In part 1 of this blog, we discussed what the General Data Protection Regulation (GDPR) means for enterprises and how data and content, which is generated and stored in the course of day-to-day business processes in SAP is subject to this regulation. Our example was the incoming vendor invoice on paper, which is scanned, attached to the SAP transaction via ArchiveLink and then securely stored on the OpenText™ Archive Center. This paper invoice may contain a contact name of the supplier, a phone number, an email address, all data that when combined together could identify an individual, such as an employee of the supplier. This personal data is protected by GDPR.
Let’s recap: Collecting and processing data is legitimate as long as it serves a justified purpose, as defined by GDPR, “if data processing is needed for a contract, for example, for billing, a job application or a loan request; or if processing is required by a legal obligation …”
Justfied purposes for storing and retaining personal data include laws that govern retention of content, such as tax relevant data and documents, where retaining the scanned vendor invoice or a customer bill is not only justified but an obligation.
BUT: When the legitimate reason for the procession has expired, the transactional data and the attached ArchiveLink document need to be deleted. In our example above, the scanned vendor invoice needs to be retained as long as taxation laws require, but be deleted just after this retention period, which is 10 years in Germany for example.
This means that enterprises are advised to set up retention rules to govern the necessary retention AND put processes in place that will delete data and attached content in a timely fashion, when it is no longer needed, or when the justified purpose for retention has expired.
Retention Management for SAP® Data and Related Content
Neither OpenText nor SAP can provide legal advice or guidance in this matter, but they do offer software capabilities that help customers set up policies and procedures for retention and deletion of transactional data and attached content.
The products that play together here are SAP® Information Lifecycle Management (SAP ILM) and OpenText™ Enterprise Content Management solutions for SAP: OpenText™ Archiving, Document Access and Extended ECM for SAP Solutions (see OpenText Suite for SAP).
SAP ILM provides records management for SAP data and can also be configured to apply the same retention schedule to the attached SAP ArchiveLink documents. However SAP ILM itself does not provide the storage for data and documents but relies on ILM aware platforms for this purpose. OpenText Archiving, Document Access and Extended ECM provide the compliant ILM aware platform for ILM data files and ArchiveLink documents. These solutions store the content, enforce the retention and holds from ILM and pass it up to the hardware level, and, at the end of the lifecycle, execute the deletion request coming from SAP ILM. SAP ILM acts here as leading application for the retention management of SAP data and attached ArchiveLink documents.
So far so good, if you only look at SAP data and attached ArchiveLink documents.
Enterprise Wide Records Management
However, personal information in business documents does not stop at the boundaries of the SAP applications. You will also have content outside SAP, which you want to retain and manage, put under records management and execute timely deletion when the reason for retention has expired. This is where Extended ECM for SAP Solutions comes into play.
Extended ECM provides DoD certified records management for SAP ArchiveLink documents as well as NON-SAP content, which can be related to SAP business objects via the ECMLink module. A customer that wants to benefit from the DoD certified records management for documents can use Extended ECM for all unstructured content inside and outside SAP, whereas SAP ILM provides the records management for SAP data.
If SAP ILM is to delete data which relates to Extended ECM content that has not yet expired, both solutions can synchronize, so that business documents in Extended ECM will not be orphaned by SAP ILM. At the same time, Extended ECM represents the ILM aware storage platform for SAP data and documents. So SAP ILM together with Extended ECM for SAP Solutions can manage the retention of data and unstructured content inside and outside SAP.
Where to Find More Information
Learn more about OpenText’s capabilities to support GDPR requirement by reading our other blogs here and here. You can also visit our main web site and learn how OpenText EIM offers capabilities that support customers to prepare for GDPR.