Are you confused about how you can handle personal data from an SAP GDPR perspective at the end of its retention period with an on-premise SAP system?
We have heard from our customers, solicitors and consultants that it will be OK to mask, scramble or anonymise the data in some form, BUT you do not have to delete it?
In order to clarify this we have had a conversation with the Information Commissioner Office (ICO) and it is very clear, if you can delete the data then you must do so!
The ICO pointed to Principle 5 – Retaining personal data on the ICO website.
There is also a PDF produced by the ICO on personal data destruction which you can download here.
Therefore for on-premise SAP systems the only consistent way of deleting and blocking personal data is to use SAP ILM for both structured and unstructured data which will produce an audit trail of what has been done which will be required by the ICO under any investigation.
We hope you have found this information useful. If you require any assistance on how to use SAP ILM to help you with GDPR compliance please do not hesitate to contact us