
Deleting and locking personal data in SAP HCM

Anyone following the flow of information on the current legal situation regarding the deletion and blocking of personal data will inevitably be led to the SAP ILM business function and the question of the feasibility of data protection aspects in SAP systems.
Björn Meeder, IBS Schreiber
June 1, 2017
IT Security
This text has been automatically translated from German to English.

If we take a closer look at current developments on the subject, we come face to face with the EU General Data Protection Regulation (GDPR), which applies from May 25, 2018, and its severe sanctions for data protection violations.

In principle, the GDPR, like the Federal Data Protection Act (BDSG), also provides for the correction and deletion of personal data. It is not permissible to retain such data indefinitely.

However, as long as there are further legal, collective bargaining or internal requirements for the retention of personal data and documents, the data must not yet be deleted but merely blocked.

With the established Retention Management functions of SAP ILM, HR requirements can be mapped and implemented in practice in compliance with the legal requirements.

Obtaining an overview

First, however, it is necessary to obtain a structured overview of all personal data processed in SAP HCM. For this purpose, a deletion concept should be developed that takes into account the legal requirements of data protection and other legal requirements and transparently regulates the handling of such sensitive data in terms of type and scope.

The deletion concept is the ideal starting point for identifying data to be blocked as defined in Section 35 of the German Federal Data Protection Act (BDSG), as well as for implementing customizing in SAP ILM.

The ILM is technically based on a set of rules. Here, the defined retention periods per infotype are transferred to the SAP system and mapped analogously to the deletion concept.

In simple terms, the minimum and maximum retention periods must be stored per infotype, i.e. per archiving object. In practice, this quickly takes on complex forms.

Whenever the retention rule must be linked to further conditions, these criteria must be implemented in the rule set. After the implementation of the SAP HCM-specific customizing, a decision path can be run through per archiving object along these criteria to determine the correct retention period of a record.

The ILM set of rules can be called via transaction IRM_CUST. Information on the delivery of the ILM business function and the required system status can be found in SAP Note 1600991. Here you can also find information about license costs when using the ILM for HCM archiving objects and its possible coverage via already existing ERP licenses.

The actual destruction of data is carried out with classic SAP Basis functionality; the corresponding programs already exist in the SAP system. Via transaction SARA (archive administration), these programs are run one after the other for each archiving object.

The P_DURATION authorization object can be used to implement the blocking of personal data flexibly and at the granular level of individual infotypes. By defining authorization periods, access to HR master data lying in the past can be restricted.

Information on the P_DURATION authorization object can be found in SAP Note 2123631. A data protection-compliant deletion concept can be implemented in an SAP system as a hybrid solution comprising both functionalities.
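The following is an added Python model, not SAP code and not part of the original article, of the two mechanisms described above: the ILM decision path that determines a record's retention period per infotype from minimum and maximum retention plus further criteria, and a P_DURATION-style authorization period that restricts read access to records lying too far in the past. Infotype numbers 0002 and 0008 and country grouping 01 are real SAP values; every retention period, priority and personnel number in the sample rule set is a constructed assumption, not a delivered rule.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

# Added example (not SAP code): a simplified model of an ILM retention rule set
# and of a P_DURATION-style authorization period. Infotype numbers 0002 and 0008
# and country grouping 01 are real SAP values; every retention period, priority
# and personnel number below is a constructed sample value, not a delivered rule.


@dataclass(frozen=True)
class HrRecord:
    pernr: str              # personnel number (constructed sample)
    infotype: str           # e.g. "0008" = Basic Pay
    country_grouping: str   # MOLGA, "01" = Germany
    end_date: date          # end of validity; retention is counted from here


@dataclass(frozen=True)
class RetentionRule:
    infotype: str
    min_years: int          # must be kept at least this long (block, do not delete)
    max_years: int          # may not be kept longer than this (destroy)
    condition: Optional[Callable[[HrRecord], bool]] = None  # further criteria; None = always
    priority: int = 0       # when several rules match, the most specific (highest) wins


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def find_rule(rules: list, record: HrRecord) -> RetentionRule:
    """Walk the decision path: keep rules for this infotype whose extra criteria hold."""
    matches = [r for r in rules
               if r.infotype == record.infotype and (r.condition is None or r.condition(record))]
    if not matches:
        raise LookupError(f"no retention rule for infotype {record.infotype}")
    return max(matches, key=lambda r: r.priority)


def lifecycle_state(rules: list, record: HrRecord, today: date) -> str:
    """ACTIVE: still within the minimum period; BLOCKED: minimum reached, maximum not;
    DESTROY: maximum retention exceeded, record is due for the destruction run."""
    rule = find_rule(rules, record)
    if today < add_years(record.end_date, rule.min_years):
        return "ACTIVE"
    if today < add_years(record.end_date, rule.max_years):
        return "BLOCKED"
    return "DESTROY"


@dataclass(frozen=True)
class AuthorizationPeriod:
    """Models a P_DURATION authorization period: the user may read records whose
    validity ended no more than `years_back` years before today."""
    years_back: int


def access_allowed(period: AuthorizationPeriod, record: HrRecord, today: date) -> bool:
    return record.end_date >= add_years(today, -period.years_back)


# Constructed rule set: a generic rule per infotype plus a more specific rule for
# German (MOLGA 01) basic-pay records with a longer minimum retention.
SAMPLE_RULES = [
    RetentionRule("0002", min_years=0, max_years=10),
    RetentionRule("0008", min_years=1, max_years=10),
    RetentionRule("0008", min_years=3, max_years=10,
                  condition=lambda r: r.country_grouping == "01", priority=1),
]

# Constructed sample records, evaluated against today = 2017-06-01 in __main__.
SAMPLE_RECORDS = [
    HrRecord("00001234", "0008", "01", date(2015, 12, 31)),  # minimum 3y not yet reached
    HrRecord("00001234", "0008", "01", date(2010, 6, 30)),   # minimum reached, maximum not
    HrRecord("00005678", "0002", "01", date(2005, 1, 31)),   # maximum exceeded
]


def classify(rules: list, records: list, today: date) -> list:
    """One (pernr, infotype, state) tuple per record, as a destruction run would see it."""
    return [(r.pernr, r.infotype, lifecycle_state(rules, r, today)) for r in records]


if __name__ == "__main__":
    today = date(2017, 6, 1)
    for row in classify(SAMPLE_RULES, SAMPLE_RECORDS, today):
        print(row)
    period = AuthorizationPeriod(years_back=3)
    for rec in SAMPLE_RECORDS:
        print(rec.end_date, access_allowed(period, rec, today))
```

The hybrid described in the article corresponds to the two states: records in BLOCKED state remain in the system but fall outside the authorization period of ordinary HR users, while records in DESTROY state are handed to the archiving and destruction programs. Aligning the period's `years_back` with the minimum retention of the most common infotypes is what makes the block effective in practice; a period longer than that silently re-exposes blocked data.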

In contrast to the creation of the deletion concept, the subsequent technical implementation project should prefer implementing the deletion processes step by step rather than aiming for a 100% solution from the outset.

On the one hand, a few standard infotypes have no final archiving object yet; on the other hand, the technical focus should be on the individual infotypes and their associated archiving objects, so that the findings gained there feed back into the creation of simplified deletion rules.

Björn Meeder, IBS Schreiber

Björn Meeder is Auditor & Consultant SAP Security, SAP Certified Consultant HCM at IBS Schreiber.
