The General Data Protection Regulation (GDPR), which took effect on May 25, 2018, is a privacy regulation aimed at protecting the personal data of EU residents. The GDPR defines personally identifiable information (PII) as any data that can be used to identify an individual, either alone or in conjunction with other data. If an organization gathers personal data from EU residents, they must comply with the GDPR regardless of where they are situated.
In this context, MSPs are likewise subjected to the GDPR because they collect, store, and handle PII. Personal information that MSPs deal with on a regular basis includes:
- Names, residential addresses, phone numbers, and email addresses of customers and staff members.
- Staff information, including current role, department, and employment history.
- Account, incident, service request, problem, and change records containing users' names, designations, seating locations, etc.
- Identifiable information about devices issued to staff, like IMEI numbers for mobile phones.
- Details about technological support provided to customers or staff. For example, information on any assistive technology (e.g. screen readers, speech-to-text technology) used by differently-abled employees.
What should MSPs do to prepare for GDPR compliance?
Data collection
- Mark fields in the service desk tool that store personal data
- Encrypt fields in the service desk tool that store personal data
File exports
Control, monitor, and password protect all file exports
Audit logs
Maintain a complete, tamper-proof, and delete-proof log of all actions on personal data
How does ServiceDesk Plus MSP help you begin your GDPR journey?
PII fields in templates
Mark a data field as PII to quickly identify PII from other data when adding an additional field to a template.
Fulfill users' right to be forgotten
The right to be forgotten is one of many rights granted to individuals by the GDPR. Users can therefore request that an organization remove all of their personal information, or anonymize it if doing so would interfere with company operations or legal requirements. To honor their right to be forgotten, you may now anonymize users' names and totally remove all of their PII in ServiceDesk Plus MSP.
Encrypt sensitive data
One of the critical aspects of the GDPR is the protection of sensitive data. ServiceDesk Plus MSP now offers the option to encrypt sensitive information that is collected and stored from Request Additional Fields. Picklist fields, multiple-line fields, and single-line fields can all be encrypted.
Utilize password protection for backup data
Any unauthorized attempt to open or restore the backup file for ServiceDesk Plus MSP will fail as it will be password protected while setting up the backup process itself.
Anonymize deleted users without losing the log of all actions
Data on users who have been removed from the application can be made anonymous via the Deleted Users view. Even after users and their PII are removed from the application, a record of all user actions is retained in the system for future audits.