SAP Information Lifecycle Management (SAP ILM) is a data lifecycle management tool. Used correctly, SAP ILM makes it possible to make your company GDPR compliant.

GDPR covers your customers, your suppliers, clients, vendors, members, guests, employees and other relations connected to your business.

According to GDPR, we need to have control over our data. You need to consider HOW long you need the data, WHY you need it, and WHO decides when to DELETE it and how much within a certain period.

Atronas consultants are certified in ILM.

We will gladly help you with SAP ILM, SAP GDPR, or both, to optimize the archiving of your SAP landscape and at the same time make your landscape GDPR compliant according to your company’s GDPR responsibilities.

To provide ILM/GDPR rules, you must consider which data you want to keep in your system and how much within a certain period.

SAP Information Lifecycle Management (SAP ILM) & General Data Protection Regulation* (GDPR) enhance SAP standard delivery with the ability to manage the lifecycle of live and archived data based on rules.

The main purpose is to enhance individuals’ control and rights over their personal data. National laws often have an influence on which data are considered personal data. E.g. in Denmark religion is considered personal data. In Germany it’s not!

With SAP ILM / GDPR we can do that and apply some ILM policies at the same time.

Save your resources. Do both.

7 Key Principles

We need to use ILM-specific data archiving functions. Information Lifecycle Management forces us to consider scheduling archiving and destruction runs, using archiving objects and data destruction objects, according to your ILM policies:

  • Retention / Residence period
  • Period
  • Time reference for the data object
  • Time off


  • Authorization groups (SAP)

SAP has included retention management functions from ILM in its SAP NetWeaver Runtime license, making the ILM/GDPR functions license-free.

What is data retention

Data retention refers to the length of time that data is kept by the organization that gathered it. Data archiving describes the intentional preservation of data in a format that makes it easy for collaborators to refer back to. And data disposal is the process of deleting data in a safe and responsible manner.

SAP Data Retention Manager provides the ability for the Data Protection Officer to create residence and retention rules that can help orchestrate the process of blocking and deleting the personal data of data subjects.

An organization’s data retention policy controls how it saves data for compliance or regulatory reasons, as well as how it disposes of data once it is no longer required.
The default length of the retention period is 365 days. The administrator can set a retention period in number of days. You set the retention period in the Audit Log settings in the Admin Console.

What is the maximum data retention period?

The answer is that there are no definitive GDPR statutory retention periods, per se. The legislation states that a business should keep information for “no longer than is necessary”. If you need the data only for the period of the individual’s employment, you should destroy it after they leave.

Retention versus Residence

What is data residence

The term residence time is used to refer to the period of time set in Customizing that must elapse before the system can archive the application data of an archiving object. When this time elapses, the application data is selected by an analysis process and checked to see whether it can be archived from a business point of view.


The term retention period is used to refer to the complete period of time for which the data actually remains in the database, from the time it is entered to the time it is archived. The retention period can be longer than the residence time and cannot be set in Customizing. It may be longer than the residence time if, for example, the data that the system would be able to archive on the basis of the residence time criterion does not meet other application object-specific archiving prerequisites. The system would therefore exclude this data from the archiving process.

For any problem you struggle with, we have the team that can help you.

Look at our insights Information Lifecycle Management – Atronas ApS, our Consultancy Services or Contact Us here.

*The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.