
Guide for Blocking and Deletion – Data Controller Rule Framework


SAP S/4HANA Cloud

© 2018 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see for additional
trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with
respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.

SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related
presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies
at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and
uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied
upon in making purchasing decisions.



SAP Services

Published Date 7th May 2018

Version History

Revision   Change Date      Description
1          May 04th, 2018   Guide for Blocking and Deletion – Data Controller Rule Framework SAP S/4HANA Cloud - Draft Version
2          May 07th, 2018   Guide for Blocking and Deletion – Data Controller Rule Framework SAP S/4HANA Cloud - Final Draft Version



Contents
1 Introduction
Preparation
Tools
1.2.1 Create and maintain default audit area for retention rule generation
1.2.2 Define time references
1.2.3 Define purposes
1.2.4 Maintain data controllers
1.2.5 Create and simulate ILM rules
1.2.6 Activate ILM rules



1 Introduction

You use the Data Controller Rule Framework to ensure that personal data can be stored according to applicable legal
requirements and in compliance with general data privacy acts. Any personal data collected or processed is linked to a
predefined purpose. The data controller determines the purposes for which and the manner in which any personal data is
to be processed. Even after the residence period (which represents the primary purpose for which the personal data was
initially stored) ends, personal data can still be retained for other explicit legal reasons. The reasons include retention
periods prescribed by law, statutes, or contracts. After the end of all retention periods, personal data shall be destroyed.
The Data Controller Rule Framework simplifies the maintenance of these residence periods and retention periods. It
provides the definition of purposes as reasons for storing personal data representing the used business processes and
the involved business objects. The definition of the data controller assigns the line organization attributes, which represent
the data controller in the system. The rule maintenance is based on the data controller and the purposes defined for a
data controller. The data controller and purposes are related to the data in the system as well as to the Information
Lifecycle Management (ILM) objects. The activation of maintained rules creates all the required ILM configuration and
policies for each assigned ILM object according to its individual settings.
A customer key user who is responsible for maintaining retention and residence rules will define these rules during the
initial preparation of the system and also later as and when any adjustment is needed.

Preparation

The Data Controller Rule Framework requires the following applications and roles:


Fiori Application name: ILM Audit Area
Business Role required: SAP_BR_DATA_PRIVACY_SPECIALIST
Use: Using this app, you can create new audit areas and edit existing audit areas.

Fiori Application name: Data Controller Rule Framework SSCUI - Define data controller
Business Role required: SAP_BR_BPC_EXPERT
Use: With this app, you can define the data controller, assign organization entities and set conditions for the organization entities.

Fiori Application name: Data Controller Rule Framework SSCUI - Define purpose of retention rules
Business Role required: SAP_BR_BPC_EXPERT
Use: With this app, you can define a purpose, assign ILM objects to purpose, and maintain condition fields. The purpose can be used when defining retention rules in SAP ILM or when providing information on personal data.

Fiori Application name: Data Controller Rule Framework SSCUI - Set time reference and time offset
Business Role required: SAP_BR_BPC_EXPERT
Use: With this app, you can set the default time reference and time offset for an ILM object. This would be used in the rule generation for all ILM policies.

Fiori Application name: Data Controller Rule Framework SSCUI - Set default audit area
Business Role required: SAP_BR_BPC_EXPERT
Use: With this app, you can set the default audit area for the rule generator.

Fiori Application name: Manage ILM Business Rules
Business Role required: SAP_BR_DATA_PRIVACY_SPECIALIST
Use: Using this app, you can create and edit ILM business rules.



For the purpose of this guide, it is assumed you will use two organizational entities: Germany (company code 1010) and
US (company code 1710) and two purposes as reasons to store personal data. Both entities process personal data due to
sales of books and sales of tax advisory services. Each purpose requires different retention and residence periods for
these entities. Different sales order types are used to process sales of books (OR) and tax advisory services (L2). Next
you create and activate ILM rules for. The table below summarizes combinations of data controllers and purposes:

Org. entity - Company Code   Data controller   Purpose        Order type   Residence   Retention
Germany [1010]               DE_DC             Books          OR           1 day       1 day
Germany [1010]               DE_DC             Tax services   L2           1 day       2 days
US [1710]                    US_DC             Books          OR           1 day       1 day
US [1710]                    US_DC             Tax services   L2           1 day       3 days
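
As an added illustration (not part of the SAP guide and not SAP ILM's own calculation), the sketch below models the rule matrix from the table so that gaps and lifecycle transitions can be checked before the rules are created. It assumes both periods are counted in whole days from the time reference plus offset with inclusive end days, and uses "blocked" for the window between the end of residence and the end of retention. The purpose ID TAX_SERVICES and all class and function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import product

# Rule matrix from the guide's table; periods are in days.
CONTROLLER_BY_COMPANY_CODE = {"1010": "DE_DC", "1710": "US_DC"}
PURPOSE_BY_ORDER_TYPE = {"OR": "BOOKS", "L2": "TAX_SERVICES"}  # TAX_SERVICES is an assumed ID
RULES = {  # (data controller, purpose) -> (residence, retention)
    ("DE_DC", "BOOKS"): (1, 1),
    ("DE_DC", "TAX_SERVICES"): (1, 2),
    ("US_DC", "BOOKS"): (1, 1),
    ("US_DC", "TAX_SERVICES"): (1, 3),
}

@dataclass(frozen=True)
class SalesOrder:  # constructed stand-in for an SD_VBAK record
    company_code: str
    order_type: str
    last_change_date: date  # the guide's example time reference

def rule_findings(rules):
    """Report uncovered controller/purpose pairs and retention shorter than residence."""
    pairs = product(set(CONTROLLER_BY_COMPANY_CODE.values()), set(PURPOSE_BY_ORDER_TYPE.values()))
    findings = [f"missing rule: {c}/{p}" for c, p in sorted(pairs) if (c, p) not in rules]
    findings += [f"retention < residence: {c}/{p}"
                 for (c, p), (res, ret) in sorted(rules.items()) if ret < res]
    return findings

def lifecycle_state(order, today, offset_days=0):
    """Classify an order as 'active', 'blocked', 'destroy' or 'no-rule' on a given day."""
    key = (CONTROLLER_BY_COMPANY_CODE.get(order.company_code),
           PURPOSE_BY_ORDER_TYPE.get(order.order_type))
    if key not in RULES:
        return "no-rule"  # surface the gap instead of guessing a period
    residence, retention = RULES[key]
    start = order.last_change_date + timedelta(days=offset_days)
    if today <= start + timedelta(days=residence):
        return "active"
    if today <= start + timedelta(days=retention):
        return "blocked"  # residence over, a retention period still running
    return "destroy"      # all periods have ended

def timeline(order, days):
    """States for the time-reference day and each of the following `days` days."""
    return [lifecycle_state(order, order.last_change_date + timedelta(days=d))
            for d in range(days + 1)]
```

With equal residence and retention periods, as in the Books rows, the model never enters the blocked state: the order moves from active straight to destruction.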



Tools

1.2.1 Create and maintain default audit area for retention rule generation

Log on with the Business Role SAP_BR_DATA_PRIVACY_SPECIALIST.


You will create a new Audit Area, which will be used by the Business Rule Generator to create retention rules.
If you already have such an audit area, you can skip this step.

Open the ILM Audit Area app.

Choose New. On the Audit Area: NEW screen, enter a name for the audit area which starts with Y
or Z, a description, and select the policy category Retention Rules.

Scroll down the list of ILM Objects until you see the desired object. Include the object in this Audit
Area by selecting the checkbox Object Assignment.
Choose Save.



1.2.2 Define time references

Log on with the Business Role SAP_BR_BPC_EXPERT.


Open the Manage Your Solution app.

Choose Configure Your Solution.

On the next screen, select:


Application Area: Enterprise Technology
Sub Application Area: Retention Management
Choose Go.



You will be presented with one configuration option, Rule Generator. Choose this line.

To select Set Default Audit Area, choose Configure.

Using the search function, choose the default Audit Area for rule generation and save your changes.



Go back to the Configure Your Solution – Rule Generator screen and choose Configure for Set Time Reference and
Time Offset.

To view the objects that are already available, choose Go. If the object for which you want to set up a time reference is
already on the list, select the line and skip the next step.
If the object you need is not yet available, choose the + icon on the Define Time Reference screen.



On the next screen, enter the required information in the fields, for example:
ILM Object: SD_VBAK
Time Reference: LAST_CHANGE_DATE
Time Offset:
Choose Save.
Go back to the Configure Your Solution – Rule Generator list.



1.2.3 Define purposes

You will create two new purposes for data processing: sales of books and sales of tax advisory services.
The purpose represents a business process that groups the ILM objects that are relevant for the process. These ILM objects have
the same residence rules and retention rules. In this guide, we will use the object SD_VBAK (sales order).

Log on with the Business Role SAP_BR_BPC_EXPERT, choose the Configure Your Solution app and
access the configuration option Rule Generator. Choose Configure in the line Define Purpose of
Retention Rules.

To view the purposes that are already available, choose Go. If the purpose for which you want to set up time reference is
already on the list, select the line instead of creating a new purpose.
On the Define Purpose screen, choose the + icon to create the purpose.



On the next screen, enter the required values in the following fields, for example:
Purpose ID: BOOKS
Purpose Description: Books sales
Choose Save.
Select the newly created purpose from the list. You might need to choose Go to view it.
On the ILM Object Assignment tab, choose Add.
In the Assign ILM Object dialog box, add an ILM object that you want to assign, for example, SD_VBAK.
Choose Save.
Select the newly created object from the ILM Object list.

Choose Add. On the ILM Object Condition Assignment tab, choose the field for Condition, and enter condition values in
the From and To fields. Choose Save and go back to the Configuration User Interfaces list.

You can repeat the steps and create another purpose, e.g. sales of tax advisory services, with the
same condition field (sales order type) but a different condition value (order type L2).



1.2.4 Maintain data controllers

Log on with the Business Role SAP_BR_BPC_EXPERT, choose the Configure Your Solution app and
access the configuration option Rule Generator. Choose Configure in the line Define Data Controller.
You will create two new data controllers for two new entities: DE and US.

To view the objects that are already available, choose Go.


On the Define Data Controller screen, choose the + icon to create the object.
On the next screen, enter the required information in the fields, for example:
Data Controller: DATACONTROLLER
Description: Data Controller
Choose Save.



Go back to the previous screen and select the newly created object from the list. To view the objects that are already
available, choose Go.
On the Organizational Entity Details tab, choose Add.
From the Select: Organizational Entity dialog box, select an organizational entity, for example, company code (BUKRS).
Choose Save.
To assign the entity to a data controller, choose Save.



1.2.5 Create and simulate ILM rules

Log on with the Business Role SAP_BR_DATA_PRIVACY_SPECIALIST.

With the Manage ILM Business Rules app, you can create, delete, edit, and display business rules. In this step, you create
new ILM business rules and simulate the results.
From the Information Lifecycle Management group, choose the Manage ILM Business Rules app.

To view the purposes that are already available, choose Go.


In the Manage ILM Business Rules app, choose the + icon to create a new rule.
In the General Information section, make entries as required, for example:
Business Rule ID: DE_BOOKS
Rule Description: Rule DE Books
Data Controller Name: DE_DC
Rule Start Date: <choose, for example, the current day – you can’t enter a past date>
Residence Period: 1
Time unit: Day
Retention Period: 1
Time unit: Day
Purpose: BOOKS
Choose Save.



ILM Business rules are created in Draft Status. If you want to simulate newly created draft rules,
first choose Refresh, then choose the line you want to simulate.

On the next screen, choose Simulate.

Check simulated rules and choose Close.

You can repeat the steps and create another rule for sales of tax services, then create the rules
for the data controller of the other entity (US_DC).



1.2.6 Activate ILM rules

Log on with the Business Role SAP_BR_EXTERNAL_AUDITOR.

From the Information Lifecycle Management group, choose the Manage ILM Business Rules app.

Select the business rule and choose Activate.

To see the status change from Draft to Active, choose Refresh after activation.
Choose the line of the DE_BOOKS rule.

On the next screen, go to the Generated Rules tab and to the rules that are automatically created.
