Doing Business in Europe? EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. What you need to know and do by Friday, May 25, 2018.

Doing Business in Europe? GDPR: What you need to know and do


Agenda
• About Natuvion
• Introduction to EU General Data Protection Regulation (GDPR)
• 11 steps you need to take before Friday, May 25, 2018
• How SAP and Natuvion capabilities can expedite and simplify your GDPR compliance
• GDPR workshop: will yours be free?
• Question and answer


About Natuvion | SAP Partner for GDPR

SAP Recognized Experts in Security and GDPR
• Office locations: Walldorf, Berlin, Munich, Vienna, and New York
• Rapidly growing: more than 60 employees

SAP Co-Innovation Program for Data Protection and Privacy
• Multi-city SAP customer workshops
• Innovation partner for Data Protection and Privacy

Three Years of Successful SAP/GDPR Implementations
• Strategic IT Security, Data Protection and Privacy Management
• Accelerator 1 | Data Anonymization Engine [TDA]
• Accelerator 2 | Mass Data Decommissioning System
• Accelerator 3 | Templates for SAP Information Retrieval Solution
• Information Lifecycle Management [ILM] Competence Center

Industries: Technology, Manufacturing, Automotive, Energy, Pharmaceutical, Beverages, Banking, Insurance, Retail

Natuvion GmbH | Altrottstraße 31 | 69190 Walldorf | Fon +49 6227 73-1400 | Fax +49 6227 73-1410

www.natuvion.com

Your Experts Today

Patric Dahse, Managing Director (Geschäftsführer)
Fon: +49 151 171 357 02 | Mail: [email protected]

Patric Dahse, CEO/Founder, Natuvion Americas Inc., 19 W. 34th Street, Suite 1018, New York, NY 10001, USA
T +49 (0)6227.73-1400 | F +49 (0)[email protected]
Areas of expertise: § Data Protection and Privacy § SAP Transformation

Benjamin Spies, IT Lawyer, Partner, SKW Schwarz Rechtsanwälte, Wittelsbacherplatz 1, 80333 Munich, Germany
T +49 (0)89.28640-108 | F +49 (0)[email protected]
Areas of expertise: § IT Law § Data Security Rights

What is GDPR?

EU General Data Protection Regulation (GDPR)

1. Designed to harmonize data privacy laws across Europe, GDPR protects and empowers all EU citizens by giving them more say over what companies do with their data.

2. Makes data protection legislation more consistent and clear across the EU, saving a collective €2.3 billion a year.

3. Replaces the 1995 Data Protection Directive. A directive had to be transposed into national law; GDPR is a regulation that applies directly in every member state. The enforcement date is Friday, May 25, 2018.

4. Organizations in non-compliance will face recurring, time-consuming investigations, heavy fines, and more; member-state law (Art. 84 GDPR leaves further penalties to national law) can add criminal sanctions of up to two years in prison.

5. Reverses the burden of proof to the detriment of data processing companies: under the accountability principle (Art. 5(2)) the controller must be able to demonstrate compliance. Companies need to strategically shift focus to recognize individual rights.

6. Significantly increases the need for systematic solutions that allow for comprehensive documentation of measures. Achieving compliance will require updating SAP and other technical solutions.

Summary of GDPR Key Facts
1. Enhanced rights of data subjects
2. Increased duty for protecting data
3. Mandatory data breach reporting
4. Significant penalties for non-compliance


Compliance with GDPR in the United States
How is GDPR relevant for US companies? What happens in cases of non-compliance?

GDPR not only applies to organizations located within the EU, but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects (Art. 3(2)).

It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company's location.

Organizations can be fined up to 4% of annual global turnover or 20,000,000 euros, whichever is higher, for non-compliance (Art. 83(5)). In addition, any person who has suffered damage as a result of an infringement has the right to receive compensation from the controller or processor (Art. 82); the regulation itself does not make owners or shareholders personally liable for corporate debts.


Examples of personal data (* = special categories under Art. 9):
• Health data*
• E-mail address
• Name & address
• IP address
• Biometric data*
• Camera records
• Access registration
• Iris scan*
• Membership of a labor organization*
• Username & password
• Smart meter data

Legal | Key Principles of the Protection of Personal Data

Principle 1: Lawfulness, Fairness, and Transparency
• Consumer consent is critical.
• Shifts data control back to the individual.

Principle 2: Data Minimization
• Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

Principle 3: Data Security
• Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data, as well as against accidental loss, destruction of, or damage to personal data.

Principle 4: Accuracy
• Personal data shall be accurate and, where necessary, kept up to date.

Principle 5: Accountability
• Data Protection Officers govern adherence to the regulation.
• Data breach notification becomes mandatory.
• Heightened requirements for processors.


Preparing for GDPR: 11 Steps You Need to Take
(The slide classifies each step as juridical/organizational, IT relevant in scope, or IT relevant.)

1. Awareness
2. Data overview 360 degree
3. Privacy statement
4. Individual rights
5. List of procedures
6. Consent
7. Children
8. Data privacy violations
9. PIA and DPbyD (privacy impact assessment and data protection by design)
10. Data Protection Officer
11. International

Natuvion Recommends | Biggest Impact on IT Landscape


4. Individual Rights (99 GDPR articles; e.g., the six rights of individuals)
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability


Right of Access | Art. 15 • Information • Copy
Rectification | Art. 16 • Correction • Completion
Deletion | Art. 17 • Controller • 3rd party (right to be forgotten)
Restrictions | Art. 18 • Restriction of processing • Blocking
Portability | Art. 20 • Extraction • Automatic transfer to 3rd party
Objections | Art. 21 • General • Direct marketing

LEGAL | One-month deadline (exception: can be extended by two further months, Art. 12(3))
LEGAL | Costs: data must be provided free of charge (exception: manifestly unfounded or excessive requests, Art. 12(5))

Anonymization drives efficiency and reduces costs when implementing GDPR requirements (Art. 5).

SAP & Natuvion Offer Features That Enable an Effective Data Governance Model

Natuvion simplifies the GDPR compliance process! There are 99 GDPR articles and many technical SAP solutions. Natuvion simplifies the process by providing a roadmap of the steps you need to complete, with the technical tools to expedite a data governance program.

Fields of Action

Field of action → Measure
• Comprehensive real data in project/test and training systems → Test and project systems only with anonymous data; anonymization of training and testing systems
• Historical data in productive systems → Delete historical data
• Extensive database of process execution → Lock and implement continuous data management; personal data to be deleted after expiration of legitimation
• Customer requests to provide information (requests for information about personal data) → Structured, IT-supported processing
• Conformal use of approval & consent → Collection & processing of consent

Tools (SAP standard and Natuvion accelerators)
• Pseudonymization of systems and data: Natuvion TDA, SAP TDMS
• Test data generation and duplication: Natuvion EDA
• Data selection and data deletion: Natuvion DCS, SAP LT 2.0, SAP Archiving
• Data locking and data deletion: SAP ILM
• System replacement: SAP ILM Decommissioning
• Data information and search: Natuvion DDI, SAP IRF
• Collection & processing of consent: SAP Consent
• Coming soon: SAP RAL & SAP UI Logging (data access logging & monitoring), SAP UI Masking (data masking/blocking)

Deletion Article 17 – Customer M&A Example: Historical Data in Productive System

Right to be Forgotten

Art. 5(1)(e): Identification of the data subject shall only be possible for as long as is necessary for the purposes for which it is processed.

Art. 17: The data subject has the right to require the controller to delete personal data relating to him or her without undue delay, and the controller is obliged to delete it without undue delay, where:
• the purpose has been fulfilled
• consent has been revoked
• the data subject objects to the processing
• the processing was unlawful (including data of children)

All relevant data must be deleted from the productive system. A pure "concealment" of the data is not sufficient.

Example (diagram on the slide): an SAP ERP/CRM/IS* production system holds three company codes (BuKrs):

BuKrs | Designation
0400 | Business1
0600 | Business2
0800 | Business3

Business3 (BuKrs 0800) is transferred, with its full historical data, to the production IT system of a new service provider (data transfer at the service provider's charge). Once the transfer is complete, the data of the divested business must be deleted from the original production system rather than merely hidden.

Technical Procedure | Depending on the project requirements, selective data erasure can be performed in three different variants.

Data Protection and Data Privacy – Cyber Security Week – ASUG/SAP/Natuvion

Variant 1: Big-Bang*
• Typing the data (key definition)
• Delete data with optimized performance (within 40 hours)
• Reorganization of the database
• Possibility of data recovery

Variant 2: Object
• Typing the data (key definition)
• Deleting the data with low process speed
• Object deletion with low performance
• Possibility of data recovery

Variant 3: Batch
• Step-by-step deletion of data on fixed dates
• Unique data typing
• Delete table type-oriented
• Delete with optimized performance
• Possibility of data recovery

Variants 1-3: Selective Deletion

*Big-Bang is the most effective erasure process. Deletion of data is generally possible in less than 40 hours.

Note on "possibility of data recovery": a recovery option exists only as long as recoverable copies (database undo, backups, archive files) survive. An Art. 17 erasure is complete only when those copies have also expired or been destroyed, so their retention has to be part of the deletion plan.

Deletion Article 17 – Customer Approaches

Technical Procedure | Data erasure consists of a data shift and data erasure or clean-up powered by Natuvion's data conversion server.

Example (diagram on the slide): integrated systems (SAP CRM / SAP ERP) with company codes (BUKRS) 1000, 2000, 3000, and 4000; company code 3000 is to be erased.
1. Selection: the integrated systems hold 1000, 2000, 3000, 4000 BUKRS; the data of 3000 BUKRS is selected.
2. Logical deletion: 1000, 2000, 4000 BUKRS remain in use; 3000 BUKRS is logically deleted (blocked).
3. Physical deletion: 1000, 2000, 4000 BUKRS remain; the data of 3000 BUKRS is physically removed.

Project phases: Blueprint → Test 1 → Test 2 → GP → GL → Deletion

Deletion Article 17 – Mass Data Decommissioning

Data Processing in Major IT Systems (Insurance/Energy/Banking/Telecommunications…): the slide shows a typical landscape in which personal data is processed, with each component marked A (archive system attached) or P (output/print attached):
• SAP ERP (Classic/HR), SAP CRM, SAP ERP (Industry), SAP BW, SAP BO
• Archive System, Output Control, Contract-/Postal Control
• CSS (Customer Self Services), ELKO Processing
• Management of interests & acquisitions, Data Exchange, Credit Check, Mail gateway
Legend: A = Archive System, P = Output/Print

Deletion Article 17 – ILM Competency Center

SAP released a new Information Lifecycle Management feature. Natuvion has the first experienced consultants available via the ILM Competency Center.

The relevant data must be deleted from the productive system after completion of the event or after expiration of the deadline.

Standard Process of Contract Management
1. Prospect management, acquisition process, and credit check
2. Contract initiation (initiation, cancellation, change of tenant, and contract change)
3. Contract management of an ongoing business relationship (billing, receivables management, claims management, etc.)
4. Contract end and final settlement

Management of Retention Rules: Automated Data Storage and Destruction
• Data storage according to active rules.
• Destroy the data as soon as the retention time is reached.
• Data destruction directly from the database or the archive.

"Data Cluster" per Retention Period
• Generation of various archive files with the corresponding expiration date according to the defined retention period.

E-Discovery
• Search for information related to litigation.

Legal Hold
• Prevent early data destruction in legal cases.

• Simplified blocking and deletion of personal data.
• Functionality is based on SAP Information Lifecycle Management.
• With SAP ILM, business partner data can not only be blocked or deleted; transactional data can also be destroyed.
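The retention lifecycle described in this list (block at end of purpose, destroy when the retention period expires, never destroy under legal hold, cluster by expiry date), together with the selection, logical deletion, physical deletion sequence of the Article 17 slides, as an added example. This is not SAP ILM's or Natuvion's code: the retention rules, record types, state names, dates and sample records are constructed for the example, and `legal_hold` as a per-record flag is an assumption of this model.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical retention rules (constructed for this example): record type ->
# how long the record must be kept after its business purpose has ended.
RETENTION_RULES = {
    "contract": timedelta(days=10 * 365),   # e.g. statutory commercial retention
    "prospect": timedelta(days=180),        # unconverted prospect data
    "marketing": timedelta(days=0),         # destroy as soon as consent/purpose ends
}

ENFORCEMENT_DAY = date(2018, 5, 25)         # first scheduled run in the demo
LATER_RUN = date(2018, 7, 1)                # a later run, after P1's retention expires


@dataclass
class Record:
    record_id: str
    record_type: str
    subject_id: str
    end_of_purpose: date | None       # None while the business purpose is still active
    legal_hold: bool = False
    state: str = "active"             # "active" -> "blocked" -> (row physically removed)
    payload: dict = field(default_factory=dict)


def expiry_date(rec: Record) -> date | None:
    """Date from which the record may be destroyed; None while the purpose is active."""
    if rec.end_of_purpose is None:
        return None
    return rec.end_of_purpose + RETENTION_RULES[rec.record_type]


def cluster_by_expiry(store: dict[str, Record]) -> dict[date, list[str]]:
    """'Data cluster' per retention period: record ids grouped by destruction date,
    so each cluster can go into one archive file carrying that expiry date."""
    clusters: dict[date, list[str]] = {}
    for rec in store.values():
        exp = expiry_date(rec)
        if exp is not None:
            clusters.setdefault(exp, []).append(rec.record_id)
    return clusters


def set_legal_hold(store: dict[str, Record], subject_id: str, hold: bool) -> int:
    """Place or lift a legal hold on every record of one data subject; returns the count."""
    affected = [r for r in store.values() if r.subject_id == subject_id]
    for rec in affected:
        rec.legal_hold = hold
    return len(affected)


def apply_retention(store: dict[str, Record], today: date) -> list[tuple[str, str]]:
    """One scheduled run of the retention rules. Mutates `store` and returns an
    action log of (record_id, action) that carries no personal data itself.

    End of purpose -> the record is blocked (logical deletion: no normal access or
    processing, but kept for the retention period). Expiry -> the record is removed
    from the store (physical deletion). A legal hold stops destruction only.
    Hiding the row behind a flag would be the 'concealment' that Art. 17 rejects."""
    log: list[tuple[str, str]] = []
    for rec_id, rec in list(store.items()):
        exp = expiry_date(rec)
        if exp is None:
            continue                                   # purpose still active: keep
        if today >= exp:
            if rec.legal_hold:
                rec.state = "blocked"
                log.append((rec_id, "held"))           # eligible, but under legal hold
            else:
                del store[rec_id]                      # physical destruction
                log.append((rec_id, "destroyed"))
        elif today >= rec.end_of_purpose and rec.state == "active":
            rec.state = "blocked"                      # end of purpose: block access
            log.append((rec_id, "blocked"))
    return log


def build_demo_store() -> dict[str, Record]:
    """Constructed sample records (not real data)."""
    return {
        "C1": Record("C1", "contract", "BP100", date(2010, 1, 31), payload={"name": "Erika Mustermann"}),
        "P1": Record("P1", "prospect", "BP200", date(2018, 1, 1), payload={"name": "Max Example"}),
        "M1": Record("M1", "marketing", "BP300", date(2018, 5, 1), payload={"email": "x@example.invalid"}),
        "A1": Record("A1", "contract", "BP400", None, payload={"name": "Active Customer"}),
    }


if __name__ == "__main__":
    store = build_demo_store()
    print(cluster_by_expiry(store))
    print(apply_retention(store, ENFORCEMENT_DAY))    # M1 destroyed, C1 and P1 blocked
    set_legal_hold(store, "BP200", True)
    print(apply_retention(store, LATER_RUN))          # P1 expired but held
    set_legal_hold(store, "BP200", False)
    print(apply_retention(store, LATER_RUN))          # P1 now destroyed
```

The action log deliberately records only ids and actions: a destruction log that keeps the deleted name or address would itself be a copy the erasure missed. In a real landscape the `del store[rec_id]` step has to reach archive files and backups too, which is why the clusters are keyed by expiry date.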

Natuvion can support ASUG members exclusively with predefined templates and blueprints or implementation support via the Natuvion International ILM Competency Center.

New! SAP ILM Blocking & Deletion
Information Lifecycle Management – Competency Center

Right of Access Article 15 – New! SAP IRF Generic Smart Search

Art. 15 "Right of access by the data subject": the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, if that is the case, access to the personal data plus other details.

Solution: "Information Retrieval Framework" – Generic Smart Search.

Extract of the risks/challenges of the new transparency obligations starting in 2018
(GDPR Art. 12(3): time limits / GDPR Art. 13/14/15: scope)

Chart on the slide: average working time (days) per information request under Art. 15 GDPR, current-state example of an energy supplier (Energieversorger), by calendar week (KW 36, KW 46, KW 03, KW 13, KW 26); values shown 48, 19, 19, 59; average (Ø) 41 days. Requesters range from single persons to organizations or competitors. Retail customer = current processing time on average 41 days. GDPR = one month, with more complex reporting requirements.

1. An individual or organization requests information or requests data transmission → within one month, the information and/or transmission must be provided.
2. A supervisory authority or court issues an ad-hoc order for implementation → immediate implementation of the data protection conditions and requirements applies.
3. In the case of a delay, nonconformity, or incorrect answer → public disputes/announcements, monetary and lasting impact, and reputation damage.
4. Lack of implementation of a declared status quo → breach of conformity: high (personal) liability risk.
X. The privacy policy statement must include stored/erased data; it becomes a "fine kit" for supervisory authorities, associations, competitors, and affected persons.

New in a NetWeaver patch: SAP Information Retrieval Framework – Generic Smart Search. Using SAP IRF together with Natuvion's blueprints and data models, quickly identify GDPR-protected personal data across heterogeneous landscapes.

Searching for Data
• The search can be carried out according to defined entry criteria (partner, customer, order, etc.).
• Data models can be stored in different versions and variants.
• The search can be performed centrally on all connected systems.
• The search jobs are executed asynchronously in the system.

Output of Results
• The executed search jobs persist the results in their own tables (possibly their own clients).
• This data will be deleted after the deadline (the persisted results are themselves a copy of personal data and need their own retention rule).
• Result processing can be filtered and/or modified.
• Output of data in an ALV grid (SAP standard).
• Connection of other technologies possible (SAP Fiori, UI5, HCP).
• Form integration is not standard.

• Real-time data visibility across fragmented data sources.
• Base technology (SAP BASIS) is included in the license costs of SAP Business Suite.
• Data search for defined data models on all systems in SAP Business Suite.
• Connection of non-SAP systems and web services possible.
• Use of BASIS functionality "Generic Smart Search."
• Use of the ILM objects (table scope/grouping) and derivation of the reading paths.
• Rule-based search and exclusion of values/results.

Natuvion can support ASUG members exclusively either with predefined templates (data models), blueprints, and/or implementation support as a co-innovation development partner for IRF.
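A cross-system subject search driven by a data model with reading paths and rule-based exclusion, as an added example of the mechanism the IRF slide describes; it is not SAP IRF's or Natuvion's code. The systems, tables, the data model, the purpose/retention texts in `table_info` and the `STATUS == TEST` exclusion rule are all constructed assumptions, and the "place, reason, recipient, duration" details an Art. 15 answer needs are modelled only as per-table purpose and retention strings.

```python
from __future__ import annotations

# Constructed landscape: two connected systems with their own tables (not real data).
SYSTEMS = {
    "CRM": {
        "BUT000": [
            {"PARTNER": "0001000123", "NAME": "Erika Mustermann", "EMAIL": "erika@example.org"},
            {"PARTNER": "0001000124", "NAME": "Max Example", "EMAIL": "max@example.com"},
        ],
        "ORDERS": [
            {"ORDER_ID": "A100", "PARTNER": "0001000123", "DELIVERY_ADDR": "Altrottstr. 31, Walldorf"},
            {"ORDER_ID": "A101", "PARTNER": "0001000124", "DELIVERY_ADDR": "Main St 1, Berlin"},
        ],
    },
    "ERP": {
        "INVOICES": [
            {"BELNR": "9000000001", "ORDER_ID": "A100", "IBAN": "DE00TEST000000000001", "STATUS": "POSTED"},
            {"BELNR": "9000000002", "ORDER_ID": "A101", "IBAN": "DE00TEST000000000002", "STATUS": "POSTED"},
            {"BELNR": "9000000003", "ORDER_ID": "A100", "IBAN": "DE00TEST000000000001", "STATUS": "TEST"},
        ],
    },
}

# Hypothetical data model in the spirit of the slide: entry criterion, reading paths,
# the personal fields per table, per-table details for the Art. 15 answer, and a
# rule-based exclusion of rows that are not real processing (technical test postings).
DATA_MODEL = {
    "entry": ("BUT000", "PARTNER"),
    "paths": [  # (parent table, parent field, child table, child field)
        ("BUT000", "PARTNER", "ORDERS", "PARTNER"),
        ("ORDERS", "ORDER_ID", "INVOICES", "ORDER_ID"),
    ],
    "personal_fields": {"BUT000": ["NAME", "EMAIL"], "ORDERS": ["DELIVERY_ADDR"], "INVOICES": ["IBAN"]},
    "table_info": {  # purpose and storage duration reported with the data (assumed values)
        "BUT000": ("master data / contract performance", "contract end + 10 years"),
        "ORDERS": ("order processing", "contract end + 10 years"),
        "INVOICES": ("billing / tax retention", "fiscal year end + 10 years"),
    },
    "exclude": {"INVOICES": {"STATUS": "TEST"}},
}


def _rows(systems: dict, table: str):
    """The same logical table read centrally from every connected system."""
    for system, tables in systems.items():
        for row in tables.get(table, []):
            yield system, row


def _excluded(model: dict, table: str, row: dict) -> bool:
    return any(row.get(f) == v for f, v in model["exclude"].get(table, {}).items())


def search_subject(model: dict, systems: dict, entry_value: str) -> list[dict]:
    """Follow the reading paths from the entry criterion and collect every row that
    belongs to this data subject across all systems. Returns one hit per row with
    only the personal fields the model declares; children of excluded rows are not
    followed, so a test posting cannot drag unrelated data into the answer."""
    entry_table, entry_field = model["entry"]
    queue = [(entry_table, entry_field, entry_value)]
    seen: set[tuple] = set()
    hits: list[dict] = []
    while queue:
        table, key_field, key = queue.pop(0)
        for system, row in _rows(systems, table):
            if row.get(key_field) != key or _excluded(model, table, row):
                continue
            ident = (system, table, tuple(sorted(row.items())))
            if ident in seen:
                continue
            seen.add(ident)
            hits.append({"system": system, "table": table,
                         "data": {f: row[f] for f in model["personal_fields"].get(table, []) if f in row}})
            for p_table, p_field, c_table, c_field in model["paths"]:
                if p_table == table and p_field in row:
                    queue.append((c_table, c_field, row[p_field]))
    return hits


def build_report(model: dict, hits: list[dict]) -> dict:
    """Group the hits into the structured answer: system -> table -> rows, each with
    the purpose and storage duration the data subject is entitled to be told."""
    report: dict = {}
    for h in hits:
        purpose, retention = model["table_info"][h["table"]]
        report.setdefault(h["system"], {}).setdefault(h["table"], []).append(
            {"data": h["data"], "purpose": purpose, "retention": retention})
    return report
```

Only fields listed under `personal_fields` reach the report: the search must not become a second, uncontrolled copy of everything about the subject, and the result set itself has to be deleted once the request is answered.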

Functionality Overview: SAP standard technology (Information Retrieval Framework) with Natuvion blueprint & data models

Anonymize & Pseudonymize with Natuvion's Certified "TDA"
1. Anonymize real data in project, test, and training systems so they are not relevant for GDPR.
2. Pseudonymize data in production to expedite GDPR processing.

No personal data may be held in SAP test or project systems. All test procedures must be carried out with anonymous data.

Note the distinction: pseudonymized data is still personal data under GDPR (Recital 26), which is why point 2 only speaks of expediting processing in production; only anonymized data takes a non-production system out of scope.
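Consistent pseudonymization of a production extract for a test or project system, as an added example that is not Natuvion TDA or SAP TDMS code. It assumes two tables that share a PARTNER key (the CRM and ERP systems of the sample landscape) and a per-landscape secret that stays on the production side; the table layouts, field names and rows are constructed. The copy it produces is pseudonymized; whether it counts as anonymous for the non-production system depends on that secret never being available there, and the leak check at the end is the minimum verification before hand-over.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed production rows (not real data). CRM and ERP share the PARTNER key,
# so the pseudonym for a key must be the same in every table of every system.
CRM_PARTNERS = [
    {"PARTNER": "0001000123", "NAME": "Erika Mustermann",
     "EMAIL": "erika.mustermann@example.org", "IP": "203.0.113.45"},
    {"PARTNER": "0001000124", "NAME": "Max Example",
     "EMAIL": "max@example.com", "IP": "198.51.100.7"},
]
ERP_INVOICES = [
    {"BELNR": "9000000001", "PARTNER": "0001000123", "AMOUNT": "120.00",
     "NOTE": "Reminder sent to Erika Mustermann"},
    {"BELNR": "9000000002", "PARTNER": "0001000124", "AMOUNT": "45.50", "NOTE": ""},
    {"BELNR": "9000000003", "PARTNER": "0001000123", "AMOUNT": "12.00",
     "NOTE": "Callback from 203.0.113.45"},
]


def _mac(secret: bytes, domain: str, value: str) -> bytes:
    """Keyed hash with domain separation: a name and an e-mail with the same text
    never share a pseudonym, and without `secret` nobody can recompute the mapping."""
    return hmac.new(secret, f"{domain}\x00{value}".encode(), hashlib.sha256).digest()


def pseudo_key(secret: bytes, value: str, width: int = 10) -> str:
    """Replacement for a numeric key field: same width and character class, so the
    copy still passes the field's format checks. Deterministic, so joins survive."""
    n = int.from_bytes(_mac(secret, "key", value)[:8], "big") % 10 ** width
    return str(n).zfill(width)


def pseudo_name(secret: bytes, value: str) -> str:
    return "Test Person " + _mac(secret, "name", value)[:3].hex().upper()


def pseudo_email(secret: bytes, value: str) -> str:
    return "user-" + _mac(secret, "email", value)[:6].hex() + "@example.invalid"


def pseudo_ip(secret: bytes, value: str) -> str:
    b = _mac(secret, "ip", value)[:3]
    return f"10.{b[0]}.{b[1]}.{b[2]}"     # always lands in private address space


# Which CRM fields are direct identifiers and how each one is replaced.
PARTNER_FIELDS = {"PARTNER": pseudo_key, "NAME": pseudo_name,
                  "EMAIL": pseudo_email, "IP": pseudo_ip}


def scrub_text(text: str, replacements: dict[str, str]) -> str:
    """Free-text fields (notes, comments) leak identifiers too: replace every known
    original value, longest first so a full name is handled before any part of it."""
    for orig in sorted(replacements, key=len, reverse=True):
        text = text.replace(orig, replacements[orig])
    return text


def pseudonymize_landscape(secret: bytes, crm_partners: list[dict],
                           erp_invoices: list[dict]) -> tuple[list[dict], list[dict]]:
    """Build the CRM and ERP copies for a test/project system."""
    replacements: dict[str, str] = {}
    crm_out = []
    for row in crm_partners:
        new = dict(row)
        for fld, fn in PARTNER_FIELDS.items():
            if row.get(fld):
                replacements[row[fld]] = fn(secret, row[fld])
                new[fld] = replacements[row[fld]]
        crm_out.append(new)
    erp_out = []
    for row in erp_invoices:
        new = dict(row)
        new["PARTNER"] = pseudo_key(secret, row["PARTNER"])   # same function: join still works
        new["NOTE"] = scrub_text(row["NOTE"], replacements)
        erp_out.append(new)
    return crm_out, erp_out


def identifier_values(crm_partners: list[dict]) -> list[str]:
    """Every original identifier value the leak check must not find in the output."""
    return [row[f] for row in crm_partners for f in PARTNER_FIELDS if row.get(f)]


def find_leaks(originals: list[str], tables: list[list[dict]]) -> list[str]:
    """Verification before hand-over: any original identifier value that still appears
    anywhere in the output means the copy is not safe for a non-production system."""
    leaked = set()
    for table in tables:
        for row in table:
            for value in row.values():
                for orig in originals:
                    if orig and orig in value:
                        leaked.add(orig)
    return sorted(leaked)
```

Amounts, document numbers and other non-identifying fields are left untouched so test cases keep working; the part that needs thought per landscape is the list of free-text fields that have to go through `scrub_text`, since that is where copied identifiers usually survive.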

Sample of SAP System Landscape (diagram on the slide): SAP CRM and SAP ERP/IS each exist as Production, Development, Test, Project, Training, and Sandbox systems; every non-production system that is built from a copy of production data is in GDPR scope unless that data is anonymized.

Principles Article 5

Art. 5 – Principles relating to personal data processing
1. Personal data must be:
a) processed lawfully, fairly, and in a transparent manner in relation to the data subject ("lawfulness, fairness, and transparency");
b) collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes ("purpose limitation");

Typical Phases of Implementation – ASUG offer: Natuvion's Certified "TDA" (ASUG Member)

Project duration: 6 to 10 weeks. Effort in person-days (PD) per phase, two rows as shown on the slide: 2-3 / 5 / 10-15 / 5 PD and 2-3 / 3 / 3-2 / 3 PD.

Phase 1: Concept (Scope)
§ Introduction of data anonymization in the department and recording of additional requirements, if necessary.
§ Survey of relevant process, authorization, or UI adjustments.

Phase 2: Test Position (Test Environment)
§ Delivery of transport orders.
§ Carry out the necessary standard customizing.
§ Create rules and variants.

Phase 3: Individualization (Tailoring Your Solution)
§ Display of additional functions or selection features.
§ Customizing as a coaching approach.
§ Development of customer-driven developments/tables.
§ Adaptation of variants.

Phase 4: Go live (Start of Regular Operation)
§ Test management
§ Test execution
§ Key user training
§ End user training
§ Go live
§ Stabilization
§ Certification per §9 German Federal Data Protection Act (optional)

Customer Example Using TDA: Reduced Risk by Removing Non-Prod SAP Systems Out of GDPR Focus

Historical data in productive systems
After the processing of data, contracts, or service contracts, customer data is passed on to new service providers. The historical data remains current and in the respective production systems. (1) To be implemented.

Extensive database of process execution
Processes for acquisition and contract processing generate data. The use of this data is legitimate for the respective purpose. After the process has been completed, the data is still available without restriction. (2) To be implemented.

Customer requests to provide information
Requests for information from the affected persons concerning the storage and processing of their personal data. Information must be provided in a structured, electronic form with the following specifics: place, reason, and recipient, as well as duration of the storage/deletion criteria. (3) To be implemented.

Comprehensive real data in project/test and training systems
SAP test, training, and/or project systems are built on a complete copy of the production system. Access to data is possible at any time, extensively or partially depending on the authorization. (0) To be implemented.

Figures from the customer example (chart labels on the slide; the exact mapping was partly lost in extraction):
• Company codes in system: 64, of which 31 with verified legitimation
• Interested persons: 4.200.000; change* 1.150.000; inactive; further counts 77.000 and 400; marked "with supervision" / "critical"
• Right of access by the data subject (Art. 15 GDPR): currently about 120 requests p.a.; access – dark figure*; data surveys with legitimation to be verified (current year)
• Real data in secondary systems (access restricted / data anonymized): 475.000 customers; companies 1 / 20 / 3; access extensive 16, limited 42, anonymized
*Number of inquiries across all service providers currently cannot be determined.
*Change = rejected bills of exchange and storage of data.

Services for the preparation, planning, implementation and monitoring of the EU GDPR

One-Day Workshop: GDPR Road-Map and Prioritization for SAP System Landscapes – Special Opportunity for ASUG Members

During a one-day workshop, experts from Natuvion, along with a data protection expert, will examine and analyze the data protection law situation within your company's SAP system landscape. In addition, we work with you to develop a well-founded approach that will help you meet the most stringent legal requirements.

Contact Patric Dahse - [email protected]


QuestionandAnswer


Risks and Consequences of Non-Compliance with GDPR: Fines and Additional Consequences

1. Violation of Notification Requirement: fine risk increases as more rules are violated. Administrative fines: under the current directive-based national laws, certain violations can be fined up to 300k€. GDPR fines are up to 20,000,000 euros ($23,138,200) or 4% of the annual global turnover of the company for the previous fiscal year, whichever is greater. An "incident" may be as severe as an actual data leak, or as simple as a justified complaint with the competent supervisory authority.

2. Imprisonment: up to two years' imprisonment for data protection offenses under national criminal provisions (GDPR itself imposes administrative fines; Art. 84 leaves further penalties to member-state law).

3. Damage Claims: in case of a data breach, damage claims from data subjects can easily reach significant levels; Art. 82 gives any person who has suffered damage the right to compensation from the controller or processor.

4. Failure of the Insurance: if the manager has not complied with the statutory provisions, an existing insurance will refuse to pay.

5. Damaged Reputation: could result from a data breach affecting customers, suppliers, and employees.

6. Communication of Personal Data Breaches: if data is transferred into the wrong hands, the data controller must inform the affected data subjects without undue delay (Art. 34). If this would involve disproportionate effort, a public communication is made instead.

Risk Assessment (chart on the slide: items 1-7 plotted by probability against potential negative impact). Fines may rise proportionately to reach the maximum GDPR fines compared to the current directive.