“Be Afraid. Be Very Afraid.” The Fly (1986)
The Data Protection Act (DPA) is metamorphosing into the General Data Protection Regulation (GDPR), and this could be a real horror story.
The GDPR, which was adopted by the EU in April 2016 and comes into effect in May 2018, has the potential to be an organisation’s worst nightmare, the implications of which should be keeping CIOs up at night.
GDPR applies to all companies processing the personal data of subjects residing in the EU, regardless of the company’s location and regardless of whether the processing takes place in the EU.
The data rights of individuals are extended beyond the current Data Protection Act, and organisations are required to develop clear policies and procedures to protect personal data and to adopt appropriate technical and organisational measures.
Individuals have greater control over their personal data: they have to give consent, that consent has to be explicit and limited, and they have the right to request their data, rescind requests and revoke consent. As a result, an organisation will be expected to:
- Tell data subjects whether it holds data about them, and how it is using it.
- Provide their data to them in a format that they can easily port to another provider.
- Cease use of, and completely eliminate, any and all records, past or present, of their data.
A data breach must be notified to the relevant authorities within 72 hours of discovery, unless the breach is not likely to harm a person’s rights and freedoms, and the affected individual must also be promptly notified.
Failure to comply with GDPR can have consequences, including fines and restitution, dependent on the data loss and the systems and technology that are in place. Fines can reach up to €20 million or 4% of the company’s global revenue, and organisations can also be liable for restitution for any harm caused by violating GDPR.
Operationally, an organisation will be expected to appoint a Data Protection Officer (DPO), who has the responsibility and authority for the enforcement of privacy and compliance with applicable laws, and to carry out regular Data Protection Impact Assessments (DPIAs) to identify and address the risks to the privacy rights of individuals when processing their personal data. It will also be required to build a risk-based security programme, based on established best practices, to enforce the confidentiality, integrity and availability of personal data.
Organisations can’t simply outsource the liability for maintaining the confidentiality and integrity of personal data. They will need to have GDPR compliance language in all contracts when outsourcing the processing of personal data, and perform ongoing management of the vendors in their supply chain to ensure compliance.
While some businesses may feel that they are ready for GDPR, are they really? Is their IT department really ready for it, and more particularly is their IT Service Management (ITSM) team ready?
An ITSM tool contains lots of personal data, and therefore there are lots of considerations to be addressed for an IT department to be GDPR compliant. Any data, changes and requests relating to an individual will be affected by the upcoming legislation, especially as a result of frequent integrations with other systems and methods of extracting data. GDPR will expose the fact that, currently, very little thought is given to data privacy.
It is essential that all members of the ITSM team, especially the IT Service Desk, are provided with specific awareness, education and training in GDPR and its implications for the way that they handle sensitive personal data and use it as part of their roles.
Furthermore, consideration will need to go into defining the policy around how sensitive personal data is captured in free-text fields, and what to do with any such data that has already been captured. This is important, as it is likely to be a very labour-intensive manual process.
The policy on the collection of all personal data used in the ITSM system will need to be transparent, as users will be required to consent to their personal data being stored and will have the right to have it removed.
One of the main implications of the introduction of GDPR is that IT suppliers will now be jointly liable for any data breach, meaning that all of a business’s policies, processes, procedures and contracts relating to the handling of personal data will need to be reviewed and potentially overhauled. This will have implications not just for service and system providers, but also for the suppliers of cloud computing and storage.
There will also be a significant impact on the way that an IT department manages its IT assets, not just the recording of an asset owner’s name, job title and email address, but also knowing what devices are deployed, where they are, who has access to them and what data they access.
It is not good enough to know just the company’s software inventory. A significant proportion of security breaches are internal, either deliberate or through negligence. Knowing who has access to key software applications and data, and who actually uses them, will enable the source to be identified in the event of a security breach.
And then there are the processes that underpin IT Service Management: what are the implications of GDPR for them? Is the Incident Management process up to the task of quickly recognising potential data breaches, and are there clear procedures that need to be followed? Is it the responsibility of the Problem Management process to prevent security breaches from ever happening?
This just touches the tip of the iceberg, emphasising the point that GDPR is not just a technical issue, but a cultural and organisational one as well, that impacts across the breadth of an IT Service Management team.
Compliance with GDPR requires a new culture around data safety, one that is strictly process-based and is reinforced across the whole organisation. ITSM tools and processes are not areas that businesses can approach as an afterthought. To avoid a potential horror story, it is essential that ownership for change is taken now; otherwise, the business will risk a considerable fine for non-compliance and the CIO will continue to have sleepless nights.
If you would like to find out how iCore can help you with your IT service management requirements then please contact us on 0207 868 2405 or email info@icore-ltd.com.