Users fear SAP systems make GDPR compliance harder to achieve

EU flag in front of building

Customers are becoming increasingly concerned about the security and compliance of their SAP systems, as incoming data protection rules get ever closer.

The EU's General Data Protection Regulation (GDPR) will apply in the UK and elsewhere less than a year from now, and the rush to comply is causing some alarm among the ERP giant's users.

GDPR will introduce new fines of up to 4% of turnover or 20 million for data breaches and for failing to comply with the stricter data protection legislation, which seeks to hand more control to people over how organisations can use their personal information.

But an overwhelming 86% of SAP users said they don't understand GDPR's implications for their current and future SAP landscapes, according to a survey of 102 customers conducted by the UK & Ireland SAP User Group.

Half of respondents admitted their compliance and security concerns are greater now than they were a year ago, while 55% cited their growing use of SAP cloud and mobility tools as security challenges and 57% said it was an obstacle to compliance.

"With the continued growth of cloud computing and increasingly mobile workforces, it is a challenge for organisations to fully understand where their data is residing and how it is being accessed," said Brian Froom, audit, control and security special interest group chair at the UK & Ireland SAP User Group.

While the user group and SAP will work together to offer customers best practice to help them navigate GDPR successfully, Froom said SAP might not be in a position to offer guidance to struggling customers, because it's grappling with the compliance challenges itself.

"They are trying to figure this out as well," he told IT Pro. "They have not only their own customer data which has to comply, [but] must fully secure solutions for customers as well."

SAP access control was a chief concern among customers, cited by 70% of respondents, while 73% pointed to the challenge of balancing workforce mobility with a secure and compliant SAP landscape.

Froom explained that access control creates potential issues under GDPR, which considers IP addresses and business emails to constitute personal data, requiring opt-in consent.

SAP does have a governance, risk and compliance module, but only 47% of respondents were using it - 35% said it was too expensive, and 18% deemed it too complex.

SAP UK & Ireland's COO, Simon Niesler, said: "We appreciate customer concerns about the implications of GDPR. The more bureaucracy and complexity you have in your business segment, the harder it is to grow quickly, and speed is what matters today. This is why we want to work closely with our customers to ensure they have the right technology infrastructure in place that meets both local and global legislative needs.

"There may be local regulations, but we need these issues solved on a global basis, and SAP is working with the international community on behalf of its customers and partners to do so."

The user group is holding an event called Securing Your Systems in the Digital World in Birmingham on 5 July, where experts will be on hand to offer advice on GDPR.