The introduction of the General Data Protection Regulation (GDPR) has posed major challenges for businesses. After all, the EU regulation stipulates that all personal data an organization processes and stores must meet high data protection requirements. The complex effects of the GDPR become clear once you record precisely where personal data is generated and used throughout a company: the spectrum ranges from HR and accounting to marketing and customer service.
The GDPR obliges companies to ensure that personal data is only used within narrow limits and deleted after certain periods across all processes. In concrete terms, this means you have to precisely define which employee in a process may have which access to certain personal data and for how long.
The second challenge in complying with GDPR relates to organizing the right of access that every data subject, including every customer, has against a company under Article 15 GDPR. Under this provision, an organization must, on request, disclose to the data subject the personal data it holds about them together with the related information Article 15 lists, such as the purposes of processing, the recipients and the envisaged storage period.
Finally, the third challenge in implementing the GDPR is that companies must of course continue to comply with statutory retention periods for a wide variety of documents when handling personal data, such as those arising from tax, commercial or HR law.
The good news for businesses is that SAP® provides a solution in its ERP system with Information Lifecycle Management (SAP ILM), supporting organizations in this new data challenge. In this blog post, we’ll show you how best to proceed so you can move ahead confidently when it comes to all things GDPR.
One of the decisive factors for the success of a compliance project such as implementing GDPR in corporate processes is support from the management board. To this end, management must be made aware at an early stage of the risks that a poor implementation entails. After all, anyone who handles their customers' data negligently faces severe financial penalties and loses the trust of their customers, which ultimately reduces revenue. Managers must see the strategic importance of a GDPR project for their business, actively support it and free up the corresponding resources: budget, time and staff.
SAP ILM is part of the standard SAP delivery and offers companies the option of creating rules to archive and delete data according to defined specifications. However, implementing SAP ILM is not a matter of simply activating the feature in the software and relying on a basic default configuration.
Rather, SAP ILM requires a very detailed implementation to ensure that all processes in your company are really covered while the entire legal framework is complied with. That's why every SAP ILM project should be run in a targeted manner. There are two stages in the process, described in turn below:
Many companies try to outsource responsibility for SAP ILM to one area or person in the company so that the process remains as lean and clear as possible. In our experience, however, this approach is not effective because the topic is too complex for this and affects too many areas in the business. For this reason, we recommend you first ask which departments are affected by GDPR requirements and involve one employee from each of these departments in the project planning. The data protection officer should play a special role in this.
In the second step, those involved in their departments must identify all relevant documents, data, programs and processes. The decisive question here is: where is data collected for which you have to devise deletion or blocking rules? For this purpose, it’s helpful to group the data into different categories such as customer data, usage data and contact data.
In the third step, you have to collect the correct retention periods and deletion requirements for all data. To do this, describe as comprehensively as possible which retention obligations apply and in which departments and processes data and documents are handled in the company. For example, you can find important information for your organization in the German Fiscal Code (AO), the GoBD guidelines on electronic bookkeeping, the German Commercial Code (HGB), and possibly from your trade association.
In the fourth step, you need to summarize and structure all the information in order to generate concrete blocking and deletion concepts. To do this, you may find it helpful to follow the trail of data through the entire company with the data protection officer and employees from the departments concerned and to record it in detail. The ultimate goal is to have a record of all the different media that contain personal data. For example, these include invoices, database entries, paper receipts, certificates, order confirmations, delivery bills, cover letters or resumes.
The actual blocking and deletion concept can be very well created in tabular form. It should specify for each object which information should be blocked or deleted in which process, which blocking and deletion periods apply, and on what legal basis they’re founded.
Alongside developing blocking and deletion concepts, you should also analyze your IT infrastructure from a GDPR perspective. The aim here is to find out:
The purpose of this measure is to gain control over the entire data flow that is relevant for SAP ILM.
Once you've defined the project scope and determined what is captured and how, you can activate SAP ILM in your SAP system. You then finalize the project by setting up an ILM policy for each relevant object: in the policy you define exactly which attributes govern archiving and deletion for that object. SAP ILM's predefined policy categories keep the two kinds of rule apart: residence rules determine how long data stays in the live database before it can be archived, and retention rules determine how long it must be kept before it may be destroyed. Legal holds, which suspend destruction for data involved in litigation or an audit, are managed separately in SAP ILM and take precedence over a retention period that has already expired.
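To make the tabular blocking and deletion concept from the previous steps concrete, here is an added example (not SAP code and not the authors' own material) that models such a table and evaluates it per record the way an ILM policy would: a record is blocked as soon as its purpose ends, leaves the live database after the residence period, may be destroyed only after the retention period, and is never destroyed while a legal hold applies. All object types, periods, legal-basis texts and records are constructed samples, not legal advice; a record with no rule in the table is treated as a gap in the concept and escalated rather than silently kept or deleted.

```python
"""Constructed model of a tabular blocking-and-deletion concept (added example, not SAP code)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    object_type: str
    residence_years: int    # years after the period start before data leaves the live database
    retention_years: int    # years after the period start before data may be destroyed
    from_year_end: bool     # statutory periods often run from the end of the calendar year
    legal_basis: str        # what the concept cites for the period (free text)


@dataclass(frozen=True)
class Record:
    record_id: str
    object_type: str
    end_of_purpose: date    # e.g. invoice settled, contract ended, applicant rejected
    legal_hold: bool = False


# Constructed sample concept; the real periods come out of step three (AO, HGB, GoBD, ...).
RULES = {
    "invoice": Rule("invoice", 2, 10, True, "sample: tax/commercial law"),
    "marketing_contact": Rule("marketing_contact", 0, 0, False, "sample: consent withdrawn"),
}
TODAY = date(2024, 6, 1)  # constructed evaluation date


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def deadlines(rule: Rule, rec: Record) -> tuple:
    """Return (block_from, archive_from, destroy_from) for one record."""
    block_from = rec.end_of_purpose  # purpose gone: access is restricted at once
    start = date(block_from.year, 12, 31) if rule.from_year_end else block_from
    return block_from, add_years(start, rule.residence_years), add_years(start, rule.retention_years)


def evaluate(rec: Record, today: date = TODAY, rules: dict = RULES) -> str:
    """Decide what the concept says about rec on 'today'.
    No rule for the object type means a gap in the concept: fail closed and escalate."""
    rule = rules.get(rec.object_type)
    if rule is None:
        raise LookupError(f"{rec.record_id}: no blocking/deletion rule for {rec.object_type!r}")
    block_from, archive_from, destroy_from = deadlines(rule, rec)
    if rec.legal_hold:
        return "retain (legal hold)"  # a hold suspends destruction regardless of the period
    if today >= destroy_from:
        return "destroy"
    if today >= archive_from:
        return "archive (blocked)"
    if today >= block_from:
        return "block"
    return "keep (active)"


def report(records, today: date = TODAY, rules: dict = RULES) -> list:
    """One line per record: id, object, action, destruction date and the cited legal basis."""
    lines = []
    for rec in records:
        action = evaluate(rec, today, rules)
        _, _, destroy_from = deadlines(rules[rec.object_type], rec)
        lines.append(f"{rec.record_id:<6} {rec.object_type:<18} {action:<20} "
                     f"destroy from {destroy_from} ({rules[rec.object_type].legal_basis})")
    return lines


SAMPLE = [  # constructed records
    Record("INV-1", "invoice", date(2012, 3, 15)),
    Record("INV-2", "invoice", date(2020, 3, 15)),
    Record("INV-3", "invoice", date(2023, 5, 1)),
    Record("INV-4", "invoice", date(2012, 3, 15), legal_hold=True),
    Record("MKT-1", "marketing_contact", date(2024, 1, 1)),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The four outcomes for the invoice records show why the concept needs both columns: INV-1 is past its retention period and may be destroyed, INV-2 is past residence but not retention and therefore sits blocked in the archive, INV-3 is merely blocked, and INV-4 would be destroyable but is kept by the legal hold. In a real project the table rows map onto ILM policies per object, and the escalation path for a missing rule belongs to the data protection officer.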
Finally, create the authorization concept. It should be created as a matrix and serves to link employee groups and data. The authorization concept defines who is allowed to access what and when in the system. For this purpose, fixed access rules, processes and roles are defined, which make the handling of data GDPR-compliant.
Let yourself be guided by the need-to-know principle: each employee may only access the data they actually need for their tasks. It follows from the purpose-limitation principle in Article 5(1)(b) GDPR and from the security-of-processing requirements in Article 32 GDPR. After implementation, document the authorization concept in writing or digitally, since the accountability principle of the GDPR (Article 5(2)) obliges you to be able to demonstrate compliance.
The GDPR places high demands on data protection in companies. With SAP ILM, organizations have an effective tool at hand to implement these requirements in a sustainable manner. However, implementing SAP ILM is no guarantee of success on its own; it requires precise organizational and technical planning.
At the same time, SAP ILM makes data archiving an even more important topic for companies. In this context, implementing SAP ILM promotes the sustainable handling of structured data and is a milestone in digitalizing the lifecycle management of your documents. EASY WebDAV for SAP ILM provides you with a certified interface that connects SAP ILM to your EASY archive system. This connection gives you ILM-capable storage for archive data, helping to ensure your data protection and data archiving are future-proof.
Good to know: EASY SOFTWARE not only provides the interface solution EASY WebDAV for SAP ILM. Our experts also work with you to implement the entire SAP ILM project, and support you from project start to your successful implementation.