GDPR for SAP: What’s the impact two years on?

June 12, 2020
Written by Paul Hammersley

Paul has for many years been a remarkable technical force at EPI-USE Labs. As VP of the ALM Products, his portfolio includes System Landscape Optimization, and his hands-on experience of implementing Data Sync Manager and helping clients to manage data across the breadth of their SAP landscapes is unique. He has specialised knowledge about data security and how GDPR (the General Data Protection Regulation) impacts companies running SAP.


Early movers

It’s hard to believe it's only been two years since the General Data Protection Regulation (GDPR) came into force. This is partly because there was a long sunrise period during which we were extremely busy with clients who were being very proactive around their SAP compliance, in advance of the ‘deadline’.


We introduced some features in double-quick time to enable specific use cases that these clients needed, such as being able to exit the process of submitting someone for redaction, so that other processes could be embedded. We also enabled exits to adapt the output of data, and even provide charts of information as part of a Subject Access Request. For the most part, those early adopters implemented the scope agreed before GDPR came into force, and that’s how their solutions have remained.

More recent implementations

I was surprised at how we actually had so many more clients sign up for our solutions after May 2018. This included organisations who had identified processes they needed to support, and had been looking for vendors, or weighing up the level of effort to try to do something themselves. Many of those had more systems in scope, and complex relationships between groups of systems. This required more consideration around how we implement, rather than many new feature requests. The things we’d envisaged and discovered early on at clients seemed to cover most of what the later clients also wanted to do. We had some unexpected needs to support complex language characters in the PDF output, and some capability to allow multiple brands to be supported from one SAP system, which meant introducing a ‘company’ concept with Data Disclose™ to control the logo and free text for output. But apart from that, it was interesting new data types, but using the same extensible model.

Partial removal of data

One of the big benefits of Data Redact™ has proved to be the laser-like focus you can apply to defining what to redact or even remove. For example, keeping a record of employees who have left seems to be something many companies do for a long time, but removing their family members’ details needs to happen very soon after they have left.


Another good example is removing contact persons at a Customer or on a Sales Order, without the need to archive the entire customer master and its order history. This capability to redact or remove just parts of the data is much harder to achieve, or completely impossible in some cases, with standard SAP archiving and ILM.

New functionality

In the latest release (build 148) of Data Sync Manager 5, the base for our Data Privacy/GDPR Compliance suite, there are some nice new features:


  •  PII Type and LP Type editors, which make configuration of extensions much easier
  •  A dedicated launchpad within the SAP GUI version
  •  A Monitor Desk for Data Redact™ to allow more detailed visibility of run information

We do have a few more things currently in the pipeline too, so watch this space!



New call-to-action




Explore Popular Tags

GDPR Data Privacy data security data secure data scrambling GDPR compliance POPI Act POPIA Data Sync Manager Data Redaction Right to be forgotten GDPR readiness General Data Protection Regulation SAP GDPR Data Archiving Data Redact GDPR deadline sap personal data Data privacy compliance SAP data privacy and compliance SAP systems SAR Subject Access Request Access risk controls CCPA Data privacy regulations European operations Federal Law GRC for SAP May 2018 Right to Erasure Risk monitoring SAP Data Security SAP security anonymised data compliance test data management Australian Privacy Act 1988 Breach Notification Brexit Budget COVID-19 Canada data privacy legislation Client Sync Cloud migrations Consent DSM Data Portability Data privacy by design Documentation Europe Friday 25 May 2018 GDPR-type legislation Governance, Risk Management and Compliance (GRC) HCM HR ICO Information Commissioner’s Office Information transfer Infotype 41 Object Sync Penalties Privacy by Design Proportional Data Right to Access Risk management S/4HANA Migrations SAP S/4HANA SAP data Secure scrambled production data for testing Security Security for SAP. Live South African data privacy legislation Success Factors Territorial Scope UK Government Virtual conference What does the European GDPR mean for Australia? masking rules quality of test data system copy
+ See More

Get Instant Updates

Leave a Comment: