GDPR at SAP Fieldglass
Supporting your journey to GDPR compliance
What is GDPR?
The General Data Protection Regulation (“GDPR”) is a European Union (EU) law designed to protect the personal data of EU residents and give them greater control over how their information is collected, processed, stored, and shared.
GDPR goes into effect on May 25, 2018 and applies to companies that collect or process the personal information of people residing in the EU, regardless of their citizenship. GDPR’s broad reach also extends to the processing activities of entities outside of the EU if such activities relate to individuals in the EU (or citizens thereof).
SAP Fieldglass was born in the cloud and has always emphasized data privacy and protections to safeguard data hosted in our cloud service. We have taken steps to address the new requirements of GDPR and are committed to ensuring compliance as a data processor.
How does GDPR affect SAP Fieldglass and our customers?
While SAP Fieldglass products will not in and of themselves make our customers GDPR compliant, SAP Fieldglass, as a data processor, delivers functionality to help data controllers operate our products in compliance with relevant legislation at a country or regional level. However, the onus is on the customer, as the data controller, to achieve compliance.
We help our customers address GDPR requirements by using technical measures within our solution as well as organizational measures through an enhanced security and privacy program. We have achieved the latter by adding ISO 27018 (protection of personally identifiable information in public clouds) and the Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR) certifications to our existing ISO 27001, SOC 1, SOC 2 Type 2 in Privacy, and SOC 3 audits.
Is SAP Fieldglass GDPR ready?
Data Minimization and Accuracy
The only personal information required to use the SAP Fieldglass Cloud Service is first name, last name, and email address. Any additional personal information is determined entirely by the customer and/or supplier that serves as the data controller. The data entered in the application is supplied by the customer, worker, or supplier, and processes exist to rectify inaccuracies.
Data Retention and Erasure
SAP Fieldglass allows customers to identify which fields contain personally identifiable information (PII). Each customer can determine how long particular PII fields are retained and can anonymize their contents at a time of its choosing. Only users granted the relevant permission by the customer or supplier are able to perform this action.
Geographical Requirements and Data Transfer
SAP Fieldglass has data centers in the US and the EU, and customers can specify the hosting center in which they want their data to reside.
Integrity and Confidentiality
Encryption, data backup, and role-based access control are only some of the technical and organizational controls implemented to protect customer, supplier, and worker data.
SAP Fieldglass’ mature and tested incident response process is based on NIST standards and ensures that data breach notifications are made without undue delay, as GDPR stipulates.
What does it cost to implement these GDPR-related product enhancements?
There is no implementation cost for these new product enhancements, as they are included in your existing cloud subscription.
How does this impact SAP Fieldglass’ operations?
The security and privacy of our customers’ data lies at the very core of our business. The new requirements do not impact our operations – they simply verify the protections we already have in place and provide clear guidance for our future path.