There has never been a more vital time to ensure your SAP SuccessFactors HCM instance is up-to-date.
GDPR is the most high-profile compliance regulation to hit organisations processing European data ever. It’s widely thought that the supervisory authorities are using GDPR to set a precedent for compliance. Fines have been set at four percent of annual global revenue or €20 million, whichever is greater.
Cost aside, in this time of heightened interest in how people’s data is handled and used, the reputational damage from a data breach will be too great for some businesses to survive.
GDPR is about putting people back in control of their personal data. The question you must ask yourself is: “Is your SAP SuccessFactors GDPR compliant?”
Within its SuccessFactors HCM platform, SAP has factored in changes to protect the confidentiality, integrity, and availability of your people data, not just for GDPR, but to ensure global compliance.
Enhancements cover consent management, data blocking, data retention and purge, read and edit logging, and reporting. These have been delivered via the quarterly SAP SuccessFactors releases in November 2017 and most recently, February.
Your GDPR compliance assurance is only as strong as your SAP SuccessFactors maintenance. Any gaps in it, and there is a very high chance that your compliance will fall through them.
Below you can find the high-level technical requirements necessary to ensure your SAP SuccessFactors investment is compliant with the GDPR.
If you have any doubts about the credibility of your maintenance update, we recommend a thorough audit of your HCM, or call NGA HR for an SAP SuccessFactors Compliance Health Check.
Your GDPR compliance check list
In all instances, you need to agree which data elements your organisation considers to be ‘personal’ or ‘sensitive’. Within SAP SuccessFactors, you then have the option to configure data elements as personal and/or sensitive.
Classifying Personal Data in Modules
- Employee Central – all data elements have been designated as personal by default. Field-level configuration is masked on the user interface
- MDF (Meta Data Framework) configuration can be set at the object-level to classify an object as personal data
- Talent – all talent data is classified as personal, so no additional configuration is required
- Sensitive personal data, such as performance management, calibration and succession planning data, has been hidden from the user interface
- Learning – all learning data has been classified as personal, so no additional configuration is required
- Recruiting – there are options to anonymize and purge personal data with the option to identify fields for anonymization or as sensitive personal data
Reporting
- SAP SuccessFactors has enhanced data subject information reporting
Data Deletion and retention management
- Existing data purge and retention management tools have been enhanced
- Pre-requisites / assumptions, including configuration steps for the Data Purge Tool, are as follows:
  1) Provide the necessary RBP permissions
  2) Enable Data Retention Management 2.0
  3) MDF Framework
  4) Sync user data from HRIS – Country, User Status and Termination Date
  5) Country picklist updates
  6) Company and system settings
  7) Set up country-specific retention periods
- Use cases are as follows:
  1) Run a full purge of inactive users along with all their data, based on a single common retention time
  2) Run a partial purge of specific types of user data, based on different retention times
  3) Run a purge of audit data for all users, both active and inactive, based on different retention times
- MDF (Meta Data Framework) and RBP (Role Based Permissions) must now be set
- Error alerts will occur if Compound Employee API errors go beyond "highest purge date"
- Automated notifications for downstream systems and data deletion will not be reported via change logs or events
- Data in SAP SuccessFactors Workforce Analytics is purged from the source data as part of the monthly update process
- Historical Reporting will align with the number of years reported on in Workforce Analytics, with retention periods configured in the source product
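As an added illustration (not SAP's Data Purge Tool or its configuration format), the three purge use cases above expressed as selection logic over constructed user and record data: a country-specific retention clock for the full purge, a per-data-type clock for the partial purge, and a separate clock for audit data that ignores user status. All names and retention values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention configuration in days (illustrative, not SAP's values).
COUNTRY_RETENTION_DAYS = {"DE": 3 * 365, "GB": 6 * 365}          # full purge, per country
DATA_TYPE_RETENTION_DAYS = {"recruiting": 365, "payroll": 10 * 365}  # partial purge, per type
AUDIT_RETENTION_DAYS = 2 * 365                                     # audit data, all users

@dataclass
class User:
    user_id: str
    country: str
    status: str                       # "active" / "inactive", synced from HRIS
    termination_date: Optional[date]  # None while the user is active

@dataclass
class Record:
    user_id: str
    data_type: str                    # e.g. "recruiting", "payroll", "audit"
    created: date

def _expired(start: date, days: int, today: date) -> bool:
    return start + timedelta(days=days) <= today

def full_purge(users, today):
    """Use case 1: inactive users whose termination date plus the country-specific
    retention period has passed. Users in a country with no configured retention
    period are reported separately and never purged (prerequisite step 7)."""
    purge, unconfigured = [], []
    for u in users:
        if u.status != "inactive" or u.termination_date is None:
            continue  # active users are never eligible, however old their data
        days = COUNTRY_RETENTION_DAYS.get(u.country)
        if days is None:
            unconfigured.append(u.user_id)
        elif _expired(u.termination_date, days, today):
            purge.append(u.user_id)
    return purge, unconfigured

def partial_purge(users, records, today):
    """Use case 2: purge only the data types whose own retention clock, counted
    from termination, has run out; the rest of the inactive user's profile stays."""
    inactive = {u.user_id: u for u in users if u.status == "inactive" and u.termination_date}
    return [r for r in records if r.user_id in inactive and r.data_type in DATA_TYPE_RETENTION_DAYS
            and _expired(inactive[r.user_id].termination_date, DATA_TYPE_RETENTION_DAYS[r.data_type], today)]

def audit_purge(records, today):
    """Use case 3: audit data ages out by its creation date for active and inactive users alike."""
    return [r for r in records if r.data_type == "audit" and _expired(r.created, AUDIT_RETENTION_DAYS, today)]

TODAY = date(2018, 6, 1)  # constructed reference date
USERS = [User("u1", "DE", "inactive", date(2014, 1, 31)), User("u2", "GB", "inactive", date(2014, 1, 31)),
         User("u3", "FR", "inactive", date(2010, 1, 31)), User("u4", "DE", "active", None)]
RECORDS = [Record("u2", "recruiting", date(2013, 5, 1)), Record("u2", "payroll", date(2013, 5, 1)),
           Record("u4", "audit", date(2015, 1, 1)), Record("u1", "audit", date(2017, 1, 1))]
```

Running the three functions over the sample data purges only `u1` in full, flags `u3` as lacking a retention period, removes only `u2`'s recruiting records, and purges the old audit record of the still-active `u4`.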
Change logging
- Change logging will be captured by default
- You can opt in to track changes for MDF (Meta Data Framework) objects
- SAP SuccessFactors is in the process of developing a Change Log Report. Please note that Change Audit and Read Audit are not yet released by SAP.
Disclosure Control – Masking Today
- Masking can be switched on per field as a default option to prevent exposure of personal or sensitive data, by setting the MDF field-level property "private or sensitive information" to TRUE in your Extension Centre
- Note: Workflow and Reporting do not support masking
- Each access to sensitive personal data will be logged.
- In EC this is enabled by setting the field-level property "log read access" to true
- With MDF this is enabled by setting the field-level property "log read access" to true
- In Talent, sensitive personal data originating from an Employee Profile will be hidden from the user interface, APIs and reporting tools
- Blocking can be used to restrict access to historical personal data still within the retention period and therefore in the system.
- SAP SuccessFactors plans to extend RBP with an access period to allow for a more fine-grained authorisation concept
Recommendations to minimize exposure of sensitive personal data
We recommend that best practice and a culture of compliance be introduced organisation-wide to limit the exposure of sensitive personal data and mitigate data compliance risk.
This is particularly important in reporting, where large amounts of personal data are accessed:
- Evaluate each report to determine what sensitive personal data truly needs to be included
- If sensitive personal data is needed, restrict access to the report
- If sensitive personal data is needed within Workforce Analytics, set read access as sensitive in admin