© 2017 SAP SE or an SAP affiliate company. All rights reserved.

GDPR
SAP WhitePaper

GDPR compliance: Where do I start?
Table of Contents

How Do I Know if the GDPR Applies to My Organization?
What Does My Organization Need to Do to Prepare?
SAP’s Commitment to the GDPR

In May 2016, the European Union (EU) adopted a newly harmonized data protection law called the General Data Protection Regulation (GDPR). The GDPR will replace the EU Data Protection Directive 95/46 and will apply in all European Economic Area (EEA) member states as of May 25, 2018. It is designed to give individuals better control over their personal data and establish uniform data protection rules across the EEA. Any organization that collects or processes personal data of an individual within the Union is subject to this regulation, regardless of the organization’s location. While the GDPR does not introduce many substantially new concepts, it greatly increases the compliance requirements of controllers and personal data processors.

How Do I Know if the GDPR Applies to My Organization?

Each company should review the regulation to determine whether it applies to them. According to Article 3 of the GDPR, some examples of when the GDPR applies to the processing of personal data include:
• In the context of the activities of an establishment of a controller or a processor in the EU
• Where the processing activities are related to offering goods or services to data subjects who are in the EU
• When it is related to the monitoring of the behavior of such data subjects in so far as their behavior takes place within the EU

The GDPR applies to an organization even if the controller (the party that determines how and why personal data is processed) or processor (the party actually processing the data) is not established in the EEA. Any organization that collects or processes personal data within the EEA or outside the EEA to the extent it is related to an individual who is in the Union is likely subject to this regulation, regardless of the organization’s location.

Any organization that collects or processes personal data of individuals who are in the Union is subject to this regulation, regardless of the organization’s location.

What Does My Organization Need to Do to Prepare?

Each customer needs to determine whether and how to comply with the GDPR regulations. Below are some high-level suggestions to get you started in your preparations.

GET UP TO SPEED ON THE LAW
Make sure you understand what the regulation means for your organization. Inform leadership and key decision makers so they understand the impact the new regulation is likely to have on the organization. The time and resources that will be needed to adapt to this regulation should not be underestimated.

DETERMINE IF YOU NEED TO APPOINT A DATA PROTECTION OFFICER (DPO)
Under the GDPR, it will become mandatory for certain controllers and processors to designate a data protection officer (DPO). This will be the case for all public authorities and bodies that process personal data. It will also be the case for organizations that, as a core activity, monitor individuals systematically and on a large scale or that process special categories of personal data on a large scale. The Article 29 Data Protection Working Party has provided additional guidance on the topic.

AUDIT USAGE OF PERSONAL DATA
Determine where and for what purpose your organization collects personal data from individuals. Do you share this information? If so, with whom? Do your current processes meet the requirements of the GDPR? If not, start planning how you will update them. Document what personal data you collect, along with the lawful basis for collecting and processing it.

REVIEW CONSENT PRACTICES AND DATA PRIVACY NOTICES
Are you currently asking individuals for consent to collect and process their personal data? Do you need to create or update this process in light of the GDPR? Do you need to update your data privacy notices?

“The controller and processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”
– General Data Protection Regulation, Article 38

SAP’s Commitment to the GDPR

SAP is committed to data protection. Data protection aspects have been an integral part of our product standards, which are being extended to include the new requirements of the GDPR. We intend to comply with the GDPR as a company as of May 2018, as well as to develop our products to support our customers in applying the GDPR requirements to the best possible extent. This includes the ongoing enhancement of already existing product features as well as the implementation of new requirements.

WHICH SAP SUCCESSFACTORS PRODUCT FEATURES ALREADY SUPPORT GDPR COMPLIANCE?
SAP SuccessFactors product features already support compliance with many GDPR requirements. These features include product documentation, product-specific role and rights logic, retention and deletion functionalities, consent management inherent in the systems, as well as product-specific capabilities that represent technical and organizational measures to protect personal data, including encryption.

WHAT IS THE FOCUS OF PRODUCT ENHANCEMENTS FOR GDPR?
SAP is focusing its GDPR readiness efforts on enhancing product capabilities to provide customers with additional functionality to enable GDPR compliance. The software features listed below are planned to be included in the SAP SuccessFactors solutions quarterly release cycles prior to May 25, 2018.

This document is not intended to provide legal guidance, but rather to highlight the features of SAP® SuccessFactors® solutions that can help our customers implement GDPR requirements. References to the GDPR articles above highlight the requirements and functionality based on SAP’s interpretation. We recommend all customers perform their own analysis of the GDPR requirements to ensure compliance based on their own interpretation of the regulation.

| GDPR Requirement | Planned Enhancements to SAP SuccessFactors Software |
|---|---|
| Right to be forgotten | Support for purging of personal data |
| Change logging | Ability to log changes to personal data |
| Read logging | Ability to log read access to sensitive personal data |
| Right of access by the data subject | Provision of a report or display function that can be used to inform data subjects about the personal data stored about them |
| Consent | Ability to obtain a data subject’s consent to the processing of their personal data |

MORE INFORMATION
SAP plans to provide updates to support GDPR compliance in the normal quarterly release cycles and provide corresponding documentation with those releases.

For information on GDPR and SAP, go to www.sap.com/gdpr

For further information on data privacy and protection at SAP, view www.sap.com/security.

You can reference the full text of the General Data Protection Regulation (Regulation (EU) 2016/679)


www.sap.com/contactsap

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

See http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
