SAP PDP

Secure your sensitive personal data with PDP (Personal Data Protector) offered exclusively by SAP in order to ensure your compliance with GDPR / KVKK and to manage related processes throughout your organization.

With its experience in 20+ successful projects, MBIS is always at your service for SAP PDP implementations.

Manage the personal data in SAP or non-SAP systems or physical environments, take the necessary technical and administrative measures and run all related processes in a holistic way within weeks with MBIS and secure your organization.


What is SAP PDP?

SAP PDP (Personal Data Protector) is a specially designed and developed SAP solution which greatly helps organizations to take measures required by GDPR through managing personal data protection and orchestrating related processes for SAP, non-SAP systems and physical environments, centrally and with a holistic approach.

    • SAP systems

      Personal Data
      ECC | S/4HANA
      HR, CRM, SRM
      GDPR / KVKK Processes
    • Non-SAP systems

      Personal data
      Business applications, Call Centers, Analytical Systems, Document Management Systems, etc.
      GDPR / KVKK Processes
    • Physical environments

      Personal data
      HR rooms, Archives, Infirmaries, etc.
      GDPR / KVKK Processes

What kind of a system do organizations need to ensure GDPR / KVKK compliance?

Data management

  • Personal Data discovery in SAP databases
  • Defining Personal Data Processing Purposes and their relations to data
  • Determining systems, locations and environments of Processors
  • Defining roles and responsibilities for systems and locations
  • Categorization of personal data
  • Recording ‘tags’ of personal data being processed in non-SAP systems and physical locations
  • Creating and managing Personal Data Processing Inventory

Process management

  • Disclosure Obligation management
  • Collection and management of Explicit Consent
  • Managing the Personal Data breach process
  • Management of the interaction processes of the organization with individuals and official institutions whose data are processed
  • Monitoring and reporting of the outputs and situations of each process

Data access management

  • Configuration of data masking functions
  • Automatic data masking when Explicit Consents are missing in SAP
  • Creating automatic anonymization tasks for non-SAP systems when Explicit Consents are missing
  • Managing Personal Data Access Rights
  • Logging and reporting User Access to Personal Data
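The three "Data access management" items above (purpose-based authorization, masking when explicit consent is missing, and logging every access) fit together as one access path. The following Python is an added illustration written for this page, not SAP PDP code: the purpose-to-field map, the consent records, the masking rule and the sample record are all constructed assumptions.

```python
"""Consent-gated masking with access logging (constructed example, not SAP PDP code)."""
from datetime import datetime, timezone

# Assumed: which personal data fields each processing purpose is allowed to use.
PURPOSE_FIELDS = {
    "PAYROLL": {"name", "iban"},
    "MARKETING": {"name", "email"},
}

# Assumed: explicit consents on record, keyed by (data subject, processing purpose).
CONSENTS = {
    ("S-1001", "PAYROLL"),
    ("S-1001", "MARKETING"),
    ("S-1002", "PAYROLL"),
}

ACCESS_LOG: list[dict] = []


def mask(value: str) -> str:
    """Assumed masking rule: keep the first and last character, star out the rest."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def read_personal_data(user: str, purpose: str, subject_id: str, record: dict) -> dict:
    """Return `record` as `user` may see it for `purpose`.

    Fields outside the purpose are withheld (purpose-based authorization);
    fields inside it are shown in clear only when explicit consent exists,
    otherwise masked. Every read is logged, masked or not.
    """
    allowed = PURPOSE_FIELDS.get(purpose, set())
    has_consent = (subject_id, purpose) in CONSENTS
    view = {}
    for name, value in record.items():
        if name not in allowed:
            continue  # not needed for this purpose: withhold entirely
        view[name] = value if has_consent else mask(value)
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "purpose": purpose, "subject": subject_id,
        "fields": sorted(view), "masked": not has_consent,
    })
    return view


def accesses_for_subject(subject_id: str) -> list[dict]:
    """Per-person report: every logged access to one data subject's data."""
    return [entry for entry in ACCESS_LOG if entry["subject"] == subject_id]
```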

Anonymization and destruction

  • Processing anonymization requests under the individual’s ‘right to be forgotten’
  • Blocking and erasing data within the given periods by applying the related rules
  • Integration with non-SAP systems
  • Generating automatic data destruction tasks for physical environments
  • Automatic masking for marked Personal Data

Task management

  • Creating manual or automatic tasks related to GDPR for SAP, non-SAP systems and physical environments that keep personal data (e.g. Data masking, data disposal, tasks regarding information requests etc.)

Management and orchestration

  • Managing external systems with comprehensive and effective integration functions
  • Process traceability
  • Support in audits with reporting and monitoring functions

Basic functionality of SAP PDP

GDPR / KVKK is very detailed and precise in certain areas. With MBIS, use SAP PDP and take control and manage personal data risks in the rapidly developing digital world with a holistic perspective.

Obligation to inform

PDP allows organizations to create clarification texts either by modifying existing regulation compliant templates or by designing from-scratch. PDP performs versioning and sends clarification texts via e-Mail to data subjects. PDP provides status tracking, managing and reporting tools for clarification texts.

Explicit Consent collection and management

SAP PDP automatically collects explicit consents via e-mail for the related processing purposes, allows manual explicit consent record entries, and tracks and reports them. PDP also allows explicit consents collected through non-SAP systems to be consolidated using various methods, including Web Service integration.

Anonymization and masking

PDP ensures that anonymization and periodic destruction tasks are configured in the system, that the approval process is defined, and that the masking function is activated for the approved data. Completed tasks are closed automatically and are tracked and reported according to their status. Additionally, PDP creates anonymization or destruction tasks for non-SAP systems and physical environments.

Automated personal data discovery in SAP

SAP PDP searches and detects personal data fields in SAP databases at ‘data element’ level by using its ‘pre-defined data discovery catalogue’. PDP is also capable of finding personal data fields used in customized SAP transactions if standard data element types are used. Following SAP data discovery, raw personal data inventory is created by adding non-SAP fields and data kept in physical environments.

Personal data and access minimization

PDP helps organizations by providing reports for keeping data volumes as small as possible and for maintaining a more manageable set of data. It supports disabling or completely deleting duplicated personal data and using a single source of data to ease the mitigation of data-related risks. PDP also helps restrict user authorizations so that only the necessary users can see or edit personal data, with the minimum level of authorization required.

Task management

PDP enables creating and managing one-off or repetitive (periodic) tasks for SAP systems, non-SAP systems or physical environments. PDP distributes these tasks through Web Services, sends e-mail notifications and reminders to the accountable staff, tracks task statuses and provides detailed reports.

Personal data breach management

In the case of a personal data breach, PDP allows the violation to be recorded, the necessary investigations to be carried out in the affected systems, the fact-finding results to be collected, versioned reports to be created and sent to the official institutions, and the necessary information to be provided to the individuals affected by the breach.

Reporting and monitoring

PDP provides extensive reporting functions for monitoring the status of GDPR / KVKK processes, the integrity of the personal data inventory and the information that must be provided in response to information requests, and it produces the reports required by the regulations.

Management and orchestration

With its abilities of task management, reporting functions, process status tracking capabilities, and most importantly, the ready master data, process definitions and advanced integration layer it has, PDP enables enterprises to manage not only the processes related to personal data in SAP, but also non-SAP systems and environments from a single point.

Information request management

PDP allows information requests from data subjects (individuals) or government agencies to be recorded in the system; related tasks are automatically created, assigned and approved, reminders for incomplete information tasks are sent, and summary and detailed personal data reports are created and shared with the requestors.

Personal data processing inventory

PDP enables creating the Personal Data Processing Inventory by assigning raw personal data to the data groups and managing it as a versionable live document. It controls the consistency of data types and data processing purposes and the integrity of data category assignments. It automatically sends notifications in the case new personal data fields are added to SAP systems.

Personal data access logging

PDP logs access to the personal data defined in the SAP systems in detail and, if required, produces detailed reports based on the person whose personal data was accessed. Personal data access logs kept in non-SAP systems can also be consolidated and included in PDP reporting by various methods (FTP, Web Services or real-time access).

Some of the technical features of SAP PDP

SAP PDP offers many advantages that will enable an institution to fulfill its GDPR / KVKK obligations, both in functional and technical terms.

Flexibility and scalability

PDP offers a highly customizable technical architecture that can be adapted to the specific needs of each customer.

User authorization

SAP PDP enables ‘purpose and data type based’ user authorization.

'New field' warning

PDP warns you in the case new personal data fields are added to your SAP systems, allowing you to take necessary actions.

SAP field masking

PDP allows personal data to be displayed automatically masked by SAP UI Masking according to the specified rules.

Fiori screens

It is also possible to use PDP more efficiently with Fiori screens apart from standard SAP GUI screens.

Language options

PDP supports English and Turkish by default; any other language can be added easily.

Versioning

PDP versions clarification and explicit consent texts, the personal data processing inventory and other relevant sets of data and information.

Supported SAP systems

In addition to ECC and S/4HANA, PDP can be deployed on any SAP system that supports ABAP, such as HR, CRM and SRM.

BW support

PDP ensures that personal data is transferred from SAP to BW securely by deleting or masking it according to the rules defined.

Non-SAP system integrations

PDP comes with a very comprehensive and effective integration layer with a rich set of Web Services that enables connections with non-SAP systems.

SAP GRC integration

The special roles defined for personal data with SAP PDP are integrated with, and compatible with, the SAP GRC Access Control module.

DLP support

PDP can be used in compliance with Data Loss Prevention systems; e.g. personal data ‘tagging’ for exported MS Excel files.

What is the scope of PDP in terms of GDPR / KVKK measures?

In order to be fully compliant with GDPR / KVKK, a wide range of measures should be taken; a summary of these measures is given below. On the technical side, some of the measures are not needed specifically for GDPR: although some amendments may be required for GDPR, they have to be in place in any organization anyway, such as firewalls and anti-virus systems. For administrative measures, most of the activities, like adding Personal Data Protection clauses to internal or external contracts, require managerial decisions and can be carried out without any sophisticated system. SAP PDP takes its role for the rest, which are particularly required for GDPR / KVKK: for instance Explicit Consents, Personal Data Masking, Access Logging and Anonymization on the technical side, and the Obligation to Inform on the administrative side.

Technical Measures

  • Firewalls and network security
  • Current anti-virus/anti-spam systems
  • Disk encryption and key management
  • Penetration tests
  • Cyber attack defense systems
  • User account and authority management
  • Software application security
  • Data encryption
  • Data loss prevention systems (DLP)
  • Protection systems against system threats and violations
  • Explicit Consent collection and management
  • Recording access to personal data (Logging)
  • Displaying personal data by masking
  • Personal data deletion, anonymization and destruction

Administrative Measures

  • Institutional policies
  • In-house agreements (e.g. between data controllers and data processors)
  • Confidentiality agreements with 3rd parties
  • Employment contracts with employees
  • Awareness-raising activities
  • Educational activities
  • Disciplinary regulation and procedures
  • Corporate Communication (e.g. reputation management)
  • Risk analysis and risk minimization
  • Planned and random inspections
  • Corporate Communication (Information requests from individuals or institutions and data breach crisis management)
  • Creation of Personal Data Processing Inventory
  • Activities related to the Obligation of Disclosure
  • Registration to Verbis


The red lines in the list are the KVKK/GDPR requirements that can be fulfilled within the scope of PDP implementation.

How long does it take to activate the PDP?

The implementation period of each project may vary depending on the scope, special demands, the management of information systems abroad, the chosen integration methods, the total number of companies and similar parameters. The General Project Plan below gives a general idea of the project steps. (The 2-week support period after go-live is not included.)

Why SAP PDP?

It offers a real-time notification system that reports users accessing personal data.

Investing in a world-class solution that is continuously developing and adapting itself to future requirements as well as regulation changes

Reduced Total Cost of Ownership (TCO) by investing in a single system rather than dealing with many systems

Taking and managing GDPR-related measures from a central control platform instead of using fragmented solutions

Complete and true GDPR compliance with the use of PDP’s best-practice, ready-to-use data and process designs matured throughout previous implementations

Successful projects, strong references and solid success stories

Effective orchestration of non-SAP systems and physical locations with PDP’s holistic approach to GDPR requirements.

SAP’s global support and commitment to PDP

Customer Testimonials

How do we support your business growth?

Kadir Sakarya
Sepaş, Information Technologies Manager
"By adapting SAP's best practices on GDPR / KVKK, we have ensured the protection of personal data in our ecosystem through a highly successful project. We worked with the expert teams of MBIS in this project, where we managed to fulfill a very important part of the legal requirements of personal data protection with SAP PDP. We would like to thank MBIS for their devoted work."
Fehmi Murat DERİCİOĞLU
Çimsa, CIO
"We have completed the Personal Data Protection (KVK) part of our Digital Transformation journey, which we have executed based on our strategic partnership with SAP, using the PDP (Personal Data Protector) solution. By adopting SAP's know-how and best practices in Personal Data Protection Law (KVKK), we have successfully managed to greatly meet legal compliance requirements by ensuring the protection of personal data in our ecosystem and the central management of related processes."

Please contact us for further information