European Data Protection Requirements reach the SAP Banking Community

08/02/2017 | News & Press

The comprehensive compliance requirements for data protection from the European General Data Protection Regulation (EU-GDPR) were one of the main topics at this year’s DSAG conference of the SAP Banking working groups. Some SAP Banking users have analyzed the requirements, and have started – or are preparing – implementation projects. It is just starting to dawn on some others that it is an item on the agenda. “The requirements from the EU-GDPR are not trivial, and the timeframe for implementing them is limited,” commented Konrad Wehner, speaker at the DSAG conference, from the SAP Banking consulting specialists b²tec Software GmbH.

Apart from more operationally-oriented topics – like expanded verification and documentation obligations for processes and systems, as well as for contracts with customers, employees, and service providers – there were topics with a high relevance for IT. For instance, customers have the right to the portability of their personal data in electronic form, as well as access to all data that has been saved about them, including archived data.

The largest task will probably be deleting personal data or limiting access to, or use of, that data. Like many of the points mentioned above, this requirement is not really new, since it was already found in the Federal Data Protection Act (BDSG). However, the EU-GDPR brings with it a drastic change in the possible penalties – instead of a maximum of 300,000 euros, fines can now amount to up to four percent of annual global revenue. Hence, in addition to risks to corporate reputation, there is now a substantial financial risk.

The deletion or limitation of data use will potentially make up the lion’s share of project budget estimates, because the myriad retention periods resulting from numerous legal regulations must still be followed. The principle “retain before delete” applies here, but only until the exact expiration date of the retention period. An additional complication is that personal data that might prove relevant for the prosecution of legal cases must not be deleted – referred to as a “legal hold” in Anglo-American parlance.


SAP recommends using SAP Information Lifecycle Management (SAP ILM) for complying with the European General Data Protection Regulation. Information Lifecycle Management facilitates the management of the lifecycle of both productive and archived (personal) data. Rules that map legal or regulatory retention specifications can be defined; data that is relevant for legal cases can be protected from deletion; and ultimately, the deletion of data takes place exactly at the defined point in time. Of course, SAP ILM only works on data sets that are administered using SAP.

b²tec supports several well-known German banks in the conceptual preparation and operational/technical implementation of the EU-GDPR. In this context, b²tec employees have accompanied comprehensive preliminary studies of the EU-GDPR at home and abroad in Europe. They are currently engaged in implementation projects at two large banking institutions.