The GDPR comes into effect on 25 May 2018 and companies have until then to become GDPR compliant. SAP system users should be interested in what needs to be done to apply the new EU data privacy laws to their SAP systems, in particular how to handle their SAP data accordingly.
The risks of non-compliance with EU GDPR
Not complying with the EU GDPR (General Data Protection Regulation) leads to significant fines and compliance risks. The EU created two tiers of maximum fines for companies violating the GDPR. The higher fine threshold is 4% of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower threshold fine is 2% of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.
What is considered privacy relevant information?
There are many elements of personal information.
Some examples are name, gender, age, date of birth, marital status, citizenship, languages spoken, veteran status, disabled status, IP address (some jurisdictions), business and personal addresses, phone numbers, email addresses, internal identification numbers, credit card and bank account numbers, government-issued identification numbers (social security, driver's license numbers, etc.) and identity verification information.
It is important to remember that business data elements can be considered personal information as well.
“Personal data” is defined as “any information relating to an identified or identifiable natural person”.
Introduction of SAP ILM
The life cycle of information (put under corporate control) can be managed with SAP Information Lifecycle Management (ILM). SAP ILM is currently the only SAP tool to manage the life cycle of SAP data in a controlled manner using records management and retention policies.
Data destruction objects
For the controlled destruction of privacy relevant SAP data and documents, SAP ILM offers so-called data destruction objects. In the SAP HCM module alone there are in excess of 100 data destruction objects, and the SAP HCM data destruction objects can (in most cases) be used without additional SAP license implications.
Data destruction in SAP
Based on the retention rules defined in SAP ILM, it is possible to comply with the GDPR rule to destroy privacy relevant SAP data in a controlled way.
Should you require any guidance on your SAP GDPR strategy, do not hesitate to contact us; we are happy to assist.
Proceed Group – The SAP Data Management Specialists