The General Data Protection Regulation (GDPR) presents particular challenges for organisations with SAP systems: personal data is distributed across numerous modules, tables and customising settings. A systematic approach is required to meet legal requirements without endangering operations.
The first step is stocktaking: where is personal data located in the SAP system? The key areas: HR master data (infotypes 0001–0999 and custom infotypes), vendor and customer master data (LFA1, KNA1), user master data (USR02, USR21), business partners (BUT000), applicant data and custom tables with personal references. Create a record of processing activities (Art. 30 GDPR) with all tables and fields containing personal data.
GDPR requires deletion of personal data when the processing purpose no longer applies and no retention obligations exist. SAP Information Lifecycle Management (ILM) supports this process: define retention rules per data object, consider legal retention periods, use ILM retention management functions for automated review and deletion, and document the deletion process for accountability. An important distinction is technical deletion versus blocking: when immediate deletion is not possible (e.g. because a retention period is still running), the record must be blocked so that only authorised access remains possible, and deleted once the retention period has expired.
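The deletion-versus-blocking decision described above, modelled in Python as an added illustration (not SAP code and not ILM's real rule format): a record whose purpose has ended is blocked while any retention obligation still runs and deleted only once the longest one has expired. Table names come from the page; the retention periods, rule and record types are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class RetentionRule:
    # Constructed rule format (not ILM's own): one retention obligation per data
    # object, counted in whole years from the record's retention start date.
    data_object: str   # e.g. "LFA1" (vendor master) or "PA0002" (HR infotype)
    reason: str        # which obligation the rule encodes
    years: int

@dataclass(frozen=True)
class Record:
    data_object: str
    key: str
    end_of_purpose: Optional[date]  # None: the processing purpose still applies
    retention_start: date           # e.g. end of the fiscal year of the last posting

def add_years(d: date, years: int) -> date:
    # Shift a date by whole years; 29 Feb falls back to 28 Feb in non-leap years.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def decide(record: Record, rules: list[RetentionRule], today: date) -> tuple[str, str]:
    """Classify a record as ACTIVE, BLOCK, DELETE or REVIEW and state why; the
    justification is what the deletion documentation must retain."""
    if record.end_of_purpose is None or record.end_of_purpose > today:
        return "ACTIVE", "processing purpose still applies"
    applicable = [r for r in rules if r.data_object == record.data_object]
    if not applicable:
        # A missing rule may be a gap in the inventory, not a missing obligation.
        return "REVIEW", "purpose ended but no retention rule is defined for this data object"
    longest = max(applicable, key=lambda r: r.years)  # the longest obligation governs
    expiry = add_years(record.retention_start, longest.years)
    if today < expiry:
        return "BLOCK", f"retain until {expiry.isoformat()} ({longest.reason}); restrict access"
    return "DELETE", f"retention expired on {expiry.isoformat()} ({longest.reason})"

def run_review(records, rules, today):
    # One log line per record: data object, key, action, justification.
    return [(r.data_object, r.key, *decide(r, rules, today)) for r in records]

# Constructed sample rule set and records; periods are placeholder values.
RULES = [RetentionRule("LFA1", "tax-relevant accounting documents", 10),
         RetentionRule("LFA1", "commercial correspondence", 6),
         RetentionRule("PA0002", "payroll records", 6)]
RECORDS = [Record("LFA1", "0000100001", date(2015, 6, 30), date(2015, 12, 31)),
           Record("LFA1", "0000100002", date(2010, 3, 1), date(2010, 12, 31)),
           Record("PA0002", "00001234", None, date(2024, 12, 31)),
           Record("BUT000", "0000000042", date(2023, 1, 1), date(2023, 12, 31))]

if __name__ == "__main__":
    for line in run_review(RECORDS, RULES, date(2025, 7, 1)):
        print(*line, sep=" | ")
```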
GDPR grants data subjects extensive rights: right of access (Art. 15), right to rectification (Art. 16), right to erasure (Art. 17), right to restriction of processing (Art. 18) and right to data portability (Art. 20). In SAP, this means you must be able to identify and output all data stored about a person. SAP provides the Data Privacy Integration (DPI) framework as a technical foundation for implementing these rights.
GDPR requires traceability of data access. Configure the Security Audit Log for access to tables containing personal data. Use Read Access Logging (RAL) for logging read access to sensitive data – a feature SAP developed specifically for GDPR requirements. RAL records who accessed which personal data and when.
An often overlooked aspect: during system copies, production data is transferred to non-production systems. GDPR applies here too. Measures: perform data masking after every system copy, restrict and document access to non-production systems and use synthetic test data instead of production data where possible. Document your process – auditors and data protection officers ask specifically about this.
If your SAP landscape includes systems in different countries or uses cloud services outside the EU, you must secure cross-border data transfers. Execute Standard Contractual Clauses (SCC) with SAP and sub-processors, perform Transfer Impact Assessments and implement technical measures such as encryption and pseudonymisation.
GDPR compliance in SAP is a cross-cutting topic that equally affects Basis, authorisations, development and business departments. Start with data inventory and the deletion concept – these are the fundamentals. Tools such as SAP ILM and DPI facilitate implementation but do not replace substantive engagement with the requirements.