SAP® PDP

Secure your sensitive personal data with PDP (Personal Data Protector) offered exclusively by SAP® in order to ensure your compliance with GDPR / KVKK and to manage related processes throughout your organization.

With its experience in 20+ successful projects, Nagarro + MBIS is always at your service for SAP® PDP implementations.

Manage the personal data in SAP® or non-SAP® systems or physical environments, take the necessary technical and administrative measures and run all related processes in a holistic way within weeks with Nagarro + MBIS and secure your organization.

More information

What is SAP® PDP?

SAP® PDP (Personal Data Protector) is a specially designed and developed SAP® solution which greatly helps organizations to take measures required by GDPR through managing personal data protection and orchestrating related processes for SAP® , non-SAP® systems and physical environments, centrally and with a holistic approach.

- SAP® systems
  
  Personal Data
  
  ECC | S/4HANA
  HR, CRM, SRM
  
  GDPR / KVKK Processes
- Non-SAP® systems
  
  Personal data
  
  Business applications, Call Centers, Analytical Systems, Document Management Systems, etc.
  
  GDPR / KVKK Processes
- Physical environments
  
  Personal data
  
  HR rooms, Archives, Infirmaries, etc.
  
  GDPR / KVKK Processes

What kind of a system do organizations
need to ensure GDPR / KVKK compliance?

Data management

Personal Data discovery in SAP® databases
Defining Personal Data Processing Purposes and their relations to data
Determining systems, locations and environments of Processors
Defining roles and responsibilities for systems and locations
Categorization of personal data
Recording ‘tag’s of personal data being processed in non-SAP® systems and physical locations
Creating and managing Personal Data Processing Inventory

Process management

Disclosure Obligation management
Collection and management of Explicit Consent
Managing the Personal Data breach process
Management of the interaction processes of the organization with individuals and official institutions whose data are processed
Monitoring and reporting of the outputs and situations of each process

Data access management

Configuration of data masking functions
Automatic data masking when Explicit Consents are missing in SAP®
Creating automatic anonymization tasks for non-SAP® systems when Explicit Consents are missing.
Managing Personal Data Access Rights
Logging and reporting User Access to Personal Data

Anonymization and destruction

Processing anonymization reuqests per individual’s’ ‘Forget me’ right
Data blockage and erasure within given periods by applying related rules
Integration with non-SAP® systems
Generating automatic data destruction tasks for physical environments
Automatic masking for marked Personal Data

Task management

Creating manual or automatic tasks related to GDPR for SAP® , non-SAP® systems and physical environments that keep personal data (e.g. Data masking, data disposal, tasks regarding information requests etc.)

Management and orchestration

Managing external systems with comprehensive and effective integration functions
Process traceability
Support in audits with reporting and monitoring functions

Basic functionality of SAP® PDP

GDPR / KVKK is very detailed and precise in certain areas. With Nagarro + MBIS, use SAP® PDP and take control and manage personal data risks in the rapidly developing digital world with a holistic perspective.

Obligation to inform

PDP allows organizations to create clarification texts either by modifying existing regulation compliant templates or by designing from-scratch. PDP performs versioning and sends clarification texts via e-Mail to data subjects. PDP provides status tracking, managing and reporting tools for clarification texts.

Explicit Consent collection and management

SAP® PDP automatically collects explicit consents via e-mail for the related processing purposes, allows manual explicit consent record entries, and tracks and reports them. PDP also allows explicit consents collected through non-SAP® systems to be consolidated using various methods, including Web Service integration.

Anonymization and masking

PDP ensures that the anonymization and periodic destruction tasks are configured in the system, the approval process is defined, the masking function is activated for the approved data. The completed tasks are automatically closed, being tracked and reported according to their status. Additionally, PDP creates data anonymization or destruction or tasks for non-SAP® systems and physical environments.

Automated personal data discovery in SAP®

SAP® PDP searches and detects personal data fields in SAP® databases at ‘data element’ level by using its ‘pre-defined data discovery catalogue’. PDP is also capable of finding personal data fields used in customized SAP® transactions if standard data element types are used. Following SAP® data discovery, raw personal data inventory is created by adding non-SAP® fields and data kept in physical environments.

Personal data and access minimization

PDP helps organizations by providing reports for keeping the data volumes as small as possible and for having more managable set of data. It supports disabling or completely deleting duplicated personal data and using a single source of data to ease mitigation of data related risks. PDP also helps restricting user athorizations to make sure only necessary users will see or edit personal data with optimum level of authorization.

Task management

PDP enables creating and managing one-off or repetitive (periodic) tasks for SAP® , non-SAP® systems or physical environments. PDP distributes these tasks through Web Services and sends e-mail notifications and reminders to accountable staff, tracks task status’ and provides detailed reports.

Personal data breach management

In the case of personal data breach, PDP allows the violation to be recorded, the necessary research studies to be carried out in the affected systems, to collect fact-finding results, to create and send the reports to official institutions by versioning and to provide the necessary information to the individuals affected by the breach.

Reporting and monitoring

PDP provides extensive reporting functions regarding the monitoring of the status of GDPR / KVKK processes, the integrity of the personal data inventory, the information that needs to be provided in line with the information requests, and enables the obligatory reports requested by the regulations.

Management and orchestration

With its abilities of task management, reporting functions, process status tracking capabilities, and most importantly, the ready master data, process definitions and advanced integration layer it has, PDP enables enterprises to manage not only the processes related to personal data in SAP® , but also non-SAP® systems and environments from a single point.

Information request management

PDP allows that information requests from data subjects (individuals) or governement agencies are recorded in the system, related tasks are automatcally created, assigned and approved, reminders for incomplete information tasks are sent, summary and detail personal data information reports are created and shared with requestors.

Personal data processing inventory

PDP enables creating the Personal Data Processing Inventory by assigning raw personal data to the data groups and managing it as a versionable live document. It controls the consistency of data types and data processing purposes and the integrity of data category assignments. It automatically sends notifications in the case new personal data fields are added to SAP® systems.

Personal data access logging

PDP logs the access to the personal data defined in the SAP® systems in detail and makes detailed reports based on the person whose personal data is accessed if required. Personal Data access logs kept in non-SAP® systems can also be consolidated and included in reporting in PDP by various methods (FTP, Web Services or real-time access)

Some of the technical features of SAP® PDP

SAP® PDP offers many advantages that will enable an institution to fulfill its GDPR / KVKK obligations, both in functional and technical terms.

Flexibility and scalability

PDP offers highly customizable technical architecture that can be used according to the special needs of our customers.

User authorization

SAP® PDP enables ‘purpose and data type based’ user authorization.

'New field' warning

PDP warns you in the case new personal data fields are added to your SAP® systems, allowing you to take necessary actions.

SAP® field masking

PDP allows you to display personal data automatically masked with the SAP® UI Masking according to the specified rules.

Fiori screens

It is also possible to use PDP more efficiently with Fiori screens apart from standard SAP® GUI screens.

Language options

PDP supports English and Turkish by default , any other languages can be added easily.

Versioning

PDP does versioning for clarification and explicit consent texts, personal data processing inventory and other necessary set of data/information.

Supported SAP® systems

In addition to ECC or S/4HANA, PDP can be deployed for all SAP® all systems that support ABAP, such as HR, CRM, SRM.

BW support

PDP ensures that the personal data is transferred from SAP® to BW securely by deleting or masking them depending on the rules defined.

Non-SAP® system integrations

PDP comes with a very comprehensive and effective integration layer with a rich set of Web Services that enables connections with non-SAP® systems.

SAP® GRC integration

Special roles defined for personal data with SAP® PDP work integrated and compatible with SAP® GRC Access Control module.

DLP support

PDP can be used in compliance with Data Loss Prevention systems; e.g. personal data ‘tagging’ for exported MS Excel files.

What is the scope of PDP in
terms of GDPR / KVKK measures?

In order to be fully compliant with GDPR / KVKK, wide range of measures should be taken and you can see a summary of these
measures below. On the technical side, some of the measures are not needed specifically for GDPR. Although there may be some
amendments to be made for GDPR, they have to be in place in any organizations anyway, such as firewalls, anti-virüs systems etc.
For administrative measures, most of the activities like adding Personal Data Protection clauses on internal or external contracts,
require managerial decisions and can be carried out without any sophisticated system. SAP® PDP takes its role for the rest which
are particulary required for GDPR / KVKK for instance Explicit Consents, Personal Data Masking, Access Logging, Anonimyzation
from technical aspect and Obligation to Inform for example for Administrative part.

Technical Measures

Firewalls and network security
Current anti-virus/anti-spam systems
Disk encryption and key management
Penetration tests
Cyber attack defense systems
User account and authority management
Software application security
Data encryption
Data loss prevention systems (DLP)
Protection systems against system threats and violations
Explicit Consent collection and management
Recording access to personal data (Logging)
Displaying personal data by masking
Personal data deletion, anonymization and destruction

Administrative Measures

Institutional policies
In-house agreements (e.g. between data controller * data processors)
Confidentiality agreements with 3rd parties
Employment contracts with employees
Awareness-raising activities
Educational activities
Disciplinary regulation and procedures
Corporate Communication (e.g. reputation management)
Risk analysis and risk minimization
Planned and random inspections
Corporate Communication (Information requests from individuals or institutions and data breach crisis management)
Creation of Personal Data Processing Inventory
Activities related to the Obligation of Disclosure
Registration to Verbis

The red lines in the list are the KVKK/GDPR requirements that can be fulfilled within the scope of PDP implementation.

How long does it take to activate the PDP?

The implementation period of each project may vary depending on the scope, special demands, the management of the information systems
in the foreign country, the chosen integration methods, the total number of companies and similar parameters. The General Project Plan
below gives a general idea of the project steps. (The 2-week support period after going live is not included)

Why SAP® PDP?

It offers a real-time notification system that reports users accessing personal data.

Investing on a world-class solution which is continuously developing and adapting itself to future requirements as well regulation changes

Reduced Total Cost of Ownership (TCO) through investing on a single system rather than dealing with many systems

Taking and managing GDPR related measures from a central control platform instead of using fragmanted solutions

Complete and true GDPR compliance with the use of PDP’s best practise read-to-use data and process designs matured throughout the previous implementations

Successful projects, strong references and solid success stories

Effective orchestration of non-SAP® systems and physical locations with PDP’s holistic approach to GDPR requirements.

SAP® ’s global support and commitment to PDP

Customer Testimonials

How do we support your business growth?

Kadir Sakarya

Sepaş, Information Technologies Manager

"By adapting SAP® 's best practices on GDPR / KVKK, we have ensured the protection of personal data in our ecosystem through a highly successful project. We worked with the expert teams of Nagarro + MBIS in this project, where we managed to fulfill a very important part of the legal requirements of personal data protection with SAP® PDP. We would like to thank Nagarro + MBIS for their devoted work."

Fehmi Murat DERİCİOĞLU

Çimsa, CIO

We have completed the Personal Data Protection (KVK) part of our Digital Transformation journey, which we have executed based on our strategic partnership with SAP® , using the PDP (Personal Data Protector) solution. By adopting SAP® 's know-how and best practices in Personal Data Protection Law (KVKK), we have successfully managed to greatly meet legal compliance requirements by ensuring the protection of personal data in our ecosystem and the central management of related processes.

Please contact us for further information

Name*

Surname*

Company*

Title*

e-Mail*

Message*

By filling out this form, I hereby accept and declare that I have read and understood the Clarification Text regarding the processing of the personal data of visitors to the Nagarro + MBIS website and the use of cookies

Privacy Overview

This website uses cookies to provide you with a better service. To change your cookie preferences and get detailed information about Cookies, please read the Cookie Policy.

Necessary

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
CONSENT	16 years 5 months 1 day 11 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Performance

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
li_gc	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

SAP® PDP

What is SAP® PDP?

SAP® systems

Non-SAP® systems

Physical environments

What kind of a system do organizations need to ensure GDPR / KVKK compliance?

Data management

Process management

Data access management

Anonymization and destruction

Task management

Management and orchestration

Basic functionality of SAP® PDP

Obligation to inform

Explicit Consent collection and management

Anonymization and masking

Automated personal data discovery in SAP®

Personal data and access minimization

Task management

Personal data breach management

Reporting and monitoring

Management and orchestration

Information request management

Personal data processing inventory

Personal data access logging

Some of the technical features of SAP® PDP

Flexibility and scalability

User authorization

'New field' warning

SAP® field masking

Fiori screens

Language options

Versioning

Supported SAP® systems

BW support

Non-SAP® system integrations

SAP® GRC integration

DLP support

What is the scope of PDP in terms of GDPR / KVKK measures?

Technical Measures

Administrative Measures

How long does it take to activate the PDP?

Why SAP® PDP?

Customer Testimonials

How do we support your business growth?

Please contact us for further information

What kind of a system do organizations
need to ensure GDPR / KVKK compliance?

What is the scope of PDP in
terms of GDPR / KVKK measures?