In May 2018 the European Union enforced its laws on data privacy to protect its citizens in an environment that is increasingly based on information and data. Media coverage of topics like the General Data Protection Regulation (GDPR) includes examples of major technology and social media companies that have already had to justify and transparently disclose their usage and retention policies for personal data to European authorities.
As the strategic solution for Enterprise Data Warehousing, SAP BW/4HANA of course may persist data to help customers establish a single point of truth and a company-wide, consistent corporate memory as a basis for any kind of analytics. Thus, data protection and privacy are key in SAP BW/4HANA.
Key capabilities to support our customers here are:
- a flexible and granular concept of Analysis Authorizations being able to authorize the access of each individual consuming data from SAP BW/4HANA
- Read Access Logging (RAL) to log access to data which was identified as sensitive and to recognize violations of data protection regulations
- functionalities to selectively delete personal data from all relevant data targets including master data objects
- ‘Where-used’ list to securely identify all data targets containing sensitive data to be deleted
All those functionalities help SAP BW/4HANA customers handle sensitive data (see also the SAP BW/4HANA security guide). With SAP BW/4HANA 2.0 a new toolbox is introduced – the Data Protection Workbench.
From a SAP source system perspective there is already a powerful and integrated solution available to orchestrate archiving and deletion processes for sensitive data, which is SAP ILM. With SAP BW/4HANA 2.0, the missing piece to integrate SAP BW/4HANA and SAP ILM has been shipped: whenever sensitive data is deleted in a SAP source system, SAP BW/4HANA 2.0 administrators are informed and can trigger the corresponding deletion activities.
The Data Protection Workbench provides exactly these capabilities. It is an integrated solution to consistently delete data replicated from supported operational SAP source systems, and it reduces administration effort by providing a modern UI seamlessly integrated in the Administration Cockpit.
Let’s take a closer look at the process behind the Data Protection Workbench to get a better understanding of how it works, focusing on SAP BW/4HANA.
The Data Protection Workbench – behind the scenes
All objects needed to configure and operate the Data Protection Workbench in SAP BW/4HANA are shipped as part of the technical content of SAP BW/4HANA 2.0.
I do not want to dive too deep into the configuration on the source system side and SAP ILM. However, two main steps need to be considered:
- On the SAP source system side, the characteristics containing sensitive data need to be identified and corresponding ILM objects must be created (e.g. CUSTOMER).
- The ILM objects need to be assigned to the BW DataSources containing those characteristics, which therefore might replicate sensitive data into SAP BW/4HANA.
Doing so, the Data Protection Workbench in SAP BW/4HANA can resolve the complete data flows (starting from the DataSources) and display them graphically for much better orientation and transparency when it comes to deletion of the data.
Once SAP ILM has been successfully configured for a given characteristic, a so-called ‘notification’ is generated for each characteristic value which has been deleted. Those notifications are collected and persisted centrally and can be extracted with a SAP BW/4HANA DataSource which is part of the technical content of the Data Protection Workbench.
In SAP BW/4HANA there are basically two advanced DSOs where the incoming notifications are consumed. In the first ADSO (technical name: 0DPPNOT_I) all notifications from the source system are stored. This data can be replicated to the second ADSO (technical name: 0DPPNOT_R) which is the basis for the Data Protection Workbench. In this ADSO only those notifications are propagated where the corresponding DataSources replicate data for the given characteristic value to SAP BW/4HANA.
The Data Protection Workbench – look and feel
The Data Protection Workbench has its own section in the SAP BW/4HANA Administration Cockpit.
From here you can directly access the notifications (right tile) which already have been replicated to SAP BW/4HANA. The first tile represents the worklists already created. Worklists can flexibly be created to group and organize similar notifications for a joint processing.
Before the sensitive data can be sequentially deleted from its data targets, a new worklist must be created:
To create a new worklist, the notifications which should be part of it must be selected:
Having selected the notifications, the worklist can be saved and used just by opening the list from the overview. Based upon the association of ILM Object and DataSource(s) the Data Protection Workbench resolves the complete dataflow(s) and displays them graphically for better orientation and transparency.
There are different actions which can be performed on each InfoProvider. For example, logs can be displayed to resolve possible errors from former deletion jobs. Behind the ‘Actions’ button there are multiple functionalities which can be executed:
- Determine Keys: Should be executed before selective deletion to process possible calculations the values might have gone through during a Transformation on the way to SAP BW/4HANA.
- Show records: Displays records which are going to be deleted
- Perform Selective Deletion: Selectively deletes the data in the given InfoProvider
- Perform Selective Deletion with Propagation: Selectively deletes the data in the given InfoProvider and propagates deletion in succeeding InfoProviders.
- Mark as complete: Is just a manual status which can be set by the Administrator to indicate the current processing status. This status can also be set for a complete worklist.
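A conceptual model of the notification filter between the two ADSOs and of selective deletion with propagation, added here as an example; it is not SAP code and uses no SAP API. All object names and sample records are constructed, and it assumes the characteristic value reaches every target unchanged, which is the case ‘Determine Keys’ exists to handle otherwise.

```python
from collections import deque

# Constructed sample landscape; every object name here is hypothetical.
DATASOURCE_ILM = {"DS_CUST_ATTR": "CUSTOMER", "DS_SALES": "CUSTOMER", "DS_PLANT": None}
REPLICATED = {"DS_CUST_ATTR": {"C100", "C200"}, "DS_SALES": {"C100"}, "DS_PLANT": set()}
FLOW = {"DS_CUST_ATTR": ["MD_CUSTOMER"], "DS_SALES": ["SALES_RAW"],
        "SALES_RAW": ["SALES_CORE"], "SALES_CORE": ["SALES_REPORT"]}

def sample_store():
    """Constructed records held by each data target."""
    return {"MD_CUSTOMER": [{"CUSTOMER": "C100"}, {"CUSTOMER": "C200"}],
            "SALES_RAW": [{"CUSTOMER": "C100", "AMOUNT": 10}],
            "SALES_CORE": [{"CUSTOMER": "C100", "AMOUNT": 10}],
            "SALES_REPORT": [{"CUSTOMER": "C100", "AMOUNT": 10}]}

def relevant_notifications(inbound):
    """Keep only notifications whose value some assigned DataSource replicated
    (the step from the inbound store to the workbench store)."""
    return [(obj, val) for obj, val in inbound
            if any(DATASOURCE_ILM[ds] == obj and val in REPLICATED[ds]
                   for ds in DATASOURCE_ILM)]

def downstream(node):
    """All data targets reachable from node, breadth-first, without repeats."""
    seen, queue = [], deque(FLOW.get(node, []))
    while queue:
        cur = queue.popleft()
        if cur not in seen:
            seen.append(cur)
            queue.extend(FLOW.get(cur, []))
    return seen

def affected_targets(obj, val):
    """Where-used list: targets fed by a DataSource that replicated this value."""
    targets = []
    for ds, ilm in DATASOURCE_ILM.items():
        if ilm == obj and val in REPLICATED[ds]:
            targets += [t for t in downstream(ds) if t not in targets]
    return targets

def delete_with_propagation(store, start, field, val):
    """Delete matching records in start and in every succeeding target."""
    for target in [start] + downstream(start):
        store[target] = [r for r in store.get(target, []) if r.get(field) != val]

def residual(store, obj, val):
    """Targets still holding the value; must be empty before marking complete."""
    return [t for t in affected_targets(obj, val)
            if any(r.get(obj) == val for r in store.get(t, []))]
```

Running `residual` after each deletion shows why a worklist covers every data flow of the ILM object: deleting along the sales flow alone leaves the value in the master data target.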
Finally, the Data Protection Workbench, which was shipped in its first version with SAP BW/4HANA 2.0 at the end of February 2019, is a huge step forward in supporting our customers to be compliant with Data Protection and Privacy regulations. There are plans to downport this functionality to the latest SAP BW 7.5 releases after launching it with SAP BW/4HANA 2.0.