Expert interview with
Three questions put to Fritz Mosonyi, SPP Handelsges.m.b.H., Vienna
1. Which company units will be most affected by the DSGVO (Datenschutzgrundverordnung) when it comes to decision-making?
Answer FM: If the issue is taken seriously – and the punishments enterprises could face lead to the assumption that this is the case – data protection runs through the whole company. However, areas where the majority of person-related data are administered will surely be most affected. Depending on the industry, these areas are HR, sales and marketing. They administer data, whereas the IT department is most often a service provider. HR, sales and marketing must therefore be the driving force and demand from IT that it meet all necessary requirements regarding cost-effective protection with state-of-the-art technology. I do, however, note that the DSGVO issue is instead powered by IT, and thus perceived as an IT subject. The responsibility, nevertheless, according to the DSGVO, clearly lies with the management. Therefore, it is a challenge to the management to create the framework, issue necessary guidelines and support the upcoming compliance project by providing appropriate resources.
2. Will companies have to rely on SAP tools for the implementation of monitoring or do alternatives exist?
Answer FM: SAP offers a variety of solutions in order to meet the demands of the DSGVO. However, SAP landscapes are no longer simple three-system landscapes but complex structures put together out of a number of different systems.
In order to fulfill certain requirements set by the DSGVO, a first necessary step is extensive documentation of data flows on the basis of the processes. Those processes almost always involve different SAP systems, as well as non-SAP systems. The emerging picture – the processing register – serves as a basis from which one can then determine so-called technical-organizational measures (TOM), taking into consideration the estimable risks.
SAP offers a good collection of tools and possibilities within the SAP world. However, when borders are crossed, interfaces are exceeded, even within one's own system landscapes, these tools can be less practical. What if the data are well-protected within the ERP, but any user is able to export files as PDF? This simple but commonplace example demonstrates where problems exist.
3. Do companies pay sufficient attention to the issue of Change Management?
Answer FM: In some enterprises they do, in the majority of companies still not. The increasing number of changes, the growing complexity of system infrastructures – but a non-growing number of IT staff; the increasing requirements for compliance – DSGVO being just another one – all this together is reason enough to implement automatization of a change process to achieve added value within a short time. And next to all this, highly topical, the very rapidly advancing digitalization which will make processes faster again and enhance IT usage further – and as a result we will become still more dependent on IT.