Comply with GDPR requirement using SAP Information Lifecycle Management
1. GDPR Overview
What is GDPR?
General Data Protection Regulation (EU Regulation 2016/679) is a cumulative compliance requirement toward EU Data protection. A unified framework instead of individual country specific regulation with EU. GDPR comes into effect from 25th of May 2018. It gives individual the control and protection of their personal data
Who is impacted?
Any company that does business with European citizens – regardless of the location gets impacted with GDPR. It also applies to Natural persons, irrespective of their nationality or place of residence in the EU.
What information does the GDDPR Applies to?
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible on a specific criteria.
The GDPR refers to sensitive personal data as “special categories of personal data” (Article 9 of EU GDPR regulation). These categories are broadly the same as those in Data protection act, (DPA) with some minor changes to it.
Possible Impact of non-compliance.
Penalty up to 4% of annual global revenue or €20 million whichever is greater
1.1. GDPR Requirement for Personal / Special Personal Data management.
GDPR has a well-defined requirement to protect the personal & special personal data with some new rights for individuals and also strengthens some of the rights that currently exist under the DPA.
|1. The right of access||2. The right to rectification||3. The right to erase||4. The right to restrict processing|
|5. The right to restrict processing||6. The right to data portability||7. The right to object||8.Rights in relation to automated decision making and profiling|
1.2. SAP Solution for the GDPR compliance
There is no single solution to GDPR compliance; however, combination of multiple compliance product stacks from SAP & SAP Partner extension can address the overall GDPR requirement.
The below picture depicts a High-level overview of the SAP Solution covering the critical aspects of Data Management and Security.
2. SAP ILM – Solution to GDPR Data management
Data management in accordance with GDPR has two critical requirement; Data retention and Right to be forgotten. Data retention requirement can be addressed by the standard SAP ILM feature , which defines policies, rules and destruction of qualified data at end of the retention period. SAP ILM blocking and deletion functionality addresses the requirement around “Right to Be Forgotten”, which means delete the data that has fulfilled the intended purpose and when deletion is not possible for data that are required for legal/compliance, then block the data to allow the Display access by the authorized person.
2.1. SAP ILM Capabilities of GDPR
- Manage all archiving, retention and deletion policies across the enterprise
- Automate deletion of data based on policies
- Enforce retention policies required by other regulations
- Execute e-discovery and set legal holds
- Use secure ILM*-aware storage (partner offerings)
End-of-purpose check utilized as a major step towards the “right to erasure” in SAP systems
Reduced with preconfigured content and optimized IT landscapes
Lowered through reduced hardware demands and software maintenance
2.2. Data lifecycle at a Glance
The typical SAP data lifecycle space from data creation to data destruction and until End of Business, the data is active in database. The inactive data qualifies for archiving once the data surpasses the resident time and the archived data qualifies for destruction at the end of retention period.
With GDPR compliance requirement, it is mandatory to comply with the critical requirement of deletion of data that is no longer required for the given business purpose. This mandates an additional control in the system that would allow defining a status “End-of-Purpose”.
SAP ILM with enhanced feature addresses the GDRP requirement to Block and Delete the data that are no longer required in the system and has reached the End-of-Purpose.
2.3. Simplified Blocking and Deletion using SAP ILM
“ILM” Business function along with “ILM Blocking and Deletion” Business function along with relevant business function for ERP enables the following:
- Define sophisticated policies and rules for archiving, deletion and retention that incorporate requirements from multiple regulations
- Delete both personal data and any associated content such as invoices, emails, and social media content
- Setup access controls and encryption of archived data
- Reduce the cost and risk of data access and portability requests by automating data collection
- Maintain audit trails and reporting capabilities for documenting deletion of personal data
2.4. ILM Blocking and Deletion process for live data in database:
The approach to configure and use simplified blocking and deletion depicted below, if this 5 step process is followed, then the data that has reached the End of Purpose can be either deleted (if all retention requirements are met) or can be blocked if the data is required for an legal and compliance requirement.
2.4.1. End of Purpose Check (EoP)
An end of purpose check determines whether data is still relevant for business activities based on the retention period defined for the data.The retention period of data consists of the following phases:
Phase one:The relevant data is actively used.
Phase two: The relevant data is actively available in the system.
Phase three: The relevant data to be retained for other reasons.
Blocking of data prevents the business users of SAP applications from displaying and using data that may include personal data and is no longer relevant for business activities.
Blocking of data can affect system behavior in the following ways:
- Display: The system does not display blocked data.
- Change: It is not possible to change a business object that contains blocked data.
- Create: It is not possible to create a business object that contains blocked data.
- Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business object that contains blocked data.
- Search: It is not possible to search for blocked data or to search for a business object using blocked data in the search criteria.
2.5. ILM Blocking and Deletion process of data in archive:
Similar to that on blocking and deletion of the data in the database; Blocking of archived data (after end-of-business) is possible if there is a request from data subject to delete the data and destruction of data is not possible due to legal requirement by enabling blocking functionality and additional authorization control at the retention rule. Only authorized users can display the data in archive that is blocked.
SAP ILM is the solution to address the critical requirement around Lawful processing and comply with the individual rights for the personal and special personal data.
In addition, on broader perspective, though there is no single solution from SAP to address all compliance requirement, SAP customers can achieve GDPR compliance by using the various SAP data management and compliance/Security products.
2122906 – ILM: List of ILM objects with assigned archiving/data destruction objects
2007926 – Simplified Blocking and Deletion of Customer / Vendor Master Data
1825608 – Simplified Blocking and Deletion of Central Business Partner
2167473 – User-specific locking of display of archived personal data