All companies which use IT Service Management (ITSM), whether controlled internally or outsourced to third party processors, will be bound by a new set of data protection regulations, the General European Data Protection Regulations (GDPR), which comes into effect on 25 May 2018.
The new law enforces even stricter rules than the existing Data Protection Act for storing and transferring EU citizens’ personal data.
GDPR will have a direct impact on ITSM users once it comes into force, and there is now less than one year to prepare. However, it is not the quick fix that many ITSM users and suppliers are hoping for. Start now, and you may be compliant just in time; start later at your own peril, as all organizations will also be required to prove compliance and provide all the necessary documentation or risk significant fines.
One of the main changes of GDPR to ITSM users is that their suppliers will now be jointly liable for any data breach. This means that all businesses handling personal data will need to overhaul their policies, processes and procedures, including ITSM, to prepare for GDPR before it comes into effect.
Impact of GDPR on ITSM
All organizations using ITSM will need to provide specific awareness, education and training for all data handlers as a starting point. This is a highly complex and time-consuming process, affecting hundreds if not thousands of staff depending on the size of the organization, and it needs to address every type of incident that may contain sensitive data through safeguarding processes and risk assessments.
It gets further complicated for organizations using free-format text fields, as they will now be required to provide extra training and support for their service desks so that staff can properly examine the data entered and scrub any personal or sensitive data. This will be a laborious manual process.
ITSM users will also need a transparent policy for request management, a policy on the collection of personal data held in Incident and Change Management, and a process for carrying out regular performance surveys, which under the new regulation will require explicit consent from the users selected to take part.
In addition, explicit consent will be required from users who are likely to raise incidents or authorize or implement changes, with very careful consideration going into the process of what can be entered into the free text fields.
Furthermore, there will also be a significant impact on the ownership of IT assets in configuration and asset management, as the asset owner’s name, job title and email address are all present in both of these modules.
Data Compliance for ITSM
ITSM contains a great deal of personal data, so many adjustments will be required for GDPR compliance. Any data, changes and requests that can identify a natural living person are affected by the upcoming legislation, and although extraction tools and integrations are very common with core ITSM applications, currently very little thought is given to data privacy in them. GDPR will expose this functionality.
Non-Compliance
As mentioned, there will be hefty fines for any data breaches, and the legal recourse for breaches now extends to both processors and third-party suppliers. Many ITSM tools are cloud based, so non-compliance can also affect cloud computing and storage suppliers, which adds further layers of complexity. Besides the potential fines, the adverse publicity will likely damage the reputation of the brand, losing the trust of customers, suppliers and even employees.
Ultimately, ITSM and how it integrates across all organizations needs to be focused 100% on privacy by design and default going forward.
Why GDPR
Once GDPR comes into force, personal data can only be gathered legally under strict conditions; not only will the regulation require persons or organizations which collect and manage personal information to protect the data from misuse, but also to respect the rights of the data subjects which are guaranteed by EU law.
GDPR will likely affect ITSM users in the following ways:
Increased Territorial Scope: any business outside the EU collecting personal data about EU citizens is now in scope.
Tougher Sanctions: €10M or up to 2% of global turnover; €20M or up to 4% of turnover for serious breaches.
Wider Data Scope: online identifiers, genetic and biometric data.
Wider Supplier Scope: data controllers and processors will be under scrutiny, with joint liability.
Data Breach Notification: mandatory to report certain data breaches to the supervisory authority without undue delay or within 72 hours.
More Individual Rights: rights to rectification, right to be forgotten, subject access requests, automated processing and profiling, right to object, right to data portability.
Mandatory Appointment of a Data Protection Officer: public bodies, organizations processing special categories of data, and large-scale systematic monitoring of public areas.
Consent and Lawful Processing: more stringent principles for consent and lawful processing.
International Transfers: more stringent scope.
Accountability and Governance: mandatory documented evidence of compliance.
Subject Access Requests: non-chargeable, with a 30-day limit on response.
Conclusion
Some large corporations have already begun their journey to compliance, mainly focusing on their HR and marketing databases; however, there has been little or no focus on the ITSM toolsets.
While GDPR brings many wholesale changes to the way data is used, ITSM has its own niche issues that businesses cannot approach as an afterthought. With only one year to go, ITSM users and suppliers need to take ownership of change now, or risk considerable fines for non-compliance.