams, one activity that can have a dramatic impact on business performance involves payment timing.

That’s because your ability to time payments can be as valuable to your business as increasing sales. Pay sooner to take advantage of early-payment discounts, and you can earn double-digit cash returns, risk free. Proactively manage payment terms, and you can extend your days payable outstanding (DPO) and free up working capital to support your business.

Cash in on discounts

For organizations with cash on hand, few opportunities compare to the cash return from early-payment discounts. That isn’t lost on the procure-to-pay lead at a global tire manufacturer. He touts the annualized earnings on discounts as so attractive that he would take them any time over DPO extension.

At BC Hydro, e-invoicing over a supplier network is helping to improve on-time payment performance and expand early-payment discounts. According to Hanif Dhrolia, BC Hydro e-commerce manager, many BC Hydro suppliers have embraced the company’s early-payment discount program to improve their cash flow and days sales outstanding (DSO).

That’s another lure of dynamic discount programs: they appeal to buyers and suppliers alike. What’s more, the flexibility of today’s dynamic discount programs goes far beyond traditional, static discount programs. Here are just a few advantages:

  • Offer prorated or dynamic discounts, up to the invoice due date
  • Control the amount of cash to apply to a program
  • Set the minimum rate of return you are willing to accept for these discounts
  • Capture discounts on electronic invoices and those you process manually
  • Target new groups of suppliers that haven’t accepted discounts before

What happens when you combine an early-payment discount program with a payment term-optimization initiative? Typically, a higher uptake of discounts, and the ability to free up working capital by extending DPO. For every $1 billion in payables you extend by 15 days, you can generate more than $40 million in free cash flow. For some organizations, the scope of a working capital management initiative can involve hundreds of millions of dollars in free cash flow.

Consider some of the options for putting this cash to work:

  • Pay down debt
  • Open a new store or manufacturing plant
  • Increase research and development
  • Fund a new product line
  • Support mergers and acquisitions

If none of this is under consideration at your organization, it certainly should be. When you take a closer look, you’ll realize that, when it comes to managing payments, cash, and working capital, it is about timing.

Join us on Oct. 5 for a complimentary live Webinar. You’ll hear Hanif Dhrolia, BC Hydro manager of eCommerce, discuss procure-to-pay transformation at BC Hydro and the importance of early-payment discounts to increase cash earnings while supporting supplier cash-flow needs.





About Chris Rauen

In his role at SAP Ariba, Chris Rauen educates procurement, finance, and shared services professionals on the business value of accounts payable automation, procure-to-pay transformation, and collaboration via business networks. Chris has addressed these topics at finance and shared services conferences, in articles for trade and business publications, and in blogs for online communities. Chris has more than 15 years of experience in e-payables, and holds a B.A. in Economics from the University of California, Santa Barbara.

Diving Deep Into Digital Experiences

Kai Goerlich

Key figures from the article’s infographic:

  • Google Cardboard VR goggles cost US$8
  • By 2019, immersive solutions will be adopted in 20% of enterprise businesses
  • By 2025, the market for immersive hardware and software technology could be $182 billion
  • In 2017, Lowe’s launched Holoroom How To VR DIY clinics

From Dipping a Toe to Fully Immersed

The first wave of virtual reality (VR) and augmented reality (AR) is here, using smartphones, glasses, and goggles to place us in the middle of 360-degree digital environments or overlay digital artifacts on the physical world. Prototypes, pilot projects, and first movers have already emerged:

  • Guiding warehouse pickers, cargo loaders, and truck drivers with AR
  • Overlaying constantly updated blueprints, measurements, and other construction data on building sites in real time with AR
  • Building 3D machine prototypes in VR for virtual testing and maintenance planning
  • Exhibiting new appliances and fixtures in a VR mockup of the customer’s home
  • Teaching medicine with AR tools that overlay diagnostics and instructions on patients’ bodies

A Vast Sea of Possibilities

Immersive technologies leapt forward in spring 2017 with the introduction of three new products:

  • Nvidia’s Project Holodeck, which generates shared photorealistic VR environments
  • A cloud-based platform for industrial AR from Lenovo New Vision AR and Wikitude
  • A workspace and headset from Meta that lets users use their hands to interact with AR artifacts

The Truly Digital Workplace

New immersive experiences won’t simply be new tools for existing tasks. They promise to create entirely new ways of working.

VR avatars that look and sound like their owners will soon be able to meet in realistic virtual meeting spaces without requiring users to leave their desks or even their homes. With enough computing power and a smart-enough AI, we could soon let VR avatars act as our proxies while we’re doing other things—and (theoretically) do it well enough that no one can tell the difference.

We’ll need a way to signal when an avatar is being human driven in real time, when it’s on autopilot, and when it’s owned by a bot.

What Is Immersion?

A completely immersive experience that’s indistinguishable from real life is impossible given the current constraints on power, throughput, and battery life.

To make current digital experiences more convincing, we’ll need interactive sensors in objects and materials, more powerful infrastructure to create realistic images, and smarter interfaces to interpret and interact with data.

When everything around us is intelligent and interactive, every environment could have an AR overlay or VR presence, with use cases ranging from gaming to firefighting.

We could see a backlash touting the superiority of the unmediated physical world—but multisensory immersive experiences that we can navigate in 360-degree space will change what we consider “real.”

Download the executive brief Diving Deep Into Digital Experiences.

Read the full article Swimming in the Immersive Digital Experience.



About Kai Goerlich

Kai Goerlich is the Chief Futurist at SAP Innovation Center network. His specialties include Competitive Intelligence, Market Intelligence, Corporate Foresight, Trends, Futuring and ideation. Share your thoughts with Kai on Twitter @KaiGoe.


Jenny Dearborn: Soft Skills Will Be Essential for Future Careers

Jenny Dearborn

The Japanese culture has always shown a special reverence for its elderly. That’s why, in 1963, the government began a tradition of giving a silver dish, called a sakazuki, to each citizen who reached the age of 100 by Keiro no Hi (Respect for the Elders Day), which is celebrated on the third Monday of each September.

That first year, there were 153 recipients, according to The Japan Times. By 2016, the number had swelled to more than 65,000, and the dishes cost the already cash-strapped government more than US$2 million, Business Insider reports. Despite the country’s continued devotion to its seniors, the article continues, the government felt obliged to downgrade the finish of the dishes to silver plating to save money.

What tends to get lost in discussions about automation taking over jobs and Millennials taking over the workplace is the impact of increased longevity. In the future, people will need to be in the workforce much longer than they are today. Half of the people born in Japan today, for example, are predicted to live to 107, making their ancestors seem fragile, according to Lynda Gratton and Andrew Scott, professors at the London Business School and authors of The 100-Year Life: Living and Working in an Age of Longevity.

The End of the Three-Stage Career

Assuming that advances in healthcare continue, future generations in wealthier societies could be looking at careers lasting 65 or more years, rather than at the roughly 40 years for today’s 70-year-olds, write Gratton and Scott. The three-stage model of employment that dominates the global economy today—education, work, and retirement—will be blown out of the water.

It will be replaced by a new model in which people continually learn new skills and shed old ones. Consider that today’s most in-demand occupations and specialties did not exist 10 years ago, according to The Future of Jobs, a report from the World Economic Forum.

And the pace of change is only going to accelerate. Sixty-five percent of children entering primary school today will ultimately end up working in jobs that don’t yet exist, the report notes.

Our current educational systems are not equipped to cope with this degree of change. For example, roughly half of the subject knowledge acquired during the first year of a four-year technical degree, such as computer science, is outdated by the time students graduate, the report continues.

Skills That Transcend the Job Market

Instead of treating post-secondary education as a jumping-off point for a specific career path, we may see a switch to a shorter school career that focuses more on skills that transcend a constantly shifting job market. Today, some of these skills, such as complex problem solving and critical thinking, are taught mostly in the context of broader disciplines, such as math or the humanities.

Other competencies that will become critically important in the future are currently treated as if they come naturally or over time with maturity or experience. We receive little, if any, formal training, for example, in creativity and innovation, empathy, emotional intelligence, cross-cultural awareness, persuasion, active listening, and acceptance of change. (No wonder the self-help marketplace continues to thrive!)


These skills, which today are heaped together under the dismissive “soft” rubric, are going to harden up to become indispensable. They will become more important, thanks to artificial intelligence and machine learning, which will usher in an era of infinite information, rendering the concept of an expert in most of today’s job disciplines a quaint relic. As our ability to know more than those around us decreases, our need to be able to collaborate well (with both humans and machines) will help define our success in the future.

Individuals and organizations alike will have to learn how to become more flexible and ready to give up set-in-stone ideas about how businesses and careers are supposed to operate. Given the rapid advances in knowledge and attendant skills that the future will bring, we must be willing to say, repeatedly, that whatever we’ve learned to that point doesn’t apply anymore.

Careers will become more like life itself: a series of unpredictable, fluid experiences rather than a tightly scripted narrative. We need to think about the way forward and be more willing to accept change at the individual and organizational levels.

Rethink Employee Training

One way that organizations can help employees manage this shift is by rethinking training. Today, overworked and overwhelmed employees devote just 1% of their workweek to learning, according to a study by consultancy Bersin by Deloitte. Meanwhile, top business leaders such as Bill Gates and Nike founder Phil Knight spend about five hours a week reading, thinking, and experimenting, according to an article in Inc. magazine.

If organizations are to avoid high turnover costs in a world where the need for new skills is shifting constantly, they must give employees more time for learning and make training courses more relevant to the future needs of organizations and individuals, not just to their current needs.

The amount of learning required will vary by role. That’s why at SAP we’re creating learning personas for specific roles in the company and determining how many hours will be required for each. We’re also dividing up training hours into distinct topics:

  • Law: 10%. This is training required by law, such as training to prevent sexual harassment in the workplace.

  • Company: 20%. Company training includes internal policies and systems.

  • Business: 30%. Employees learn skills required for their current roles in their business units.

  • Future: 40%. This is internal, external, and employee-driven training to close critical skill gaps for jobs of the future.

In the future, we will always need to learn, grow, read, seek out knowledge and truth, and better ourselves with new skills. With the support of employers and educators, we will transform our hardwired fear of change into excitement for change.

We must be able to say to ourselves, “I’m excited to learn something new that I never thought I could do or that never seemed possible before.”