Author: Priyasha Purkayastha, Sr. Content Writer | Co-author: Laura Parri Royo, Marketing Director
Within the SAP community, GDPR non-compliance has always been regarded as a severe threat. This is because of the high complexity of the SAP system architecture and the high volume of data processed within these systems. This article offers a detailed update on the General Data Protection Regulation, the levels of penalties you could expect if your company is deemed non-compliant, and how SAP system users can mitigate this risk. Read on!
GDPR penalties | Who has been fined recently?
In March 2024, the Information Commissioner’s Office clarified the methods it will use to calculate the fines issued for breaches of data privacy law in the UK. This clarification is significant because 2023 was rather an expensive year for some companies when considering the GDPR.
Of all the fines historically issued, Meta faced a record £1.2 billion penalty in 2023 for non-compliant exchanges of data between its EU and US operations. This was the largest fine ever awarded to a company for a GDPR breach. However, keep in mind that they were not alone in being penalised; 2023 was a busy year. During this period, TikTok and Spotify also faced multi-million-pound fines for GDPR non-compliance. Spotify was fined in Sweden for a lack of transparency in how the data it collected from its users was being used. TikTok was fined for processing the personal data of 1.4 million children under the age of 13 and for failing to protect these users and conduct adequate checks.
These stories all highlight that the risk of facing a hefty GDPR penalty has remained the same since the flurry of cases in the 2019-2021 period, when Amazon, British Airways, Google, Marriott International and H&M all faced heavy fines for non-compliance.
History lessons | Major brands that faced GDPR penalties
- In 2021, Amazon was fined €746 million by the Luxembourg National Commission for Data Protection (CNPD) for non-compliant processing of personal data.[1]
- In 2019, Google was fined €50 million by the French data protection authority (CNIL) for lack of transparency and valid consent regarding personalised ads.[2]
- In 2020, British Airways was fined £20 million by the UK Information Commissioner’s Office (ICO) for a data breach that affected over 400,000 customers. The breach involved personal data like login information, payment card details, and travel booking information.[3]
- In 2020, Marriott was fined £18.4 million by the ICO for an IT-related data breach that exposed the personal data of approximately 339 million guests globally.[4]
- In 2020, H&M was fined €35.3 million by the German data protection authority for illegal employee surveillance due to keeping extensive records of employees’ private lives.[5]
Most common GDPR risks for SAP system users
So, brands were fined for severe infringements of the GDPR requirements – what does that mean for SAP users? Can they be fined, too? As a matter of fact, yes! Any violation of the General Data Protection Regulation can lead to heavy penalties, regardless of whether you are based in the EU or cater to citizens in the EU. There are two different tiers of penalties that EU authorities levy upon organisations for non-compliance. One is for less severe infringements with fines up to 10%, and the other is for severe violations with fines up to 20%. We have covered GDPR and its penalties in the blog below.
When it comes to the most common GDPR risks for SAP system users, remember that SAP offers one of the most potent ERP systems and tends to be adopted by large organisations. Users typically operate their businesses across multiple locations, which means that vast amounts of personal data are spread across various modules, systems, and locations.
Adding to this, SAP is used by many different business functions – from financials to manufacturing and from HR to customer relationship management. This means various types of data about individuals, personnel, customers, and suppliers are stored in multiple databases. All this acquired data must be processed and stored in accordance with GDPR’s fundamental requirements: storing data only for as long as it is needed (the right to be forgotten rule), ensuring that the retained data is accurate, and ensuring that it is processed lawfully. However, organisations often take record keeping lightly, which leads to non-compliance issues. As a matter of fact, poor record-keeping is one of the most common GDPR breaches.
SAP promotes the concept of ‘keeping the core clean’ to ensure that users can enjoy maximum system performance. This creates additional GDPR risks for SAP system users because they will need to integrate with third-party applications and services to gain more specific system functionality. It means integrations with other vendors must also be compliant, both in terms of the ways the data is exchanged between systems and the individual GDPR compliance of the system provider. Alongside system complexity, security is another significant risk factor for SAP users. Companies using SAP systems must have strict user access controls in place to ensure that unauthorised users cannot gain access to data they are not entitled to view or process.
Rights of the individual
The most significant change GDPR legislation has brought about is the level of control any individual now has over the way personal data can be used. They can request access to any data held about them and request that it be amended or deleted. All SAP system users must have systems in place to ensure that if a request like this is made, it can be executed very quickly. One of TJC Group’s users engaged us in a project to do precisely this and ensure they would be ready to perform these requests if one were made in the future.
Linked to this is the ‘Right to be forgotten’—the obligation to respond quickly in the event of a data breach. This is very significant because the number one data loss risk that companies face is from cyberattacks, and increasingly, hackers are after personal data. If a data breach occurs, SAP users must be able to detect, respond to, and report the breach within 72 hours, as required by the GDPR regulations.
How do we minimise the risks of GDPR non-compliance?
There are lots of ways SAP users can help themselves and reduce their exposure to GDPR non-compliance. One of the most effective is to implement SAP Information Lifecycle Management (ILM). Here’s how ILM helps to avoid GDPR non-compliance:
Data retention management
ILM helps organisations define and enforce data retention policies. By specifying how long different types of data should be retained, ILM ensures that personal data is kept only as long as necessary, which is a crucial requirement under GDPR. It automates the deletion of data once the retention period has expired, reducing the risk of retaining data unlawfully.
Data archiving
ILM allows for efficient archiving of data that is no longer actively used but must be retained for compliance or business reasons. Archived data is stored securely and can be retrieved if needed, ensuring that organisations can balance the need for data accessibility with compliance requirements.
Data deletion and destruction
ILM provides functionality for the secure deletion and destruction of data. This ensures that personal data can be permanently removed from the system in a controlled and auditable manner, fulfilling GDPR’s right to be forgotten rule.
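As an added illustration (not SAP ILM code and not from TJC Group), the following Python model ties the three mechanisms above together: a retention rule per data category with archive and destruction thresholds, a legal hold that blocks destruction, an audit trail written on every state change, and a data-subject erasure request that is honoured only once no retention obligation remains. The category names, periods and record layout are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample retention rules per data category (illustrative, not SAP ILM settings).
# Both thresholds are counted in days after the end of the business purpose.
@dataclass(frozen=True)
class RetentionRule:
    archive_after: int   # leave the live system after this many days
    destroy_after: int   # assumed statutory minimum; deletion is permitted only after this

RULES = {
    "customer_master": RetentionRule(archive_after=365, destroy_after=365 * 3),
    "payroll": RetentionRule(archive_after=365 * 2, destroy_after=365 * 10),
}

@dataclass
class PersonalRecord:
    record_id: str
    category: str
    purpose_ended: date        # e.g. contract closed, last payslip issued
    legal_hold: bool = False   # litigation or audit hold blocks destruction
    state: str = "live"        # live -> archived -> destroyed

def decide(record: PersonalRecord, today: date) -> str:
    """Decide the lifecycle action for one record on a given day."""
    if record.state == "destroyed":
        return "none"
    if record.legal_hold:
        return "hold"
    rule = RULES[record.category]
    age_days = (today - record.purpose_ended).days
    if age_days >= rule.destroy_after:
        return "destroy"
    if age_days >= rule.archive_after and record.state == "live":
        return "archive"
    return "retain"

def apply_policy(records: list, today: date, audit: list) -> list:
    """Apply the decided action and append one audit entry per state change."""
    for r in records:
        action = decide(r, today)
        if action in ("archive", "destroy"):
            r.state = "archived" if action == "archive" else "destroyed"
            audit.append((today.isoformat(), r.record_id, r.category, action))
    return audit

def erasure_request(record: PersonalRecord, today: date, audit: list) -> str:
    """Honour a right-to-be-forgotten request only when nothing still requires retention."""
    action = decide(record, today)
    if action == "none":
        return "already_erased"
    if action != "destroy":
        return "refused_retention_obligation"   # still within retention period or on hold
    record.state = "destroyed"
    audit.append((today.isoformat(), record.record_id, record.category, "erasure_request"))
    return "erased"
```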
Conclusion
Organisations using SAP systems need to be vigilant about GDPR compliance due to the potential for substantial penalties. They should ensure robust data protection measures are in place, that regular audits are completed, and precise documentation exists to minimise the risk of being found non-compliant.
That said, even when implementing SAP ILM, organisations must be extremely mindful as the implementation can be tricky. In cases like this, you need partners who can smooth out the process for you, and TJC Group is here to help. Our extensive expertise in ILM, data archiving, and data management can benefit you not only with GDPR compliance but also with reducing the TCO, security, and legal risks. Contact us now for more information!