GDPR | What is SAP ILM and why is it important for data retention GDPR compliance? Why not use SAP GRC?

For GDPR should we use SAP ILM or SAP GRC - How different are these tools with respect to GDPR? What is the best approach?

  1. SAP Information-Lifecycle-Management or "SAP ILM" is a key component for defining the organisational data retention GDPR rules – it is an essential enabler for the the GDPR, since the data controllers manage what personal data must be kept in SAP systems, and what needs to be discarded in order to comply with multiple regulations.
  2. SAP Governance, Risk and Compliance or "SAP GRC" allows you to oversee the company’s privacy management program using multiple features of the suite, such as access controls, process controls and risk management. It is explained well in this blog, implementing data protection impact assessments and this blog.

Blocking and Deletion of Personal Data According to data Retention GDPR Rule

One of the most impactful rights defined by the GDPR is the blocking and deletion of personal data that is no longer required within the purpose defined for the processing. According to the data retention GDPR rule, personal data must be deleted after the primary purpose of the processing has ended. If the data must be retained to comply with data retention GDPR periods required by other legislation — such as tax legislation — access to it must be blocked or restricted, and it must be kept only for the duration of the longest legal retention period, after which it must be deleted as stated in GDPR.

To help with this task, as of SAP NetWeaver 7.40, SAP Business Suite applications provide simplified blocking and deletion functionality that is based on SAP Information Lifecycle Management (SAP ILM).

All SAP Business Suite applications include required SAP ILM objects that enable the transfer of data to an archive, which fulfills the blocking requirement in GDPR. In addition, all SAP Business Suite applications support the “end of purpose” check, also based on SAP ILM, that is triggered from central personal master data sets, such as central business partner, customer, and vendor master data. With this check enabled, all applications registered with a central personal master data set are triggered to check whether they still need that data — if no longer needed, the data is marked as blocked and access is restricted.

Natuvion implemented early versions of ILM as a solution for data retention GDPR and based on this experience has founded the first "Competence Center".

To get a better feel of what the typical phases of an ILM implementation for GDPR may look like see below or contact us at directly for more information.