In this post, and in the one that will follow in the coming weeks, I would like to analyze the role of IT Asset Management in adapting to the new General Data Protection Regulation (GDPR).
In this first article I will briefly introduce what the GDPR is, what measures it introduces, and how the IT Asset Management (ITAM) can support it.
In the next article, I will list the modules provided by NetEye, our IT System Management solution, for the ITAM implementation.
Introduction to GDPR
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable. (Source: Wikipedia)
The regulation applies if the data controller (the organization that collects data from EU residents), the processor (the organization that processes data on behalf of the data controller, e.g., cloud service providers) or the data subject (person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process the personal data of EU residents.
The GDPR is designed to address weaknesses in the existing data rules and requires companies to carefully consider where personal data are stored, who can access them, and how they are protected against potential breaches.
GDPR: Key Changes
The official GDPR web portal provides an overview of the main changes, summarized here:
- Increased Territorial Scope (extra-territorial applicability): the GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
- Penalties: under the GDPR, organizations in breach can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
- Consent: the conditions for consent have been strengthened, and companies will no longer be able to use long, illegible terms and conditions full of legalese.
- Breach Notification: breach notification will become mandatory in all member states where a data breach is likely to “result in a risk to the rights and freedoms of individuals”.
- Right to Access: data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
- Right to be Forgotten: Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data Portability: the right of a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine readable format’, and the right to transmit that data to another controller.
- Privacy by Design: the controller shall implement appropriate technical and organizational measures in an effective way in order to meet the requirements of this Regulation and protect the rights of data subjects.
The Privacy Guarantor and the GDPR
The Privacy Guarantor enumerates the main issues that companies and public entities will have to address for the full implementation of the regulation, scheduled for May 25, 2018.
The priorities suggested by the Control Authority can help you define how to adapt your processes, upgrade your technology and review your relationships with vendors. As reported in the Guarantor’s guide, the great innovation of the GDPR lies in an approach based on accountability.
The regulation emphasizes accountability: the adoption of proactive behaviors that demonstrate the concrete adoption of measures ensuring the application of the Regulation (see in particular Articles 23-25 and Chapter IV of the Regulation). This is a large change to data protection regulation, because the task of deciding independently on the modalities, guarantees and limitations of the processing of personal data (in compliance with the regulatory provisions) is placed on the owners of the processing.
The major vendors and the GDPR
The major IT vendors have also indicated their approach to the GDPR.
The regulation does not just require adaptation in the immediate future, within the 25 May 2018 deadline, but also constant management and supervision, so it is important to define business processes that will enable regulatory compliance over time.
The role of IT Asset Management in GDPR compliance
Most software designed for GDPR compliance focuses on server security and on software and infrastructure management. However, to correctly protect data, every company should analyze all the IT resources used to process, transmit, analyze and archive the data entrusted to it.
As defined by Gartner, IT asset management (ITAM) provides an accurate account of technology asset lifecycle costs and risks to maximize the business value of technology strategy, architecture, funding, and contractual and sourcing decisions.
Full visibility and a detailed inventory of all IT resources are the key to a strong security and compliance position. This means that every device, software installation, and user should be properly counted and correlated.
In case of an IT breach, for example, you need to be able to answer the following questions:
- What: What are your IT assets? Which software is installed on your devices?
- Who: Who has access to devices and applications? Who is assigned to the devices?
- Where: Where are these devices? How have they “moved” over time?
- How: How are they related to each other?
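The four questions above are only answerable if devices, software installations, users, locations and relationships are stored as one correlated inventory. As an added illustration (not code from the original post or from NetEye), the following minimal inventory model answers What/Who/Where/How for a compromised device and finds every user exposed by an affected software installation; all device ids, user names, locations and software names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Device:
    device_id: str
    software: Set[str] = field(default_factory=set)     # What is installed
    users: Set[str] = field(default_factory=set)        # Who is assigned / has access
    locations: List[str] = field(default_factory=list)  # Where, oldest to newest
    links: Set[str] = field(default_factory=set)        # How: ids of related devices


class AssetInventory:
    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}

    def add(self, dev: Device) -> None:
        # Keep relationships symmetric so correlation works from either side,
        # regardless of the order in which devices were registered.
        for other in self.devices.values():
            if dev.device_id in other.links:
                dev.links.add(other.device_id)
            if other.device_id in dev.links:
                other.links.add(dev.device_id)
        self.devices[dev.device_id] = dev

    def devices_running(self, software: str) -> Set[str]:
        """What: every device on which the given software is installed."""
        return {d.device_id for d in self.devices.values() if software in d.software}

    def users_exposed_by(self, software: str) -> Set[str]:
        """Who: users assigned to any device running the affected software."""
        return set().union(*(self.devices[i].users for i in self.devices_running(software)))

    def breach_report(self, device_id: str) -> dict:
        """Answer What / Who / Where / How for one compromised device."""
        dev = self.devices[device_id]
        return {
            "what": sorted(dev.software),
            "who": sorted(dev.users),
            "where": dev.locations[-1] if dev.locations else None,
            "moved": list(dev.locations),   # full location history
            "how": sorted(dev.links),
        }


def build_sample_inventory() -> AssetInventory:
    """Constructed sample data: two laptops and the file server one of them uses."""
    inv = AssetInventory()
    inv.add(Device("lt-0042", {"Office Suite 2016", "VPN Client 3.1"}, {"alice"},
                   ["Bolzano HQ", "Home office"], {"srv-files-01"}))
    inv.add(Device("lt-0043", {"VPN Client 3.1"}, {"bob"}, ["Bolzano HQ"]))
    inv.add(Device("srv-files-01", {"File Server 2.0"}, {"admin"}, ["Datacenter A"]))
    return inv
```

With such a model, a breach of `lt-0042` immediately yields its installed software, its assigned user, its current and past locations and the server it is linked to, while a vulnerable software version yields the list of users whose data may be affected.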
By answering the above questions, ITAM can contribute to GDPR compliance. Thanks to an IT Asset Management solution, you can:
- Protect the company’s investments and recognize what they are, where they are adopted, and whether those resources are used efficiently;
- Know exactly which hardware and software you have;
- Respond efficiently in case of data breaches;
- Improve the purchasing process;
- Optimize software usage;
- Allow for proper allocation of the budget;
- Manage the asset life cycle;
- Manage contracts and documentation for each asset in use (hardware, software, licenses, business applications);
- Monitor the expiration of contracts, software licenses, and hardware maintenance;
- Define a correct purchasing strategy.
If your organization does not have an appropriate ITAM tool, maybe it’s time to implement one … to avoid failing to comply with the GDPR.