SNP GDPR Cockpit for HR is a specialized tool that helps maintain GDPR compliance for personal data processed in SAP HR systems (data about employees, associates and temporary workers). It is a fast-deployment add-on to standard SAP HR, and it can be adapted to the specific needs of any organization.
For SAP HR
For companies using the SAP HR system, SNP has prepared a solution that automates a number of activities required by the GDPR. Data anonymization, data deletion, archiving of documents and sending of information to data subjects are ready-to-use mechanisms built into the cockpit.
The target users of the cockpit are the data controller, HR specialists and the data protection officer. SNP GDPR Cockpit for HR is an SAP GUI application available in two language versions, Polish and English. The menu can be adapted to the requirements of a specific user (a sample menu is shown in Fig. 1); in particular, customers can add their own catalogs and functions.
The cockpit supports five groups of key activities defined by the GDPR:
- Maintaining a record of data processing activities;
- Keeping a register of breaches;
- Managing the rights of the people whose data is processed in our systems;
- Managing consents to data processing;
- Audit of data changes.
Record of data processing activities
The GDPR provides that the record of data processing activities does not have to be kept by enterprises employing fewer than 250 people, unless:
- the processing is likely to result in a risk to the rights or freedoms of data subjects, e.g. it may result in discrimination, identity theft or identity fraud,
- the processing includes special categories of data (e.g. biometric data) or data on criminal convictions and offences,
- the processing is not occasional, e.g. processing of data related to customer management or personnel management.
Pursuant to the last provision, this record has to be maintained in almost every company that has employees.
SNP GDPR Cockpit for HR supports the creation and versioning of the record; however, this function is also useful to customers who keep the record in another tool. How? The contents of the record are defined in Article 30 of the GDPR. The SNP application automatically generates a record proposal by analyzing the contents of all infotypes in use, including custom ones, and of the key HR tables. This proposal can be edited and expanded further, or used as a source of information for a record of processing activities maintained outside the cockpit. If the record is maintained in the cockpit, elements that are processed outside the SAP HR system, e.g. biometric data for an access control system, GPS location data or employee photos, must be added manually to the generated proposal, because the analysis only sees what is stored in SAP HR.
Informing and rights of individuals
When talking about the rights of the people whose data we process, we must also remember the information obligation (Articles 13 and 14 of the GDPR). The SNP cockpit enables us to send previously prepared data protection documents to the people whose data we process in SAP HR, and to archive them, which matters for the accountability principle in the event of an inspection. In connection with the new requirements of the GDPR, some customers will probably decide to fulfil the information obligation again or to supplement the information given to employees about their rights. In both cases, the SNP tool can be used.
The GDPR does not explicitly state whether the information obligation has to be fulfilled again for persons whose data was obtained before May 25, 2018. On November 29, 2017, the Article 29 Working Party addressed the question of updating the information provided to data subjects, invoking Recital 171 of the GDPR. According to that recital, processing already under way on the date of application of the Regulation (May 25, 2018) should be brought into conformity with the GDPR during the two years preceding that date. The Working Party is therefore in favor of fully performing the information obligation in accordance with the GDPR. SNP GDPR Cockpit can automate this process.
SNP GDPR Cockpit for HR supports the exercise of the following rights:
- the right of access: at the request of an individual, we can generate a report of their data together with the purposes of processing;
- the right to erasure: the cockpit offers selective or complete deletion of a person's data from the SAP HR system;
- the right to data portability: from the cockpit we can generate a readable CSV file containing all the data we process in SAP HR for a given person.
Each data subject request related to the exercise of these rights should be registered in the cockpit along with comments, attachments and a status. The cockpit has built-in deadline monitoring, which minimizes the risk of a request being handled late.
Managing individuals’ consents
The cockpit can be used to register individuals' consents to the processing of their data. A scan of the original document or the content of the relevant correspondence can be attached to the consent record. Many employers will most likely ask employees or associates for additional consents, for example to publication of photos on the website, processing of location data or transfer of data to a training company. It should be remembered that the data subject has the right to withdraw consent at any time; the full consent history, including withdrawals, is stored in the system.
Register of breaches
A new obligation of controllers is to report a personal data breach to the competent supervisory authority (in Poland, the President of the Office for Personal Data Protection) without undue delay and, where feasible, not later than 72 hours after becoming aware of it. In some cases the data subjects must also be informed of the incident: when the breach is likely to result in a high risk to their rights and freedoms.
Not all breaches need to be reported to the supervisory authority. Under the GDPR, a breach that is unlikely to result in a risk to the rights and freedoms of natural persons does not have to be notified. The 72-hour limit is applied with common sense: after the initial notification, the report may be supplemented in phases as new information becomes available and the circumstances of the breach are established. Information that cannot be provided within the 72 hours may therefore be delivered later, without undue further delay.
The data controller is obliged to keep a register of breaches in which every personal data breach is documented, regardless of whether it poses a risk to the rights and freedoms of natural persons. This register is also useful to the supervisory authority, because during an audit it allows the authority to check whether the controller fulfils their obligations with due diligence. This division of labor, recording every breach internally but notifying only those that pose a risk, is meant to prevent supervisory authorities from being flooded with notifications.
SNP GDPR Cockpit for HR supports the whole process, from identifying a breach to reporting it to the supervisory authority and to the persons whose rights and freedoms are at risk. Approaching deadlines are highlighted with colors. Electronic breach notifications can be sent to the supervisory authority directly from the register.
What next?
SNP GDPR Cockpit for HR can be launched in an organization within a few weeks. The application is open to new functionalities; in particular, customers can place their own documentation in the cockpit catalog. A few improvements, including some concerning breach notifications, are planned. The draft of the new Polish act on the protection of personal data provides that the President of the Office for Personal Data Protection will maintain an ICT system enabling controllers to report breaches. It is likely that the supervisory authority will prepare and publish a notification form similar to the one used by telecommunications operators under Art. 174a of the Telecommunications Law. When the new specification is announced, we will replace the current standard e-mail notification in the cockpit with the target format.