The recently updated New Zealand Privacy Act 2020 will come into effect on 1 December 2020. A particular challenge is the complexity of SAP systems that can make a compliance project feel overwhelming, especially if you don’t have the right data privacy tools.
Read about the steps you can take to get your SAP systems compliant.
About the Act
The New Zealand Privacy Act 2020 is an update from the 1993 version. It adds a number of changes to align it better with global trends in privacy legislation, mostly set by the GDPR.
The key changes highlighted by the Privacy Commissioner include:
- Notifiable privacy breaches: When a privacy breach occurs where there is a significant risk for the data subjects, you are required to send a breach notification to the Office of the Privacy Commissioner.
- Compliance notices: The Privacy Commissioner now has the power to issue your organisation with compliance notices. These notices may force you to take an action, or stop doing something, so that you comply with the law.
- Enforceable access directions: The Privacy Commissioner can also now force your organisation to give data subjects access to their data. This is so that complaints can be resolved more quickly.
- Regulations on disclosing information overseas: Privacy Principle 12 was added to regulate cross-border transfers. Whenever your organisation sends data overseas, you must be able to guarantee the same level of protection where the data is sent as it would get in New Zealand. There are some challenges here, especially when it comes to the legal protections that are missing in countries like the United States.
- Extraterritorial effect: The Act now expressly applies to international organisations as well if they process the personal information of New Zealand citizens.
SAP Compliance in Five Steps
When it comes to SAP and compliance, it can seem daunting at first. SAP, with its disparate data tables and deployment from development servers to production, tends to complicate the effort.
Even though you run SAP systems, compliance is a process problem. Given the new legal parameters, you have limitations on the way that you process personal information. Those limitations need to be worked into your existing processes, which will affect the technology you use.
In broad strokes, compliance projects track data from its source, through its processes, to its destination.
Mapping your data
The first step in your compliance project is to map your data objects. At this stage, your primary concern is understanding what your data looks like, where it comes from, and what you are doing with it. To that end, when mapping your data objects, do so with the following in mind:
1. Sources and source categories
Where does the personal data come from? Are you collecting it automatically? Does it come from publicly available sources? Do you use online forms? Are you perhaps collecting data directly from individuals via phone or paper forms?
Each source has its own legal requirements, which implies that you need to define every data source that could potentially contain personal information.
Once identified, you can categorise the sources accordingly, such as all public sources, all direct sources, or all offline sources.
2. Data objects and field identifiers
In this exercise, you define the data objects in your system that contain personal information in the form of generic models. For example, you may have a data object for a ‘system user’ that could contain a first and last name. You could also have an object called ‘client’ that contains a physical address alongside other details.
Once your main data objects have been identified, you need to identify the fields for each object that can be regarded as personal information (which the Act simply defines as information about an identifiable individual).
The purpose of this is to have a clear understanding of the various fields that could cause harm during a breach and may require special treatment to bring the processing of this data in line with the Act.
3. Flows and processes
At this point, you know the sources of your data, including the points of collection. You also know which data objects contain personal information, and which fields are regarded as personal information.
Here you want to create high-level process maps for each data object to map what happens to the data throughout its lifecycle. Do you use this personal information for marketing efforts? Is it used for accounting purposes? What happens when the data becomes redundant or is found to be incorrect? How do you manage archiving?
Take into account various risk factors, specifically breaches, loss of data, and incorrect data retention policies.
You also need to map out the specific required processes of the Act, namely data requests (requesting data records, correcting records, deleting records).
After mapping your data, you will have enough clarity to understand how your processes need to change for compliance, as well as understand the risk your organisation faces when it comes to potential breaches or other legislative risks.
Updating policies and contracts
A primary requirement of the New Zealand Privacy Act 2020 is that your approach to data privacy is explicit and easily accessible.
After mapping your data, you need to update at least the following documents:
- Your privacy policy, which needs to be made easily accessible to your data subjects
- Your cookie policy that clarifies how you use cookies on your website, including the ways in which such data can be used to identify individuals
- Vendor and client contracts with data privacy clauses referencing the purpose of collecting personal information, and the rights the data subjects have with regards to the personal information they share
- Employee contracts with data privacy clauses that explain the purpose of collecting their information, as well as their obligation to act lawfully when interacting with personal data as employees.
Be sure to perform a more in-depth review of the type of documents and forms of communication your organisation uses, so that you can include any additional updates.
Implementing required processes
The requirements of the Act imply that a number of processes need to be implemented if you want to be compliant. You can use the following non-exhaustive list of processes as a starting point:
1. Data subject awareness:
Communicating your data privacy policies to the data subject throughout the lifecycle of their information on your systems.
2. Data subject requests:
a. Request for access to data: You must be able to present the data subject with a report on the data that you hold once you have confirmed the identity of the data subject.
b. Request for corrections: You must have a process in place to ensure the integrity of data across systems.
c. Request for deletion: You must have a process in place to manage the complete removal or de-identification of personal information when you receive a valid request. Note that you must also have a response to deletion requests in cases where you are unable to delete information (for example, when you are required by law to retain the information).
3. Data retention:
Data retention differs across data classes. Where possible, you need to automate data retention policies and ensure that data that may no longer be held is fully de-identified or deleted.
4. Data security:
a. You need to implement appropriate GRC mechanisms to manage user access
b. Data needs to be effectively secured during development and testing
c. Security needs to be implemented or reviewed for data storage outside of New Zealand to ensure that physical and legislative measures are in place
d. You need to define a data breach procedure, including a definition of significant harm as it applies to your circumstances, and an appropriate response to breaches.
5. Data integrity:
The data you hold on people needs to be reviewed for corrections on a regular basis to ensure that it is correct in the event of an access request.
Updating your systems to accommodate the new processes
Every process you identify in the previous step will have an impact on the way that your systems are operated. In many instances you will need to implement new tools or change the system in a way that allows you to keep the personal information on your systems secure and compliant.
Some examples of SAP system changes you may consider include:
- Automated data retention policies
- Tools to extract specific data across your landscape
- Tools to scramble or mask data, especially during testing
- Tools to delete data across your landscape
- GRC tools to ensure that your user access risk is reduced
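The retention, deletion and masking processes described above (data retention per data class, deletion requests that cannot be fully honoured because of a legal retention duty, and scrambling personal fields for test copies) are easier to reason about in code. The following is an added illustration, not code from the article or from any SAP tool; the data classes, retention periods and the set of personal fields are assumed values that an organisation would take from its own data-mapping exercise.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
import hashlib

# Assumed retention periods per data class, in days (constructed for this example;
# the Act sets no fixed periods, so each organisation defines its own).
RETENTION_DAYS = {"marketing": 365, "client": 7 * 365, "employee": 7 * 365}
# Fields classified as personal information in the data-mapping step (assumed).
PERSONAL_FIELDS = {"first_name", "last_name", "address", "email"}

@dataclass
class Record:
    data_class: str      # drives the retention period
    last_activity: date  # start of the retention clock
    legal_hold: bool     # True when law requires the record itself be kept
    fields: dict

def retention_action(record: Record, today: date) -> str:
    """Return 'retain', 'delete' or 'deidentify' for one record."""
    if today - record.last_activity <= timedelta(days=RETENTION_DAYS[record.data_class]):
        return "retain"
    # Past retention: delete unless a legal obligation blocks deletion, in which
    # case only the personal fields are stripped and the rest of the record stays.
    return "deidentify" if record.legal_hold else "delete"

def deidentify(fields: dict) -> dict:
    """Blank every field classified as personal information."""
    return {k: (None if k in PERSONAL_FIELDS else v) for k, v in fields.items()}

def mask_for_test(fields: dict, salt: bytes) -> dict:
    """Replace personal fields with salted pseudonyms for a non-production copy.
    Equal inputs give equal tokens, so keys still join across tables in the test
    landscape, but the value cannot be recovered without the production-only salt."""
    masked = {}
    for k, v in fields.items():
        if k in PERSONAL_FIELDS and v is not None:
            masked[k] = k + "_" + hashlib.sha256(salt + str(v).encode()).hexdigest()[:12]
        else:
            masked[k] = v
    return masked

def apply_retention(records: list, today: date) -> list:
    """Drop expired records, de-identify held ones, keep the rest unchanged."""
    kept = []
    for r in records:
        action = retention_action(r, today)
        if action == "deidentify":
            kept.append(replace(r, fields=deidentify(r.fields)))
        elif action == "retain":
            kept.append(r)
    return kept
```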
Communicating the changes to your data subjects
As a final step, you must communicate the changes in your policies and systems to your data subjects. Different types of data subjects will receive different types of communications, so be sure to adapt your messaging to your audience. For example, your message to your staff members will be different to the message to your vendors or clients.
Simplifying the complications
We understand data privacy compliance in large organisations, especially when it comes to complex SAP systems. To understand your options, read our white paper on making compliance easier from an SAP perspective.

Author: Gericke Potgieter
Bio: Gericke is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics.
He has spent most of his career in IT, strategy consulting and software development.