Independent SAP advisory. Not an SAP partner, reseller, or affiliate.
SAP Security Consulting

SAP Data Privacy: GDPR in SAP

SAP GDPR compliance covers data subject rights, retention discipline, and the ILM framework. This article documents the lawful basis model, the data subject rights operating procedure, the retention policy in ILM, and the audit defensible privacy posture that survives regulator review.

SAPAudits Research May 18, 2026 11 minute read
In this article
  1. Why GDPR matters to SAP
  2. Lawful basis model
  3. Data subject rights operating procedure
  4. Retention policy in ILM
  5. Audit defensible privacy posture

Why GDPR matters to SAP

GDPR compliance has a direct operational impact on SAP because SAP stores employee personal data in HCM, customer personal data in CRM and the S/4HANA sales master, and vendor personal data in the supplier master and SAP Ariba. Each of those data stores is in scope of GDPR wherever it holds data on data subjects in the EU or EEA. The data controller must respond to data subject access requests without undue delay and within one month (extendable by two further months for complex or numerous requests), must apply a lawful basis to each processing activity, must retain personal data only for the documented retention period, and must support the right to erasure (the right to be forgotten). The four obligations translate into specific SAP configuration and operating discipline.

This article documents the lawful basis model, the data subject rights operating procedure, the retention policy in ILM, and the audit defensible privacy posture. Reference the SAP security audit pillar, the compliance framework pillar, and the GRC and security expertise.

Lawful basis model

The lawful basis model documents the legal ground under which each processing activity operates. Employee data in HCM operates under the employment contract (Article 6(1)(b)) and statutory obligation (Article 6(1)(c)) grounds; special category data held in HCM, such as health or trade union membership data, additionally needs an Article 9 condition, typically the employment and social security law ground in Article 9(2)(b). Customer data in the sales master operates under contract performance and legitimate interest (Article 6(1)(f)). Vendor data in the supplier master operates under contract performance and statutory obligation. The customer position is to maintain a processing activity register (the Article 30 record of processing activities) that maps every SAP module containing personal data to the lawful basis, the data controller, the categories of data and recipients, and the retention period. The register is the artifact that the data protection authority will request first in an investigation.

Reference the compliance framework pillar, the identity management analysis, and the table logging configuration.

Data subject rights operating procedure

The data subject rights operating procedure covers the request workflow for the access, rectification, erasure, restriction, and portability rights (GDPR Articles 15 to 20). The procedure has six steps.
  1. Intake through a documented channel.
  2. Identity verification of the requestor, proportionate to the sensitivity of the data, before anything is released.
  3. Search across all SAP modules that hold the data subject's personal data, including data already archived under ILM.
  4. Compilation of the response within the one month window; if the extension of up to two further months is needed, the data subject is told within the first month.
  5. Delivery in the requested format; a portability request is delivered in a structured, commonly used and machine readable format.
  6. Closure with retention of the request record for accountability.
The customer position is to maintain a dedicated SAP authorization role for the access request handling team and to document every search step so that the response can be audited end to end.

Reference the user access review process, the privileged access analysis, and the GRC implementation analysis.

Mapping every SAP module containing personal data to a lawful basis in a processing activity register is the single most leveraged GDPR control. The register is the first artifact a data protection authority will request.

Retention policy in ILM

Retention is enforced through SAP Information Lifecycle Management (ILM). ILM distinguishes the residence period (how long the data remains in the production database before it can be archived and blocked from normal access) from the retention period (how long the archived data is kept before it may be destroyed). The customer position is to map every personal data object to an ILM rule and to schedule the ILM execution as part of the regular operations calendar, since a rule that is configured but never run enforces nothing. The four most common rules cover terminated employee HCM data, inactive customer master data, inactive vendor master data, and legacy financial document data. Each rule references the lawful basis register to justify the retention period; where a statutory retention obligation applies (tax and commercial law retention of financial documents), that obligation takes precedence over an erasure request for the affected data under Article 17(3)(b), which is why the financial document rule must not be shortened to satisfy a request. Reference the license audit pillar (cross cluster reference for the named user implication of terminated employee retention), the compliance framework pillar, and the table logging configuration.
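To make the residence/retention split concrete, the following is an added illustration written for this article; it is not SAP code and does not reproduce how SAP ILM evaluates its rules. It models a rule as a residence period followed by a retention period, derives the block date and destruction date for a personal data object from its end-of-purpose date, keeps a legal hold from letting an object reach destruction, checks that every rule points at an entry in the processing activity register, and builds the work list a scheduled run would act on. The rule names, periods, register keys and sample objects are assumed values, not regulatory figures.

```python
"""Constructed illustration of the ILM residence/retention model.

Not SAP code: SAP ILM applies residence and retention through its own
customizing and archiving/destruction objects. Rule names, periods,
register keys and sample objects below are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Phase(Enum):
    ACTIVE = "active"          # residence period running; stays in production
    BLOCKED = "blocked"        # residence over; archived and blocked, retention running
    LEGAL_HOLD = "legal_hold"  # destruction suspended until the hold is lifted
    DESTROY = "destroy"        # retention over; eligible for destruction


@dataclass(frozen=True)
class IlmRule:
    name: str
    residence_days: int   # end of purpose -> archive and block
    retention_days: int   # archive and block -> destruction
    lawful_basis: str     # key into the processing activity register


@dataclass(frozen=True)
class PersonalDataObject:
    object_id: str
    rule: IlmRule
    end_of_purpose: date  # e.g. termination date, last customer transaction
    legal_hold: bool = False


def block_date(obj: PersonalDataObject) -> date:
    """First day the object may be archived and blocked."""
    return obj.end_of_purpose + timedelta(days=obj.rule.residence_days)


def destruction_date(obj: PersonalDataObject) -> date:
    """First day the object may be destroyed (absent a legal hold)."""
    return block_date(obj) + timedelta(days=obj.rule.retention_days)


def phase_on(obj: PersonalDataObject, today: date) -> Phase:
    """Lifecycle phase the object should be in on a given day."""
    if today < block_date(obj):
        return Phase.ACTIVE
    if obj.legal_hold:           # a hold never shortens residence, only stops destruction
        return Phase.LEGAL_HOLD
    if today < destruction_date(obj):
        return Phase.BLOCKED
    return Phase.DESTROY


def validate_rules(rules, register: dict) -> list:
    """Names of rules whose lawful basis has no entry in the register.

    A rule that cannot be traced to a register entry has no documented
    justification for its retention period and should not be scheduled.
    """
    return [r.name for r in rules if r.lawful_basis not in register]


def plan_run(objects, today: date) -> dict:
    """Work list for a scheduled run: object ids grouped by the phase they are due for."""
    plan = {p: [] for p in Phase}
    for obj in objects:
        plan[phase_on(obj, today)].append(obj.object_id)
    return {p: sorted(ids) for p, ids in plan.items()}


# Constructed register and rules (assumed periods, not statutory values).
REGISTER = {
    "HCM-EMPLOYMENT": "Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation",
    "SD-CUSTOMER": "Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interest",
}
TERMINATED_EMPLOYEE = IlmRule("terminated_employee", 365, 365 * 10, "HCM-EMPLOYMENT")
INACTIVE_CUSTOMER = IlmRule("inactive_customer", 730, 365 * 6, "SD-CUSTOMER")
ORPHAN_RULE = IlmRule("legacy_vendor", 365, 365 * 10, "MM-VENDOR")  # key missing from REGISTER

# Constructed sample objects; identifiers are assumed, not real master data.
SAMPLE_OBJECTS = [
    PersonalDataObject("PERNR-1001", TERMINATED_EMPLOYEE, date(2024, 6, 30)),
    PersonalDataObject("PERNR-1002", TERMINATED_EMPLOYEE, date(2014, 1, 31)),
    PersonalDataObject("PERNR-1003", TERMINATED_EMPLOYEE, date(2014, 1, 31), legal_hold=True),
    PersonalDataObject("KUNNR-5001", INACTIVE_CUSTOMER, date(2025, 12, 31)),
]
AS_OF = date(2026, 5, 18)  # evaluation date used by the usage below

if __name__ == "__main__":
    print("rules without register entry:",
          validate_rules([TERMINATED_EMPLOYEE, INACTIVE_CUSTOMER, ORPHAN_RULE], REGISTER))
    for phase, ids in plan_run(SAMPLE_OBJECTS, AS_OF).items():
        print(f"{phase.value:10s} {ids}")
```

Run as a script it lists the orphan rule and sorts the four sample objects into one per phase: the customer still inside residence, the 2024 leaver in the blocked phase, the 2014 leaver due for destruction, and the 2014 leaver under legal hold held back even though its retention has expired.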

Audit defensible privacy posture

The audit defensible privacy posture has five components. First, the processing activity register that maps SAP modules to lawful basis. Second, the data subject rights operating procedure with the one month response discipline. Third, the ILM rules that enforce retention, together with evidence that the scheduled runs actually executed. Fourth, the logging configuration that records who changed and who read personal data tables: SAP table logging (the rec/client profile parameter and the per-table logging flag, evaluated in SCU3) captures changes only, so read access to personal data needs Read Access Logging (RAL) configured on the relevant fields. Fifth, the annual review by the data protection officer that updates the register and the rules. The five components together survive data protection authority review and support the audit defensible privacy program.

The implementation detail is in our GRC implementation analysis, the table logging configuration, the SOX ITGC analysis, and the security audit pillar. The SOX compliance expertise documents the full senior advisor methodology for the overlapping controls.

Key takeaway

GDPR posture that closes the privacy obligations and supports regulator review

Related white paper

SAP Authorization Audit Guide

The reference guide to the SAP lawful basis model, the data subject rights operating procedure, the retention policy in ILM, and the audit defensible privacy posture.

Access the paper
SAPAudits Research
Senior practitioners, SAP data privacy and information lifecycle

The SAPAudits research team includes senior advisors with combined experience supporting more than 500 enterprise SAP engagements. We do not hold any commercial relationship with SAP.

Independent SAP advisory

Facing a similar SAP situation?

Talk to a senior advisor. We respond within 24 hours. No fee, no obligation, no SAP commercial relationship.

Schedule a confidential consultation