GDPR – Read Audit

In the digital world we live in, we like to have all data at our fingertips, but what data do we need in order to complete our work? What should we have access to? One of the seven key principles of GDPR is data minimization. This means that we should not store or collect more data about a user than what we need to run our business. The principle is designed to make sure companies limit what they store about a user. When you are creating your system, always ask yourself if you need the data that you want to store to run your operations. If the data is not needed to run your business operations, then it should not be stored.

The other question we should consider is who needs to be able to access the data. Does a financial controller need to see the name of an employee, or is a personnel number sufficient? This is handled via permission roles and groups in the system, but how can we check whether an employee with a certain level of access adheres to the compliance regulations of your company? Since the H1 2020 release, a read audit report has been enabled by default in all preview and production systems that can assist in checking who accessed sensitive data.

There are a few notes to keep in mind:

  • Read audit reports can have an impact on performance within a system, so it is critical that your test environment is free of any real user data. Real user data sometimes ends up in a test system when production is refreshed or copied to test.
  • The read audit reports only contain information that is considered sensitive by SAP. They do not include all personal data, data stored in custom fields, or data stored in country/region-specific fields.
  • For SuccessFactors Onboarding, only documents that contain sensitive personal data will be included in read audit reports.

Within SuccessFactors Onboarding, the following fields are considered sensitive:

  • Basic User Information
  • Ethnicity
  • Minority
  • SSN

Within SuccessFactors Employee Central, the following fields are considered sensitive:

  • Ethnic-group
  • Visible Minority
  • National ID

When creating a read audit report, you must first select the type of user.

  • For an employee or onboardee (Onboarding 2.0), choose Person Search
  • For an external candidate, choose External Candidate Search
  • For a new hire onboardee (Onboarding 1.0), choose Onboardee Search

When selecting Person Search there are two options: check whether a specific user's data was accessed, or check whose data was accessed by a specific user.


The last selections are which modules to include and the time range. The maximum time range is 7 days; if a larger time frame is needed, multiple reports must be created.
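As an added example (not part of this article or of SAP's own tooling), the following Python script shows how a reviewer might work with an exported read audit report: it splits a longer review period into the 7-day windows one report can cover, and flags rows where a field from the article's sensitive lists was read by a role that an assumed access policy does not permit. The column layout of the sample export and the role policy are assumptions, not something the article specifies.

```python
import csv, io
from datetime import date, timedelta

# Sensitive fields per module, as listed in the article.
SENSITIVE = {
    "Onboarding": {"Basic User Information", "Ethnicity", "Minority", "SSN"},
    "Employee Central": {"Ethnic-group", "Visible Minority", "National ID"},
}

# Hypothetical access policy (assumed, not from the article): which roles may
# read which sensitive field. The financial controller of the article's
# example needs a personnel number, not identity data, so gets no grant.
ALLOWED_ROLES = {
    "SSN": {"Payroll Admin"},
    "National ID": {"Payroll Admin", "HR Admin"},
    "Basic User Information": {"HR Admin", "Onboarding Admin"},
    "Ethnicity": {"HR Admin"}, "Ethnic-group": {"HR Admin"},
    "Minority": {"HR Admin"}, "Visible Minority": {"HR Admin"},
}

# Constructed sample export; the real column layout of a read audit report
# is not described in the article, so these column names are assumed.
SAMPLE_EXPORT = """accessed_at,accessor,accessor_role,subject,module,field
2020-06-01T09:12:00,u1001,Payroll Admin,e5001,Employee Central,National ID
2020-06-01T09:15:00,u1002,Financial Controller,e5001,Employee Central,National ID
2020-06-02T10:00:00,u1003,HR Admin,e5002,Onboarding,SSN
2020-06-02T11:30:00,u1002,Financial Controller,e5003,Employee Central,Job Title
"""

def audit_windows(start_iso, end_iso, max_days=7):
    """Split an inclusive date range into windows of at most max_days calendar
    days: one report covers at most 7 days, so longer ranges need several."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    windows, cur = [], start
    while cur <= end:
        stop = min(cur + timedelta(days=max_days - 1), end)
        windows.append((cur.isoformat(), stop.isoformat()))
        cur = stop + timedelta(days=1)
    return windows

def find_violations(export_text, policy=ALLOWED_ROLES):
    """Return rows where a sensitive field was read by a role the policy
    does not permit; non-sensitive fields (e.g. Job Title) are skipped."""
    violations = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["field"] not in SENSITIVE.get(row["module"], set()):
            continue
        if row["accessor_role"] not in policy.get(row["field"], set()):
            violations.append(row)
    return violations
```

Running `find_violations(SAMPLE_EXPORT)` on the constructed sample flags the financial controller's read of a National ID and the HR admin's read of an SSN, while the allowed payroll read and the non-sensitive Job Title read pass.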