Organizations have been facing data related challenges for many years, and for most the biggest challenge has simply been the exponentially increasing volume of data that they are creating. But with changing governmental regulations organizations must not only ensure that the data in their systems is secure, but that they are conforming to appropriate data privacy, data residency, and data sovereignty requirements. This can become even more complex when new technologies and systems are deployed which result in the decommissioning of older systems. The data in systems being retired often needs to be archived and maintained both for audit and compliance reasons and as a way of reducing the amount of data moved into new solutions, such as SAP S/4HANA.

Today’s Data Challenge

To better understand these challenges SAPinsider sat down with Thierry Julien of TJC Group. Julien is the CEO and founder of TJC Group and has had over 20 years’ experience with data management and the SAP ecosystem. One of the biggest challenges Julien sees for SAP customers is just how to achieve peace of mind when it comes to data management. “There was a time when ensuring that shipments went out at the right time with the right product and the right quantity was the primary target for organizations,” states Julien. “Now they might be selling individual items to customers with supply chain traceability while managing social network discussions. That’s a huge difference in managed data. 25 years ago, a worldwide corporation might be running on a server with less than a terabyte of storage. Today organizations generate that much data in less than a day.” Julien sees four main areas in which organizations need peace of mind. The first is in using automation around data archiving. The second is to generate standard output for audit and tax purposes. The third is to ensure that they are complying with data privacy requirements. And the fourth is to manage the data from decommissioning legacy systems. Addressing these data challenges is incredibly important for organizations because it’s impossible to solve business challenges when hampered by slow systems, tax and data privacy issues, and technical debt. While organizations have addressed some of these challenges with individual services, Julien has not typically seen this happen at a strategic level. But that is something that he says needs to change because of data privacy requirements and the way that those requirements impact system decommissioning. Julien believes that it is important that there is a top-down approach to the data strategies employed by an organization.

Data Residency, Sovereignty, and Privacy

Data residency, sovereignty, and privacy are the three significant data questions that organizations running enterprise systems, and particularly SAP systems, must answer both in their core systems and in any plans for data decommissioning. Julien provided an overview of each in our conversation. Organizations running a global SAP system with a centralized database may be in a somewhat difficult position when it comes to data residency which relates to physical and geographical access. Julien says that with data residency it may be a requirement to only store information in a specific country, but sometimes it is the requirement to also store data in another country. This can often be resolved by carving out some data and related documents and storing them in another workspace in another cloud data center. Data sovereignty takes that further as it includes applicable laws and regulations beyond what data residency requires. This can be much more complex for organizations to deal with as the timeframe for how long information needs to be retained can vary depending on industry or situation. For example, a standard audit may require three years plus the current year. But if a building is purchased, then additional codes may apply which may require data retention for 25 years. Organizations running SAP systems may have stock in a plant that doesn’t belong to the company. If that’s the case, what regulations apply? Any decommissioning strategy must adhere to cross country and cross regulation requirements to fully comply with data sovereignty requirements. Data privacy has been a requirement for organizations operating in EMEA for several years, but new data privacy laws continue to come into place around the world. These may include an obligation to delete or anonymize data when requested. In an SAP environment, this may involve deleting all related transactions to a customer before the customer can be deleted in order to maintain database integrity. This can be a complex project and might impact reports that might still be desired for other purposes. Some data archiving tools, like that offered by TJC Group, can allow organizations to remove a customer name from a sales order and sales report even after archiving has occurred. This makes addressing data privacy requests much easier.

Implementing a Data Archiving and Decommissioning Strategy

The organizations that TJC Group works with fall into three main categories which represent their levels of maturity in their data management. Some have a corporate decommissioning strategy where they identify legacy and future legacy systems. These types of organizations are looking for or implementing an organization wide strategy to manage system decommissioning. Others just want to deal with decommissioning a specific legacy system. Some at this level of maturity may see this first system as a pilot or first step into a broader decommissioning strategy. But the largest group are SAP customers that are transitioning to SAP S/4HANA. Julien says that most organizations that are moving to SAP S/4HANA are just trying to move the data that they need to run their future business effectively. They aren’t interested in moving 20 years of historical data into SAP S/4HANA and are usually focused on the last few years. However, at some point these organizations will need details of the source information for audit purposes because it is necessary to see the data in the system of origin. That may means going back to the SAP ECC system because moving data to SAP S/4HANA does not build traceability. Even when the organization does a system conversion, the data that is moved into SAP S/4HANA can be changed or filtered. This means that the new system cannot function as a tax archive for audit purposes except for data that is created in it after it is deployed. This is where vendors like TJC Group, that have solutions to manage data decommissioning, can provide significant benefits to companies moving to SAP S/4HANA or implementing a data decommissioning strategy. TJC Group’s Enterprise Legacy System Application (ELSA) extracts a detailed audit report of all data which includes proof of completeness. Decommissioning solutions that do not provide this level of detail will not meet audit requirements which can require at least seven years of historical data. This does not even consider how data privacy requirements may impact these data archives. Julien recommends that organizations starting a decommissioning strategy build a technology map that identifies legacy and current systems with the target being identifying the technology that can be removed. This allows them to use the decommissioning as a way of getting rid of their technology debt. A volume reduction in data may also be achievable, but the size of the reduction will depend on whether or not the data will need to be accessed in the future. There are also financial benefits both in terms of maintenance of legacy systems and avoiding potential financial penalties, but Julien likes to emphasize the non-financial benefits. If a data decommissioning strategy does not deliver peace of mind, Julien does not believe it has been successful.

What Does This Mean for SAPinsiders?

No matter where your organization is in their SAP journey, archiving data and decommissioning legacy systems are likely to be necessary in the future. Whether that is correlated with a move to SAP S/4HANA or in moving to new systems in the cloud, organizations must have plans for how they will manage data that needs to be retained. What are some steps that can be taken to help start with this process?

• Identify the legacy and future legacy systems in your enterprise landscape. The first place to start with a data archiving and decommissioning strategy is to fully understand how infrastructure and landscape plans will impact existing systems. This involves mapping out whether systems will be transitioned to new infrastructure, for example in a lift and shift to a new environment or will be replaced with new solutions running in different environments. Those that are legacy systems now or will become legacy systems in the future, will need plans for how the data in them will be maintained and archived.
• Understand which data privacy, residency, and sovereignty regulations must be complied with for archived data. Data in current systems should already be available to meet any audit requirements, but that may not be the case for data that has been archived. But before it can be determined whether existing archiving capabilities meet regulatory requirements, there must be a thorough understanding of which requirements apply. Are seven years of data required for audit purposes? Or do other regulations apply which extend that timeframe? It is impossible to effectively archive data without understanding which regulations apply to which data.
• Explore archiving and decommissioning solutions that will provide peace of mind. For years organizations could archive legacy systems by creating a virtual machine (VM) with a complete copy of the environment. Should any audit or privacy requests come up the VM could be started up. With GDPR this is no longer sufficient for security reasons. Organizations must put an effective archiving and decommissioning strategy in place that will support them for the future. Only solutions like TJC Group’s ELSA have the capability to fully meet archiving requirements while complying with regulatory requirements and help provide peace of mind about archived data being both secure and compliant.

About TJC Group

Experts in Data Volume Management, TJC Group helps organizations implement proven solutions for data and document archiving, data extraction for audit purposes, plus legacy archiving and decommissioning of SAP and non-SAP systems. Their solutions are SAP-certified and comply with the local legal and tax regulatory rules in every country.