Putting a Plan in Place

A data retention policy is the first step in protecting an organization’s data against financial, civil, and criminal penalties. But a policy is only effective when it is put into action. Many companies spend time developing and reviewing retention policies, but have little knowledge of how to apply those polices to the electronic data in their SAP systems or how to remain compliant as retention requirements change over time.

Departments such as legal, finance, and HR must have a strong understanding of how retention requirements apply to the business — but they are not alone. The IT department needs to know how and when to apply those retention rules to electronic data.

Best Practices for Electronic Data Retention

Retention policies must be mapped directly to SAP components, such as sales and distribution and materials management, as well as the tables and fields that are affected. More important, purge dates must be defined so that data is destroyed when it reaches its end of life. While the IT team is responsible for applying retention policies in the system, it is essential that the business stakeholders participate in the process and ensure the data retention policies are implemented correctly. In particular, they must pay special attention to any data that is subject to legal or audit holds. This data must be retained beyond its standard purge date, and the business must provide the IT team with the exact criteria necessary to determine what data must be retained, such as company codes, date ranges, personnel numbers, and document numbers.

The most important thing for both business stakeholders and the IT team to remember is that retention requirements are never static. Policies need to be updated as the business and technologies change to ensure that the organization stays in compliance with regulations. In addition to annual or periodic reviews, retention policies should be reviewed whenever one of the following events occurs:

• New systems, such as cloud applications, are added to the IT landscape
• The business goes through a transformation, such as a merger, acquisition, or divestiture
• New laws and regulations are put in place
• The business experiences heightened risk due to increased oversight or threats from hackers

Finally, it’s a good idea to conduct an independent internal review or have a third party validate that the policies are mapped and correctly correspond to your electronic data.

Benefits of a Centralized Retention Solution

To make the retention of electronic data easier, there are several solutions, such as Dolphin Retention Management, that can help the business and IT teams work together to ensure policies are applied consistently. These solutions enable organizations to centrally define, apply, and monitor data retention rules in SAP systems. They also enable teams to set purge dates — either manually or automatically based on the defined data retention criteria — that can trigger approval workflows to ensure data is reviewed by the business users before it is purged and destroyed. This is particularly useful in the case of legal or audit holds, where these solutions can automatically prevent protected data from being purged and ensure that the proper review process is in place.

When you have a retention action plan in place, you can be confident that retention rules are correctly applied to electronic data and that they are regularly reviewed and validated. Implementing a solution to automate data retention can provide greater consistency and visibility of this action plan across the organization. For more information on data retention in SAP systems and data retention solutions, visit www.dolphin-corp.com.