-
SOFTWARE
SOFTWARESAP HCM & PayrollQuery Manager Query Manager Add-ons Document Builder Variance Monitor DSM for HCM HCM Productivity Suite FLOW GeoClockSAP Landscape & Test Data ManagementData Sync Manager (DSM) suite - System Builder/Shell Sync - Object Sync - Client Sync - Data Secure Archive CentralSupport & TrainingClient Central E-learning & trainingSAP Data Privacy & SecurityData Privacy suite - Data Secure - Data Disclose - Data Redact - Data Retain Soterion (GRC)
-
SERVICES
SERVICESSAP HCM & PayrollPRISM for HR & Payroll SAP SuccessFactors Integration monitoring Payroll reporting Report writingClient-specific DevelopmentCustom development SAP BTPSAP Landscape & Test Data ManagementPRISM Migrations to S/4HANA System Landscape Optimization (SLO) Managed data refresh servicesSAP Data Privacy & SecuritySAP data privacy assessment serviceMass data removal services Data privacy consultingCloud and Application Managed ServicesFunctional AMS Cloud management services Cloud migrations Basis managed services Private cloud hosting SAP on AWS SAP on Azure Premium Support Services RISE BRIDGE Managed Services
- All Solutions
- Request Estimate
-
Resources
Resources Blogs Read the latest updates on SAP SLO, SAP HCM, Data & Privacy, and Cloud Webinars Access expert insights in live and recorded webinars Video library Watch videos and improve your SAP knowledge
- About
Retention period: A minimum or a maximum?
As Senior Vice-President of the ALM Products at EPI-USE Labs, Paul Hammersley's portfolio includes test data management, landscape optimisation, and archiving. He has been a remarkable technical force in the SAP arena for over 20 years, and has extensive hands-on experience of implementing Data Sync Manager (DSM) and helping clients to manage data across the breadth of their SAP landscapes.
GDPR: are retention periods being considered a minimum or a maximum?
I’ve recently been in several meetings where a Data Protection Officer (DPO) or internal legal advisor has been discussing GDPR with IT team members. Interesting to see people with very different backgrounds and responsibilities discussing the various challenges of GDPR they are facing jointly. Several of the DPOs were keen to stress that a lot of the elements affected by GDPR are already in force as a result of existing country legislation created to comply with the 1995 Data Protection Directive. For them, GDPR was in many ways welcome, because it’s ensuring that organisations take their obligations very seriously - even if those obligations are already there now, but have perhaps been overlooked.
There were many interesting discussions and viewpoints, but I also noticed in many cases a disconnect in the how the two different worlds communicate on the same topic.
Let me give you one example that I think explains this. If an organisation has a detailed ‘Data Retention policy’ which states that data type x is kept for five years, does that just mean that the data is kept for at least five years, or also that the data is actively destroyed when it is five years old? Several DPOs/Auditors spoke of an existing retention policy with the clear assumption that the latter is the case. No-one from the IT teams wanted to challenge that, and explain that although the retention policy was there, it wasn’t driving any active removal of older data. The IT teams' understanding was that data had to be retained for at least this time period, but not that it had to be destroyed when it passed that age.
With GDPR, these conflicting views on what a retention policy means will be exposed, and will need to be resolved - the sooner the better. While document management systems normally have a built-in retention period that focuses on removing old data, the majority of IT systems do not, and so organisations will be looking for technology solutions that they’ve never previously thought they needed.
Posts by Topic
- GDPR (41)
- Data Privacy (32)
- Data Security (31)
- Data Secure (21)
- GDPR compliance (19)
- Data Redaction (13)
- data scrambling (13)
- Data Redact (12)
- General Data Protection Regulation (12)
- POPI Act (11)
- POPIA (10)
- SAP Data Security (10)
- SAP GDPR (10)
- SAP data privacy and compliance (10)
- Data Archiving (9)
- Data Sync Manager (9)
- Data privacy regulations (8)
- Right to be forgotten (8)
- Data privacy compliance (7)
- GDPR readiness (7)
- GDPR deadline (6)
- Personal data (6)
- SAP (6)
- SAP security (6)
- SAP systems (6)
- GRC for SAP (5)
- SAP data privacy and security (5)
- Access Risk management (4)
- Access risk controls (4)
- Data Privacy suite (4)
- Data minimisation (4)
- Data security breaches (4)
- Governance, Risk Management and Compliance (GRC) (4)
- compliance (4)
- COVID-19 (3)
- Data privacy by design (3)
- Risk monitoring (3)
- SAP data copying and masking (3)
- SAR (3)
- Soterion (3)
- Subject Access Request (3)
- anonymised data (3)
- Australian Privacy Act 1988 (2)
- CCPA (2)
- Client Sync (2)
- Data Protection Day (2)
- Data masking (2)
- EPI-USE Labs’ solutions (2)
- European operations (2)
- Federal Law (2)
- GDPR fine (2)
- Guest order (2)
- ICO (2)
- May 2018 (2)
- Object Sync (2)
- One-time customer (2)
- Privacy by Design (2)
- Reducing risk (2)
- Right to Erasure (2)
- Risk minimisation (2)
- S/4HANA Migrations (2)
- SAP S/4HANA (2)
- SAP data privacy & security (2)
- Secure scrambled production data for testing (2)
- Test Data Management (2)
- security breach (2)
- Backlog privacy debt (1)
- Black Friday (1)
- Black Friday hangover (1)
- Black Friday sales (1)
- Breach Notification (1)
- Brexit (1)
- Budget (1)
- Canada data privacy legislation (1)
- Cenoti (1)
- Cloud migrations (1)
- Confidentiality (1)
- Consent (1)
- DSM (1)
- DSM Readiness Assessment (1)
- Data Diclose (1)
- Data Portability (1)
- Data Removal (1)
- Data Replication (1)
- Data Sync Manager (DSM) (1)
- Data integrity (1)
- Data privacy assessment (1)
- Data processor versus controller (1)
- Data retention rules (1)
- Documentation (1)
- Employee data (1)
- Europe (1)
- Friday 25 May 2018 (1)
- GDPR-type legislation (1)
- GRC (1)
- GRC for SAP tools (1)
- General Data Protection (1)
- HCM (1)
- HR (1)
- ILM (1)
- Information Commissioner’s Office (1)
- Information transfer (1)
- Infotype 41 (1)
- JSOX (1)
- New Zealand Privacy Act (1)
- News (1)
- Online shopping (1)
- Penalties (1)
- Personal Data Protection Law (PDPL) (1)
- Proportional Data (1)
- Protect personal employee data (1)
- Removing data in SAP (1)
- Right to Access (1)
- Rise with SAP (1)
- Risk management (1)
- S4HANA (1)
- SAP Cloud (1)
- SAP Data Privacy Suite (1)
- SAP RISE (1)
- SAP SuccessFactors (1)
- SAP access risk simulations (1)
- SAP data (1)
- SAP data encryption (1)
- SOX (1)
- Sarbanes-Oxley (SOX) legislation (1)
- Saudi Arabia (1)
- Security (1)
- Security for SAP. Live (1)
- Sensitive HCM data (1)
- South African data privacy legislation (1)
- Success Factors (1)
- Territorial Scope (1)
- UK Government (1)
- User Access Review (1)
- Virtual conference (1)
- What does the European GDPR mean for Australia? (1)
- ebook (1)
- masking rules (1)
- quality of test data (1)
- system copy (1)
- uk sox (1)
Blog Archive
- July 2024 (1)
- November 2023 (1)
- October 2023 (1)
- March 2023 (1)
- October 2021 (1)
- July 2021 (2)
- June 2021 (1)
- May 2021 (1)
- February 2021 (1)
- January 2021 (1)
- November 2020 (2)
- October 2020 (1)
- September 2020 (2)
- August 2020 (1)
- June 2020 (2)
- January 2020 (1)
- November 2019 (1)
- October 2019 (1)
- September 2019 (2)
- August 2019 (1)
- July 2019 (2)
- January 2019 (2)
- November 2018 (3)
- October 2018 (6)
- September 2018 (2)
- July 2018 (1)
- May 2018 (1)
- April 2018 (1)
- March 2018 (1)
- January 2018 (1)
- December 2017 (1)
- November 2017 (2)
- August 2017 (1)
- July 2017 (2)
- June 2017 (1)
- May 2017 (3)
- February 2017 (1)
- January 2017 (1)
- October 2016 (1)
- June 2016 (1)
Leave a Comment: