Let’s quickly recap on the key changes that come with GDPR related to personal data processing and storage. Where there is referred to the “data subject” this is the person of whom personnel data is stored/processed, the “data controller” is the company storing/processing the data.
- Breach Notification; breach notification will become mandatory in case a data breach is likely to “result in a risk for the rights and freedoms of individuals”
- Right to Access; the right for data subjects to obtain from the data controller a confirmation as to whether or not personal data concerning them is being processed, where and for what purpose
- Right to be Forgotten; the data subject has the right to have the data controller erase his/her personal data, cease further processing of the data, and potentially have third parties halt processing of the data as well.
- Data Portability; the right for a data subject to receive the personal data concerning them, which they have previously provided, in a “commonly use and machine-readable format” and have the right to transmit that data to another controller.
- Privacy by Design; privacy by design calls for the inclusion of data protection as part of system design, rather than an addition later on.
- Data Protection Officers; will be mandatory if a company carries out large scale systematic monitoring of individuals (for example, online behaviour tracking) or if a company carries out large scale processing of special categories of data or data relating to criminal convictions and offences.
My colleague Jelle Uenk wrote a blog on GDPR functionality in SAP C4C and referred to SAP ILM as the GDPR tool for on-premise SAP solutions. This is true and to make it more specific; SAP ILM provides functionality to implement point number 3 in the above list which is related to the “Right to be Forgotten”. To put it in the words of SAP: “SAP ILM enhances the SAP standard delivery with the ability to manage the lifecycle of live and archived data based on rules. SAP ILM uses ILM-specific, enhanced data archiving functions”.
SAP ILM is not a separate SAP system, it’s available as a business function (“ILM”) which can be activated via the switch framework (transaction SFW5) and is available in SAP NetWeaver based systems like SAP ECC and SAP CRM. It depends on your contractual agreements with SAP whether or not there are additional license costs applicable. So before activating the business function get in touch with your contact person at SAP if this is the case for your company. Once activated, on top of the default archiving functions the ILM functionality is made available. The 3 main pillars of SAP ILM are displayed in below figure; these are Data Archiving, Retention Management and System Decommissioning.
Data archiving is the cornerstone of SAP ILM and focusses mainly on data volume management, it consists of the classical archiving functions which have been available in SAP systems for many years. With SAP ILM these classical functions have been enhanced to allow for integration with the two other cornerstones; Retention management and System decommissioning. With retention management tools and functions come available to manage the lifecycle of the data, from the time the data is created until it has to be destroyed based on legal requirements or other retention policies. System decommissioning focusses on the end-of-live system scenario’s, it allows you to extract data form the legacy system, import it into a storage and to report on it.
What separates SAP ILM from the classical SAP archiving functions is Retention Management, this is also the functionality which relates most to GDPR because it will allow you to the erase personal data based on retention rules.
With retention management you can control periods for the retention of archived data in adherence to legal requirements. First you maintain the audit area’s and policies, the rules are assigned to the policy and these are taken into account during data archiving.
From a business perspective an audit area is the scope and reason for an audit, for example tax or product liability. From a technical point of view an audit area contains and covers all data types needed for that audit, for example a list of necessary object types that are assigned to the audit area, as well as relevant structures, tables, and fields. To the audit area’s, objects like FI_ACCOUNT (Account master data) and FI_DOCUMNT (Financial Accounting Document) are assigned and on the lowest level the relevant structures and fields are linked.
With transaction IRMPOL you can maintain policies and assign rules to them. You define the conditions to which the data should adhere, these could be for example company code or sales organization (depending on the object you’re working with). As part of the rule you define the minimum and maximum retention time and the “time reference”. This last one is important as well because with this setting you define from which point in time the retention time should be determined (e.g. creation date, last change date, end of (creation) year etc).
Once an archiving run is started, the rules are taken into consideration and an expiration date is calculated for each data object in the archiving run. In the past, when you archived your data, you needed to carefully determine the selection criteria for archiving. Now, the data is selected and even routed automatically based on the rules you set up. If necessary, you can set legal holds on the data so deletion is not performed as long as the legal hold is set (needed in case of legal obligations). You can destroy data on which there is no legal hold and whose retention period has expired.
GDPR and SAP ILM
Reading the above might raise the question “ok, but how does this exactly relate to GDPR”. As mentioned in the introduction, SAP ILM provides the functionality to make sure personal data is not stored and processed after the original purpose has ended. Once a product is ordered, delivered and paid, there might be a period in which you could still need access to the data for example until the warranty period has ended. The end of this period is the end of purpose and from this moment on, only if other (legal) retention periods apply it’s allowed to store the data. In this period the data can be blocked so it’s only accessible by authorized users, when this period ends the data get’s destroyed/deleted.
This scenario is supported by SAP ILM with retention rules and blocking features that can be registered as part of the retention rules. As a result, once an object is in the retention period, the archived data is blocked and only available for authorised users. Once the retention period is over, SAP ILM provides the option to physically remove (destroy) the archive file. SAP ILM provides an option to setup rules for access to data in the period between End of Business and End of Purpose as well; these are “residence rules” which can be maintained with via transaction IRMPOL.
May 25th 2018, the GDPR due date, is coming closer and closer! If you would like to know what GDPR means for your organization or would like to get more information on GDPR and SAP ILM, get in touch with us or take a look at our website http://www.acorel.nl/gdpr for more information.