In this post, and in the one that will follow in the next weeks, I would like to analyze the role of IT Asset Management in adapting to the new General Data Protection Regulations (GDPR).
In this first article I will briefly introduce what the GDPR is, what measures it introduces, and how the IT Asset Management (ITAM) can support it.
In the next article, I will list the modules provided by NetEye, our IT System Management solution, for the ITAM implementation.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable. (Source: Wikipedia)
The regulation applies if the data controller (the organization that collects data from EU residents), the processor (the organization that processes data on behalf of the data controller, e.g., cloud service providers) or the data subject (person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process the personal data of EU residents.
The GDPR is designed to address weaknesses in the existing data rules and requires companies to carefully consider where personal data are stored, who can access them, and how they are protected against potential breaches.
The official GDPR web portal provides an overview of the main changes, summarized here:
The Privacy Guarantor enumerates the main issues that companies and public entities will have to address for the full implementation of the regulation, scheduled for May 25, 2018.
Priorities suggested by the Control Authority can help you to define how to adapt your processes, to upgrade your technology and to review your relationships with vendors. As reported in the guarantor’s guide, the great innovation of GDPR lies in an approach based on accountability.
The regulation puts the emphasis on accountability, that is, on adopting proactive behaviours that demonstrate the concrete adoption of measures ensuring that the Regulation is applied (see in particular Articles 23-25 and Chapter IV of the Regulation). This is a major change in data protection regulation: the task of deciding independently on the modalities, guarantees and limits of the processing of personal data (in compliance with the regulatory provisions) is placed on the controllers, the "owners" of the processing.
Even the major IT vendors have indicated their approach to the GDPR:
The regulation does not just require adaptation in the immediate future, within the 25 May 2018 deadline, but also constant management and supervision, so it is important to define business processes that will enable regulatory compliance over time.
Most software aimed at GDPR compliance focuses on server security and on software and infrastructure management. However, to protect data correctly, every company should analyse the IT resources used to process, transmit, analyse and archive the data entrusted to it.
As defined by Gartner, IT asset management (ITAM) provides an accurate account of technology asset lifecycle costs and risks to maximize the business value of technology strategy, architecture, funding, and contractual and sourcing decisions.
Full visibility and a detailed inventory of all IT resources are the key to a strong security and compliance position. This means that every device, software installation, and user should be properly counted and correlated.
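The correlation described above, as an added example that is not part of the original post nor of the NetEye product: three constructed tables (devices, installed software, user access) stand in for an ITAM database, with invented hostnames, package names and versions. The code joins them per device, flags records that refer to devices missing from the register (an inventory gap), and answers two of the breach questions raised in the post: which devices holding personal data run a given software below a fixed version, and which users can reach them.

```python
"""Correlate a minimal IT asset inventory to answer breach questions.

Added example; the tables below are constructed sample data and the field
names (id, owner, holds_personal_data, ...) are assumptions, not a real
ITAM schema.
"""

# Constructed device register: which assets exist and whether they store personal data.
DEVICES = [
    {"id": "srv-01", "owner": "it-ops", "holds_personal_data": True},
    {"id": "srv-02", "owner": "it-ops", "holds_personal_data": False},
    {"id": "lap-17", "owner": "sales", "holds_personal_data": True},
]

# Constructed software inventory; "unk-99" is deliberately absent from DEVICES.
INSTALLS = [
    {"device": "srv-01", "software": "dbengine", "version": "9.6"},
    {"device": "srv-01", "software": "sshd", "version": "7.4"},
    {"device": "srv-02", "software": "dbengine", "version": "11.2"},
    {"device": "lap-17", "software": "crm-client", "version": "3.0"},
    {"device": "unk-99", "software": "dbengine", "version": "9.6"},
]

# Constructed access list: which accounts can log on to which device.
ACCESS = [
    {"user": "alice", "device": "srv-01", "role": "admin"},
    {"user": "bob", "device": "srv-01", "role": "reader"},
    {"user": "carol", "device": "lap-17", "role": "user"},
    {"user": "dave", "device": "srv-02", "role": "admin"},
]


def version_tuple(version):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def correlate(devices, installs, access):
    """Join the three tables into one record per registered device.

    Returns (inventory, orphans): inventory maps device id to a record with
    its software versions and user set; orphans lists device ids that appear
    in installs or access but not in the device register.
    """
    inventory = {d["id"]: {**d, "software": {}, "users": set()} for d in devices}
    orphans = set()
    for inst in installs:
        if inst["device"] not in inventory:
            orphans.add(inst["device"])
            continue
        inventory[inst["device"]]["software"][inst["software"]] = inst["version"]
    for acc in access:
        if acc["device"] not in inventory:
            orphans.add(acc["device"])
            continue
        inventory[acc["device"]]["users"].add(acc["user"])
    return inventory, sorted(orphans)


def exposure(inventory, software, fixed_version):
    """Devices holding personal data that run `software` below `fixed_version`,
    mapped to the sorted list of users who can access them."""
    hits = {}
    for dev in inventory.values():
        ver = dev["software"].get(software)
        if ver is None or not dev["holds_personal_data"]:
            continue
        if version_tuple(ver) < version_tuple(fixed_version):
            hits[dev["id"]] = sorted(dev["users"])
    return hits


def personal_data_custodians(inventory):
    """Every user with access to at least one device that holds personal data."""
    users = set()
    for dev in inventory.values():
        if dev["holds_personal_data"]:
            users |= dev["users"]
    return sorted(users)


if __name__ == "__main__":
    inv, gaps = correlate(DEVICES, INSTALLS, ACCESS)
    print("unregistered devices:", gaps)
    print("exposed by dbengine < 10.0:", exposure(inv, "dbengine", "10.0"))
    print("users touching personal data:", personal_data_custodians(inv))
```

The orphan check is the part worth keeping in a real deployment: a software or access record that points at an unregistered host means the inventory is incomplete, and an incomplete inventory cannot support the "where is the data and who can reach it" answers the regulation expects.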
In case of an IT breach for example, you need to answer the following questions:
By answering the above questions, ITAM can contribute to GDPR compliance. Thanks to an IT Asset Management solution, you can:
If your organization does not have an appropriate ITAM tool, maybe it’s time to implement one … to avoid failing to comply with the GDPR.