Why You Need a SAP GDPR Data Destruction Process in Place

Tuesday, June 13th, 2017


The General Data Protection Regulation (GDPR) marks a significant change in data laws—one that will heavily impact how businesses use and process the personal information of any EU resident. As an SAP user, SAP GDPR compliance should already be a key priority, especially as there is little under a year to go until all businesses affected by the GDPR need to comply with its legislation. One key change to the GDPR, the right to be forgotten, means that an SAP GDPR data destruction process is required in order to comply with the new law.


The right to be forgotten entitles individuals to request that their personal data be erased and no longer processed

The right to be forgotten, also known as data erasure, will become a new component of the GDPR. Under this clause, an individual has the right to request that any personal information is deleted by data controllers processing it. They also have to right to demand that their data be no longer disseminated or processed by third parties. Individuals can exercise this right by either withdrawing consent, or if their data is no longer required for the original purposes of processing.

Your business needs an SAP GDPR data destruction process in place not only to fulfil an individual’s right to erasure and comply with data law, but also to correctly remove data once its retention period comes to an end.


The financial consequences of failing to carry out data destruction in line with the GDPR are considerable

Without an SAP GDPR data management and destruction process in place, your business could struggle to comply with the GDPR. Failure to do so can result in fines of up to 4% of annual turnover or €20 million (whichever value is highest). This poses an enormous financial and reputational threat to your business (as well as any cloud server that stores personal data on your behalf), not to mention the downtime involved in rectifying the consequences of a botched data destruction attempt.


The best data destruction processes involve managing data from the moment of capture up until it is erased

Before you can delete data, you need to know what data you have and where it lies: managing the data destruction process isn’t just about ensuring that you comply with SAP GDPR regulations at the point of deletion, but managing data across its entire lifecycle—from capture to erasure. SAP information lifecycle management (ILM) is one method of managing data that involves tagging personal information across multiple environments to expedite data archiving and data deletion. Information Steward is another data profiling and metadata management tool used to locate personal data across SAP and non-SAP systems.

The most effective way to guarantee GDPR compliance and put the correct data removal processes in place is to enlist the help of an expert with experience navigating complex data laws. For more information on GDPR data management strategies and best practices, contact us