Configure information lifecycle for data privacy management in SAP Business ByDesign Cloud ERP
With 1911 release of SAP Business ByDesign Cloud ERP we introduce a new dimension to manage data privacy and the lifecycle of all data in your ERP system. To configure the information lifecycle based data privacy management you need to do the following:
- Business Configuration: Activate scoping element “Information Lifecycle Management”
- Business Configuration: Double check that you have activated the scoping question “Read Access Logging” under Security/System Management (this is unchanged but has been moved to the ILM work center)
- Business Configuration: Configure the new retention periods for business documents
- Assign information lifecycle management work center to the administrator or data privacy officer
- Double check that you have activated the read access log field groups (this is unchanged but has been moved to the ILM work center)
- Activate the document lifecycle KPIs for the data privacy officer or other users
- Data Disclosure: Configure personal data disclosure
- Frequently asked questions
Below you find detailed steps and screenshots on how to do this and a section with FAQs.
1. Activate scoping element “Information Lifecycle Management” (ILM)
The steps to activate ILM are:
- Go into business configuration.
- Open implementation project scoping
- Open System Management.
- Activate Information Lifecycle Management
2. Activate scoping question “Read Access Logging”
Read access logging can be activated as follows:
- Go to questions in business configuration
- Select Security under System Management
- Activate Read Access Logging
- Review and finish configuration in step 5
3. Configure retention periods for business documents
Retention period configuration can be done with the following steps:
- Go to overview in business configuration work center
- Search for “retention periods” and open the configuration
- Open the pre-defined retention groups and the assigned rules, set the periods for residence and retention
- Consider to create custom groups and to move rules into the new group
- Consider to create specific retention periods for certain companies
4. Assign ILM Work Center to the DPO
To give the data privacy officer access to the ILM work center do the following:
- Go to Access and User Management work center and select the data privacy user
- Select the Information Lifecycle Management entry
- Activate all views
- Save and log-on with the DPO user
5. Activate Read Access Log Field Groups
Logon as DPO:
- Go to Information Lifecycle Management work center
- Go to Read Access Field Group Configuration
- Activate the needed fields and generate the configuration
6. Activate Document Lifecycle KPIs for DPO
Logon as DPO or any other user which shall get access to the figures:
- Go to My Launchpad
- Go to personalization
- Open KPI and select the document volume related KPI
7. Personal data disclosure configuration
ByDesign offers multiple layers to configure which data shall be disclosed to natural persons and which not. In a nutshell SAP Business ByDesign enables you to:
- Disclose all data which has been stored about natural persons
- Use multiple levels of granularity and details for data disclosure
- Configure which data shall be exposed to the natural person and which not.
The following demo shows how to do this:
Personal data disclosure overview:
Personal data disclosure details (including configuration of default view):
8. Frequently Asked Questions for Information Lifecycle Management
- What is the difference between residence and retention period?
The residence period determines by when documents get set to read-only. The retention period determines for how long the data needs to stay in the system. That means only after retention period is over data might be deleted.
- What is process retention status and how does it influence for how long a document needs to stay in the system?
Documents which are part of a process chain might still be needed to finish the process. Resulting from this the document retention for a document might be already over but it still cannot be deleted as the process retention is not yet over. The process retention is determined by the last document in the process chain.
- Which documents are considered in the analysis run?
The analysis run only considers the documents created until the day before it is executed. Of course documents which are created at the same day will be considered in the next analysis run automatically. In general the analysis run should be scheduled in a meaningful periodicity e.g. once a week depending on the volume of data you have in the system. 5 mio documents can be considered as low volume.
- Q&A How do the configuration groups relate to the data retention and residence periods