GDPR – Simplified Blocking and Deletion with

SAP Information Lifecycle Management

Part 2: When and how to block data?
Iwona Luther, SAP SE
PUBLIC
Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP.
Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or any other service
or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or any related
document, or to develop or release any functionality mentioned therein.
This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms directions and
functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this
presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality. This presentation is provided
without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. This presentation is for informational purposes and may not be incorporated into a contract. SAP
assumes no responsibility for errors or omissions in this presentation, except if such damages were caused by SAP’s intentional or gross
negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from
expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates,
and they should not be relied upon in making purchasing decisions.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2

Personal Disclaimer

SAP does not provide legal advice, nor does the presenter.

The implementation of data protection requirements at any data controller is a complex challenge with
interdependent legal and technical aspects. The responsibility to identify and implement adequate technical
features remains with the controller as for the organizational aspects.

The following presentation is only about technical features which might in that sense help a controller
achieving compliance with data protection regulations.

To help the audience understanding the shown approach, in context information is given without claiming
completeness or correctness.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 3

Agenda
Introduction

Case 1: Master data without transactional data

▪ How to block master data
▪ How to destroy master data

Case 2: Master data with transactional data in one fiscal year only
▪ How to block master data
▪ How to destroy master data
▪ How to block transactional data
▪ How to destroy transactional data

Case 3: Master data with transactional data in several fiscal years

▪ How to block master data
▪ How to destroy master data
▪ How to block transactional data
▪ How to destroy transactional data

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 4

Rights of the data subject
Legal basis

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 5

Case 1: Master data without transactional data
How to block master data
Case 1: Master data without transactional data 1/2
How to block master data
➢ How to block master data?
- Example: Customer has created an account but has never bought a product
- You need ILM for the residence rules (RST) for master data. In detail: you need a
residence rule for the application name that corresponds to the master data in question
(for example ERP_CUST in case of a customer).
- This rule defines when you will block a master data (vendor, customer or a business
partner) if:
- there never was a business with him, or
- you have changed his master data.

Note: in the context of “Simplified blocking and deletion with SAP ILM”, we only
consider the central business partner, customer, vendor and the contact
© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC
person as master data 7
Case 1: Master data without transactional data 2/2
Blocking Business Partner / Customer & Vendor Master Data

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 8

Case 1: Master data without transactional data
How to destroy master data
Case 1: Master data without transactional data 1/2
How to destroy master data
➢ How to destroy master data?
- You need ILM for the retention rules (RTP) for this master data.
- Note: there are no specific retention rules as there was no business with this master data
(customer, vendor, business partner). This means, as soon as the master data has been
blocked, it shall be also destroyed. (Blocking of master data is a prerequisite for its
destruction)
- The length of the residence period and the retention period are identical!

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 10

Case 1: Master data without transactional data 2/2
How to destroy master data
➢ You need ILM for the retention rules (RTP) in order to destroy this master data.

- For this you shall use one of the following 2 functions:

- the Data Destruction Object (transaction ILM_DESTRUCTION), or
- the ILM Action Data Destruction of an archiving object‘s write phase (Transaction SARA)
- Note: we do not recommend to archive blocked master data

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 11

Case 2: Master data with transactional data in
one fiscal year only
How to block master data
Case 2: Master data with transactional data in one fiscal year only
How to block master data 1/3
Example: the customer has bought something only in one fiscal year.

➢ Scenario A: Block master data once End of Business is reached, without any application
specific residence rules (for example transactional data relating to ERP_FI, ERP_SD), in
case the master data can be in status blocked for all upcoming actions like year-end-
closing or IFRS. (This is usually not the case.)
- Note: once all applications confirm the status „business complete“ (EOB) for the master data in question,
the system evaluates the residence rule for the ILM object of the master data in question. This residence
time must be over too in order to block the master data (EOP) – which means you need a corresponding
policy in status live. As you have to cover Case 1 “Master data without transactional data”, you already
have such a rule.
- This means you do need ILM for the residence rules only for the application name that corresponds
with the master data in question (for example ERP_CUST
in case of a customer).

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 13

Case 2: Master data with transactional data in one fiscal year only
How to block master data 2/3
Example: the customer has bought something only in one fiscal year.
➢ Scenario B: block master data once End of Business is reached and after the residence
time you have defined for the application names that correspond to the existing
transactional data are over (for example ERP_FI, ERP_SD), in case the master data can
not be in status blocked for all upcoming actions like year-end-closing or IFRS. (This is
usually the case.)
- This means you need ILM for the residence rules for the application names that
correspond to the master data (for example ERP_CUST in case of a customer) and the
corresponding transactional data (for example ERP_FI, ERP_SD).

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 14

Case 2: Master data with transactional data in
one fiscal year only
How to destroy master data
Case 2: Master data with transactional data in one fiscal year only
How to destroy master data
Example: the customer has bought something only in one fiscal year.

➢ You need ILM for the destruction of the master data.

- Note: Because there is business with the customer, retention periods of the corresponding
transactional data must be applied (inherited) to the master data. This inheritance does not
happen automatically. The so called double maintenance is needed.
- The retention period for the master data in Case 2 is not the same as the residence period
for the master. (This was truth only in Case 1.)

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 16

Additional information:
Usage of the Application Rule Variants: double maintenance of retention periods

➢ This picture explains the so called double maintenance.

➢ With the help of the so called application rule variants (ARV) you can define the required rules faster as the
blue marked fields will be filled from the rule group which you have assigned to the application rule variant.
➢ This is the exact use case for which the application rule variants have been developed.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 17

Case 2: Master data with transactional data in
one fiscal year only
How to block transactional data
Case 2: Master data with transactional data in one fiscal year only
How to block transactional data 1/3
Example: the customer has bought something only in one fiscal year.

➢ Scenario A: Block transactional data through archiving this data in case the respective
display transactions would show transactional data associated to a blocked
master data.

- You need ILM for the archiving under the control of ILM.
- Additionally you need to fill the column Authorization Group in transaction IRMPOL for
the corresponding ILM objects.

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 19

Fall 2: Master data with transactional data in one fiscal year only
How to block transactional data 2/3
Example: the customer has bought something only in one fiscal year.

➢ Scenario B: Block transactional data implicitly through blocking the master data and doing
nothing further for the transactional data (= you block transactional data without archiving
it).

- You do not need ILM for the archiving-based blocking (as explained on the previous
slide), in case the display-transactions of the respective applications do not show their
transactional data, if the corresponding master data has been blocked.
- Note: this is only the case, if the application uses the central read application interfaces
(provided by the master data). These application interfaces check if the user has the
authority group stated in the corresponding customizing activity (see next slide).
- Experience shows that some applications follow this approach, but others don´t.
Nevertheless it is important to understand this option too in order to have a full
understanding of possible scenarios and judge, when to use which one.
© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 20
Fall 2: Master data with transactional data in one fiscal year only
How to block transactional data 2/3

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 21

Case 2: Master data with transactional data in
one fiscal year only
How to destroy transactional data
Case 2: Master data with transactional data in one fiscal year only
How to destroy transactional data
Example: the customer has bought something only in one fiscal year. (Also for case 3, see below)

➢ You need ILM for the destruction of the transactional data.

- For this 3 different ILM features are possible. Each business object usually decides for
exactly one. You have to find out which if being offered for a particular business object.
- radio buttons Type of Data to Be Destroyed in the transaction ILM_DESTRUCTION, or
- the Data Destruction Object (transaction ILM_DESTRUCTION), or
- Die ILM Action Data Destruction of an archiving object‘s write phase (Transaction SARA)

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 23

Case 3: Master data with transactional data in
several fiscal years
How to block and destroy transactional and master
data
Case 3: Master data with transactional data in many fiscal years

Example: Loyal Customers. Continues business with the customer over many years means: you
have transactional data for business in status “complete” as well as not.
➢ Master data can not be blocked, as there is some business with where End of Business (EOB)
or End of Purpose (EOP) is not yet reached. (Transaction CVP_PRE_EOP refuses blocking.)
- You do not (yet) need ILM for the blocking or destruction of the master data.

➢ You can block transactional data for which End of Purpose (EOP) has been reached
- You need ILM for the blocking of the transactional data through: archiving plus filling the
column Authorization Group in transaction IRMPOL for the corresponding ILM objects. This is
exactly what we have already described in case 2, scenario A “Block transactional data through
archiving” (slide 19).

➢ You can destroy transactional data when the retentions period are over.
- You need ILM for this destruction of transactional data.
- This corresponds to case 2 “Master data with transactional data in one fiscal year only -
How to destroy transactional data” (slide23).

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 25

Further information

SAP Public Web

www.sap.com

SAP Education and Certification Opportunities

www.sap.com/education

BIT660 – Data Archiving

BIT665 – Information Lifecycle Management (ILM)
BIT670 – How to develop Data Archiving and ILM solutions for applications in customer name space

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 26

Further information
GDPR is coming – get compliant!

➢ Comply with the EU’s GDPR regulation and avoid costly

fines

➢ Design your IT environment to meet data privacy

requirements

➢ Explore the SAP software solutions that protect sensitive

personal data
Purchase the book and e-book at sap-press.com/4652

GDPR and SAP

Data Privacy with SAP Business Suite and SAP S/4HANA
Written by: Lehnert, Luther, Christoph, Pluder, Fernandes
435 pages | 07/2018 | E-book: $109.99 | Print: $119.95 | Bundle: $129.99
© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 27
Thanks for attending this session.

Contact:

Iwona Luther
Product Standard
Owner of „Information
Lifecycle Management“

[email protected]

© 2018 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 28