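Today I would like to share the success story of a Hong Kong company: Crystal International Group (2232.HK). Crystal Group was founded in 1970 by Mr. Lo Lok Fung and Mrs. Lo Choy Yuk Ching. In its early days, Crystal Group was just a garment maker in Hong Kong with only a few sewing machines and knitting machines. Half a century later, having lived through the garment boom of the 1960s and 1970s and having watched many Hong Kong factory owners washed away in recent years, Crystal Group is still standing, and its business keeps growing. Crystal Group listed in Hong Kong in 2017 and is one of the few local companies able to go public on garment manufacturing alone. Its current customers include H&M and Uniqlo, its annual sales revenue reaches US$2.5 billion, it has factories in more than 20 locations around the world and about 80,000 employees, and it produces nearly 350 million garments a year, a very large operation indeed. Even more encouraging, when Fortune magazine named its "50 Companies Changing the World" in 2016, Crystal Group ranked 17th, standing alongside well-known companies such as Nike, Nestlé, Coca-Cola, Intel, Walmart and Siemens, which shows that Crystal Group is far more than just a "factory boss".

A few thousand words can never fully explain the factors behind Crystal International Group's success. But if its best-known and most important factor had to be summed up, it would be Mr. Lo's business philosophy.

In the 1950s the group's chairman, Mr. Lo Lok Fung, first arrived in Hong Kong with his father. Life was hard in the early days, and they even lived near farms or in squatter areas. There were many brothers and sisters in the family, and as the eldest son Lo Lok Fung naturally took on part of the family's responsibilities, both looking after his siblings and sharing his parents' financial burden, which was certainly not easy and is moving. It was exactly this upbringing that cultivated his unyielding attitude and his spirit of putting the greater good first, and that made possible this story of building a business from nothing and his sincere and attentive care for his employees.

Mr. Lo Lok Fung advocates "putting the greater good first". He never gives up in the face of difficulty and never cuts corners, and he insists on running a business with integrity, a business with a conscience and an environmentally responsible business. Step by step he has reached where he is today, turning what others called a sunset business into a sunrise business. In addition, the whole Crystal Group team follows a "people first" philosophy and places great weight on developing talent. Lo Lok Fung has said that the group has about 80,000 employees around the world with different cultural backgrounds, so the group promotes care and inclusion among its staff. "First of all we must respect their diverse cultures and strictly uphold the principles of 'people first' and 'share together, care together, grow together'," Lo Lok Fung said. Crystal has always worked hard to develop talent, attracting many capable people through effective human resources strategies. At the same time, through training and other measures, it carefully nurtures people with potential and adds value for front-line employees, ensuring that Crystal's talent can develop sustainably.

Crystal Group also encourages its employees to dare to try, to learn from their mistakes and to keep moving forward. They advocate discarding the old and embracing the new, and believe that success depends on human effort: as long as you persevere, you need not fear mistakes, and you can then innovate through those mistakes and keep improving. This is also why Crystal Group is still able to stand tall in this declining sunset industry. Crystal…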
A step-by-step guide to make sure your SAP system is GDPR-compliant
When the European Union’s General Data Protection Regulation (GDPR) went into effect in May last year, the scale of the penalties and size of the potential fines sent shivers down the spine of many enterprises – not just in Europe, but all over the world. The mere fact that a business isn’t physically located in the E.U. won’t get it off the hook if it accidentally or intentionally infringes the rules.
The E.U. is taking things seriously. In July it announced plans to fine British Airways GBP 183.38 million (HK$1.788 billion) for an alleged breach of the GDPR. The next day it announced its intention to fine Marriott International GBP 99 million (HK$965 million). And, while Hong Kong firms have been spared so far, that doesn’t mean local businesses can afford to ignore the implications of GDPR.
The question for some SAP users is what to do and where to start. The answer is to start at the beginning, and take it one step at a time!
Step 1 – Define In-Scope SAP Data
A preparation plan starts by identifying all the SAP environments, clients, master data tables, and fields containing personal information of European residents, even customized z-tables and z-fields. All SAP systems such as SAP ERP Central Component (ECC), Business Intelligence (BI), Customer Relationship Management (CRM), and other solutions should be included in the preparation project. Backups, legacy systems, and archives of SAP databases should also be included in the planning. Digitized documents integrated into SAP containing private information should also be covered.
The quantity and quality of sensitive personal data to protect differs widely between industries and legal areas. Certain sectors, such as healthcare, insurance, banking, recruitment, and marketing, deal with a high volume and wide variety of personal information.
During scope planning, it is important to validate with the business owners, for the impact assessment, why the personal information is collected. Confirming the specific and legitimate needs for keeping personal information with business experts is highly advisable.
Also, understanding the business need for each type of information helps to define responsible contact and data retention requirements and to show how data is transferred and interfaced between the SAP system and other systems and organizations. Reducing the amount of personal information will facilitate the preparation by mitigating risk in the SAP system.
Step 2 – Monitor How an SAP System Exports and Transfers Personal Data
Compliance with GDPR requires the auditing of SAP logs to detect risky behavior by users. All downloads of private information should be strictly justified by a business need, protected, erased when no longer needed, and authorized by the compliance function. For instance, exporting reports by the SAP List Viewer (ALV) without a legitimate business justification is considered a data breach that should be reported.
A GDPR preparation project should plan how, by whom, and how often the SAP security logs will be reviewed for downloaded data with private information. The protection of downloaded sensitive information outside the SAP system is a related issue to address in a readiness plan.
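The periodic review described in Step 2 can be scripted. The following is an added example, not code from the original article or from SAP: it checks download events against approvals recorded by the compliance function. The CSV layout, user names, report names and ticket numbers are constructed for illustration and are not an SAP log format.

```python
import csv
import io
from datetime import date

# Constructed sample: a simplified CSV export of download events. The column
# names are assumptions for this example, not an SAP log format.
SAMPLE_LOG = """date,user,report,table,rows,ticket
2019-08-01,JCHAN,ZHR_PAYLIST,PA0002,1200,
2019-08-01,MWONG,ZSD_ORDERS,VBAK,300,
2019-08-02,APATEL,ZHR_PAYLIST,PA0002,15,GDPR-104
2019-08-03,JCHAN,ZCRM_CONTACTS,KNA1,48000,GDPR-077
"""

# Tables identified in Step 1 as holding personal data (constructed list).
IN_SCOPE_TABLES = {"PA0002", "KNA1"}

# Approvals recorded by the compliance function: ticket -> (user, expiry date).
APPROVALS = {
    "GDPR-104": ("APATEL", date(2019, 12, 31)),
    "GDPR-077": ("JCHAN", date(2019, 7, 31)),  # expired before the download
}

def review_downloads(log_text, in_scope, approvals):
    """Return (user, date, table, reason) for each unjustified in-scope download."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["table"] not in in_scope:
            continue  # no personal data involved
        ticket = row["ticket"].strip()
        when = date.fromisoformat(row["date"])
        if not ticket:
            reason = "no justification recorded"
        elif ticket not in approvals:
            reason = "unknown approval reference"
        elif approvals[ticket][0] != row["user"]:
            reason = "approval issued to a different user"
        elif approvals[ticket][1] < when:
            reason = "approval expired"
        else:
            continue  # justified and authorized
        findings.append((row["user"], row["date"], row["table"], reason))
    return findings

if __name__ == "__main__":
    for finding in review_downloads(SAMPLE_LOG, IN_SCOPE_TABLES, APPROVALS):
        print(finding)
```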
Step 3 – Define Action Plans to Anonymize Personal Data
The GDPR recommends the use of data pseudonymization to prevent unauthorized access to personal data. Pseudonymization is a technique whereby the personal data records are replaced by dummy codes to make it impossible to identify the people in question. Pseudonymization still allows some authorized relevant users to display the original master data.
This is particularly relevant for non-production environments, such as when granting access to developers, testers, functional analysts, and contract workers. Encryption and data scrambling are also valid action plans, and SAP offers solutions for protecting data in development and testing environments (e.g., SAP TDMS HCM 4.0).
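The pseudonymization described in Step 3, as an added example that is not part of the original article and is not how any SAP product implements it: personal values are replaced by keyed dummy codes for a test copy, and only an authorized role can map a code back to the original. The field names, role names and key are assumptions constructed for this sketch.

```python
import hashlib
import hmac

class Pseudonymizer:
    """Swap personal values for keyed dummy codes; keep a guarded reverse map."""

    def __init__(self, key: bytes, authorized_roles):
        self._key = key
        self._authorized = set(authorized_roles)
        self._vault = {}  # dummy code -> original value; never copied to test systems

    def code_for(self, field: str, value: str) -> str:
        # A keyed HMAC gives the same code for the same value, so joins across
        # tables survive, but the code cannot be recomputed without the key.
        mac = hmac.new(self._key, f"{field}|{value}".encode(), hashlib.sha256)
        code = f"{field.upper()}-{mac.hexdigest()[:16]}"  # shortened for readability
        self._vault[code] = value
        return code

    def pseudonymize(self, record: dict, personal_fields) -> dict:
        return {k: self.code_for(k, v) if k in personal_fields else v
                for k, v in record.items()}

    def reveal(self, code: str, role: str) -> str:
        if role not in self._authorized:
            raise PermissionError(f"role {role!r} may not re-identify records")
        return self._vault[code]

# Constructed sample rows; field names and roles are assumptions for this example.
PERSONAL_FIELDS = {"name", "city"}
EMPLOYEE = {"emp_id": "1001", "name": "Anna Schmidt", "city": "Berlin", "grade": "E3"}
PAYSLIP = {"emp_id": "1001", "name": "Anna Schmidt", "net_pay": "3100.00"}

def build_test_copy(p: Pseudonymizer):
    """Return the pseudonymized rows that would be loaded into a test client."""
    return (p.pseudonymize(EMPLOYEE, PERSONAL_FIELDS),
            p.pseudonymize(PAYSLIP, PERSONAL_FIELDS))

if __name__ == "__main__":
    p = Pseudonymizer(b"constructed-demo-key", {"data_protection_officer"})
    emp, pay = build_test_copy(p)
    print(emp, pay, sep="\n")
    print(p.reveal(emp["name"], "data_protection_officer"))
```

The key and the reverse map are what make the codes reversible, so both stay in the production landscape under access control and are not shipped with the test copy.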
Step 4 – Define Action Plans to Block and Erase Personal Data
The GDPR requires organizations to erase personal data without undue delay when it is no longer needed or when an employee, client, or other third party objects to the inclusion of the data and exercises the right to be forgotten.
In an SAP system, personal information is not erased, but it is blocked to comply with document retention rules and to maintain the data integrity between tables. Once it is recorded in an SAP system, data cannot be properly erased in a legal sense. However, blocking information prevents further retrieval or processing.
Step 5 – Get buy-in from the top
The financial and human resources required for a GDPR preparation project will vary significantly, depending on the seriousness and complexity of the privacy risks. Getting support from senior management is critical for the success of such preparation efforts.
Last but not least
Experts in SAP systems should lead organizations in preparing changes in policies, people, and control practices to adopt the data protection principles mandated by the GDPR. Because the GDPR affects anyone handling the personal data of E.U. residents – whether they are based in the E.U. or not – identifying available options in your SAP system to mitigate the related compliance risks isn’t optional. The scale of sanctions and legal requirements mean that compliance is a must.