Discuss business intelligence, integration, compliance and a host of other SAP-related topics – implementation, best practices and resources to negotiate the world of SAP better!


January 3, 2020


What is GDPR ?

GDPR is an acronym for General Data Protection Regulation (EU) 2016/679 which was adopted / accepted on 14th April 2016 but came into existence on 25th May 2018. It is a new framework devised for protecting data and privacy laws. GDPR is designed to streamline & strengthen laws that protect personal information of individuals. The new regulation supersedes the Data Protection Directive 95/46/e which was enforced since 24th Oct 1998.

Where is GDRP applicable AND Which region / individuals does it apply to ?

It is important to note GDPR is a European Union (EU) Regulation. It is a legal framework with a set of guiding principles to collect and process personal data of individuals in EU. Organizations that collect, store, control, process personal data within an EU country need to be GDPR compliant as a mandate. In addition, organizations located outside EU must be particularly cautious and ensure they do not violate this regulation. In case such organizations collect and process personal data of EU residents, they too need to be GDPR compliant. The location of the organization does not safeguard it from facing the consequences of non-compliance. The regulation is applicable if an organization is based outside EU but personal data of EU residents is collected.

Organizations located within EU will have a major impact in all likelihood as compared to other countries as EU organizations are more likely to process data related EU individuals.

What kind of data / information does GRPR apply to ?

GDPR applies to personal data including special category of sensitive personal data.

Per Article 4 of GDRP: 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In simple words, it means any data that leads to identification of a natural living person. It does not apply to a non-living person.

It is to be noted that if any organization indulges in processing of data concerning personal data only then the General Data Protection Regulation is applicable. Personal data can be any information related to an identifiable person. The person should be identifiable directly or indirectly via above identifiers such as name, location etc., or can also be in combination of data like age, date of birth, height, weight, salary, company, bank account number, credit card number etc.

In addition to above, one should specifically consider a category called as special categories of personal data (or sensitive personal data) as they are particularly relevant. This type of personal data in particular is subject to a higher level of protection and should not be collected without explicit consent or exceptions. These furthermore include personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or philosophical beliefs, or trade union membership, as well as medical & health data, genetic, biometric data.

Penalties if Non-Compliant on GDPR :

As per the new regulation when a data breach is detected, the concerned organization is required to inform all affected people and respective supervisory authority within 72 hours of the data breach. For this the organization should ensure they have a robust detection & investigation process in place to capture any breaches on data front. In addition, the organization is also needed to keep a record of data breaches in the past for reference purpose.

Organizations will need to audit their data and verify that the methods of collecting, processing, and storage - as well as the nature of the data itself - are GDPR compliant. Organization who fail to comply with GDPR will have to pay a maximum fine of €20 million, or 4% of annual global turnover, whichever is higher. Compliance is, therefore, a very important aspect in any organizations that process personal data.

What is SAP ILM ?

Per SAP, ILM (Information Lifecycle Management) enhances the SAP standard delivery with the ability to manage the lifecycle of live and archived data based on rules. SAP ILM uses ILM-specific, enhanced data archiving functions.

Typical Features

    · Lifecycle Management of data with the following Retention Management functions:

   a) Defining ILM rules (for example, retention rules) for the purpose of mapping legal requirements and their application to live and archived data.

   b) Putting legal holds on data that is relevant for legal cases in order to prevent early destruction.

   c) Destroying data while taking legal requirements and legal holds into account.


    · Storage of archived data on an ILM-certified WebDAV server (to guarantee non-changeability of the data and to protect it from premature destruction)


ILM is available as a business function in SAP NetWeaver based systems like ECC (prerequisite is NW 7.0, EhP 1). It can be activated via switch framework depending on organizations contractual agreement with SAP as it could incur additional licensing cost.



The three main building blocks of SAP ILM are

1) Data Archiving              2) Retention Management          3) System Decommissioning

ILM 1.jpg


1) Data Archiving: Data archiving is the core of SAP ILM, this classical function has been available in SAP since a long time. Data that is not needed on regular basis and no longer be changed is archived in files.

2) Retention Management: With retention management you can define and control duration, periods for which data can be retained in the system as per legal, contractual policies. You need to identify the audit areas, policies and rules to retain data.


3) System Decommissioning:  With this option you can decommission legacy systems by moving legacy data to ILM Retention Warehouse or delete data no longer to be retained. Based on legal and contractual law expiration, the data can be deleted. Stored data can be retained from ILM retention warehouse for any future purpose like audits.

Personal Data lifecycle - Definitions :

ILM 2 update.jpg

Processing -  operation carried out on existing data within the system to extract & obtain further meaningful information

Blocking - prevent access to data post processing as data is no longer operated on. In this case data is blocked as it needs

to be retained due to legal or contractual or statutory compulsion.

Deletion - erase the data as it is no longer to be retained / restored in the system.


End of Business - marks the start of retention period

End of Purpose - a point in time at which data is no longer processed in the system

End of Retention - a point in time at which data is no longer needed to be retained in the system and marks the start of

deletion period.


Personal data which is no longer required by the organization should be blocked and retained for legal or contractual purpose. Further if there is no need to retain from legal or contractual obligations, the personal data must be deleted from the system.

How are SAP ILM and GDPR related ?

SAP ILM acts as a key enabler for GDPR as it can identify personal data to be retained in the system and data to be deleted. ILM is the key element to define data retention rules depending on GDPR.


With SAP ILM, the necessary functions like blocking and deletion addresses GDPR's requirement. It will ensure personal data is not stored or processed post the original purpose has ended.


Data Management with respect to GDPR has two main requirements: Data Retention & Right to be forgotten. Both are addressed via SAP ILM i.e. via standard SAP ILM function and SAP ILM blocking and deletion functionality. This means blocking of data by providing display access when data is to be retained in the system for legal & compliance matters (data should not be deleted), or delete the data when it has fulfilled all purposes.


Hence to conclude SAP ILM provides the solution to address requirements & obligations around data processing and safeguards individual rights for personal data.

Subscribe to this blog's feed

Follow us on

Blogger Profiles

Infosys on Twitter

Recent Posts