GDPR at SAP Fieldglass

Supporting your journey to GDPR compliance


What is GDPR?

The General Data Protection Regulation (“GDPR”) is a European Union (EU) law designed to protect the personal data of EU residents and give them greater control over how their information is collected, processed, stored, and shared.

GDPR goes into effect on May 25, 2018 and applies to companies that collect or process the personal information of people residing in the EU, regardless of their citizenship. GDPR’s broad reach also extends to the processing activities of entities outside of the EU if such activities relate to individuals in the EU (or citizens thereof). 

Our Commitment

SAP Fieldglass was born in the cloud and has always emphasized data privacy and protections to safeguard data hosted in our cloud service. We have taken steps to address the new requirements of GDPR and are committed to ensuring compliance as a data processor.

How does GDPR affect SAP Fieldglass and our customers?

While SAP Fieldglass products will not in and of themselves make our customers GDPR compliant, SAP Fieldglass, as a data processor, delivers functionality to help data controllers operate our products in compliance with relevant legislation on a country or regional level. However, the onus is on the customer, as the data controller, to achieve compliance.

We help our customers address GDPR requirements by using technical measures within our solution as well as organizational measures through an enhanced security and privacy program. We have achieved the latter by adding ISO 27018 (protection of personally identifiable information in public clouds) and the Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR) certifications to our existing ISO 27001, SOC 1, SOC 2 Type 2 in Privacy, and SOC 3 audits.

Is SAP Fieldglass GDPR ready?

SAP Fieldglass strongly considered GDPR when issuing our November 2017 release, which included product enhancements and our new privacy policy/notice outlining how we comply with data privacy and GDPR. Privacy impact assessments and data mapping exercises have been completed, and our internal processes have been reviewed to ensure that SAP Fieldglass can properly support our customers’ data processing requests.

Transparency
SAP Fieldglass has formalized internal processes around the handling of customer data and modified our privacy policy to simplify the language. Our privacy policy is available on the application’s login page, and individuals can view the data collected on them directly within the application.

Data Minimization and Accuracy
The only required personal information to use the SAP Fieldglass Cloud Service is first name, last name and email address. Additional PII is determined entirely by the customer and/or supplier that serves as the data controller. The data entered in the application is supplied by the customer, worker, or supplier and processes exist to rectify inaccuracies.

Data Retention and Erasure
SAP Fieldglass allows customers to identify which fields contain personally identifiable information (PII). SAP Fieldglass functionality allows each customer to determine how long certain PII data will be stored and may anonymize the contents of PII fields at the time of their choosing. Only the users with the relevant permissions, as chosen by the customer or supplier, will be able to perform this action.

Geographical Requirements and Data Transfer
SAP Fieldglass has data centers in the US and the EU, and customers can specify the hosting center in which they want their data to reside.

Integrity and Confidentiality
Encryption, data backup and role-based access are only some of the technical and non-technical controls implemented to protect customer, supplier, and worker data.

Breach Notification
SAP Fieldglass’ mature and tested incident response process is based on NIST standards and ensures that data breach notifications are made without undue delay as stipulated by GDPR.

What does the implementation cost to add these GDPR-related product enhancements?

There is no implementation cost for these new product enhancements as they are included in your existing cloud subscription.

How does this impact SAP Fieldglass’ operations?

The security and privacy of our customers’ data lies at the very core of our business. The new requirements do not impact our operations – they simply verify the protections we already have in place and provide clear guidance for our future path.