01. 04. 2018 Luca Buonocunto Service Management

Data Breach vs. ITIL Incident and Problem Management Processes

The GDPR legislation that will come into force on May 25, 2018 introduces, among the various obligations of the Holder of the personal data, the reporting of Data Breach events to the privacy Guarantor within 72 hours (and in any case, without delay), where a data breach includes any event concerning the violation of personal data stored by the data controller. This new standard will not only impact the strictly technical aspect of IT infrastructure, but will lead to a revision of the concept of IT Governance and its processes.

Often, problems related to the GDPR are dealt with only by a technical approach. But we shouldn’t forget about the need for the good governance of the IT processes that underpin them.

It is indeed no coincidence that the legislation speaks of the need for a “procedure to test, verify and regularly evaluate the effectiveness of technical and organizational measures in order to ensure safety of the treatment.”

We are clearly in the sphere of IT Governance.

One case I can mention concerns the management of incidents resulting from a Data Breach event: It must be clear that the categorization and registration of an Incident cannot be exempted from the requirement to include all the information related to countermeasures designed to cope with such events. It’s not just about collecting and recording information (the technical part of the solution) but about integrating this information within a process and managing its lifecycle, showing that you have done your best to avoid the data privacy breach in the first place!

In this specific case, the link between Incident and Problem processes is of fundamental importance in order to verify and confirm the validity of the remedy measures as shown in the table below.

GDPR Article 33	ITIL Concepts	Supporting Tools
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.	Data Breach Incidents will be classified as Incidents with high Severity with an immediate trigger to Problem management in order to: Immediately trigger communication with the Controller Analyze the root cause of the data breach Incident Initiate and coordinate the work for appropriate corrective actions in order to avoid a Data Breach in the future and show YOU CARE about privacy – this will be the real differentiator when facing the Controller.	EriZone: For the design and execution of Data Breach Incident Management flow in your Organization, you will define who is responsible for what and how quickly your response is required. GLPI and NetEye: For Risk and Impact Assessment throughout the infrastructure, and to have a sound basis for the evaluation of the Incident Severity via the punctual analysis of your Assets

The table above is just a brief example of what you can do by adopting the ITIL approach in your Governance Model in order to take full advantage of the features offered by EriZone and NetEye.
By adopting a Process Approach, you can tackle the various aspects of GDPR requirements holistically, while also being able to understand how your resources will be impacted by any requested implementations.
From this moment on, you need to make privacy a critical part of the vision and strategy of your organization. You can use EriZone and NetEye to distribute the value of ITIL Process adoption across your network, addressing and budgeting for all aspects of GDPR.