Archiving in compliance with data protection is one of the main challenges for any company. One thing should be clear to decision makers no later than since the introduction of the European General Data Protection Regulation (EU-GDPR) at the end of May 2018: if the GDPR requirements are not met, there is a risk of severe sanctions. For especially serious violations, the fines are up to 20 million Euros or, in the case of a company, up to 4% of the total worldwide revenues in the previous business year, depending on which is greater. In other words, when it comes to the EU-GDPR, there is an urgent need for compliance.
SAP has reacted quickly to the situation with SAP ILM (Information Lifecycle Management); EASY SOFTWARE has done the same with WebDAV for ILM – a simple to manage interface between EASY Archive and SAP ILM. With that, nothing stands in the way of GDPR-compliant archiving with EASY Archive in combination with SAP systems and SAP ILM.
As easy as the EASY WebDAV for ILM interface can be administrated, the concrete use of EASY for SAP, SAP ILM as well as EASY WebDAV for ILM and EASY Archive in the context of the EU-DSGVO is so complex.
EU-GDPR – what is considered worth protecting?
To put it briefly in advance, the data protection regulation controls and regulates the handling of personal data and their processing. But what do “personal data” and “their processing” mean in this context?
Personal data and their processing – a brief explanation
According to Article 4 of the EU-GDPR, personal identifiers are any information which can be used to identify a natural person directly or indirectly. Accordingly, personal data are any
“(…) information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The passage on processing in the GDPR is also very broad and states:
“(…) any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
It is obvious, particularly in companies, that data in the sense of the characteristics just mentioned are not only present, but also processes. Just think about the human resources department which manages digital processes with SAP HCM. A closer look and care are in order.
Working in compliance with the GDPR with SAP ILM – information lifecycle management
The lifecycle of personal data must be controllable. And this is exactly where SAP Information Lifecycle Management (SAP ILM) comes in to play. SAP ILM adds the ability to manage the lifecycle of productive and archived data and documents using ILM rules to the SAP standard delivery.
Thus, SAP ILM provides the means and methods for handling information in the company in accord with the GDPR. Data processing systems must be made able to do the following with information with personal characteristics
- Provide an expiration date
Good examples of this sort of ILM properties are deletion orders or a date of expiration. EASY Archive combined with EASY for WebDAV ILM meets these SAP-ILM requirements. Through the interaction of the latter two systems with EASY for SAP, we make possible an ILM-capable storage system which ensures that archive data are securely retained until the expiration date. Blocking and ultimate deletion of archived data is carried out automatically.
How can SAP ILM and EASY for WebDAV ILM help you to comply with the requirements of the GDPR?
WebDAV for ILM, Information Lifecycle Management and GDPR: Blocking data
Of course, the data protection perspective is just one of many which are relevant for companies. For example, business and tax law requirements regulate retention periods and demand the archiving of business documents. This sort of mass data may be stored in an archive system simply for reasons of performance. With EASY WebDAV for ILM, this kind of data can be transferred to EASY Archive – and also automatically deleted following the end of the retention period if desired, for example. The prerequisite is that the data records in question do not contain any personal characteristics as defined by the GDPR. But what if exactly the opposite is true?
Now, two requirements must be unified: data protection and retention obligations. In other words, a compromise must be found in the processing of personal data in the context of the purpose. The usual procedure with EASY WebDAV for ILM at this point is to block the personal data. Access to the data records of this kind is then protected – until the end of the retention period is reached. EASY WebDAV for ILM implements these ILM rules from the SAP Information Management System and passes them on to the EASY Archive.
SAP ILM and GDPR: Deleting data
Nothing lasts forever – and at some point legal or contractual retention obligations come to an end. According to the EU-GDPR, this represents the moment at which personal data must be deleted.
An explanation through an example: companies are encouraged to destroy accounting documents after a period of ten years. As soon as the expiration date is reached, the deletion orders are issued from SAP ILM, transmitted to EASY WebDAV for ILM and executed in the EASY Archive.
On the safe side with EASY WebDAV for ILM
As easily as the EASY WebDAV for ILM interface can be administered, so complex is the specific use of EASY for SAP, SAP ILM as well as EASY WebDAV for ILM and EASY Archive in the context of the EU-GDPR. An integral understanding of the subject is urgently necessary. The webcast “SAP ILM – finally archive GDPR-compliant with EASY WebDAV for ILM”, which will take place on November 27, 2018, offers an advanced overview.