The GDPR and ITSM
Implemented on May 25th, 2018, the GDPR is a regulation drafted by the EU to protect the privacy of EU residents. It brings together a set of rules that provides these individuals with rights over their personal data.
IT service management (ITSM) sits at the heart of every IT infrastructure, providing the IT support businesses need to achieve their goals.
Key aspects of the GDPR in the context of ITSM
Personal data is any information relating to a data subject (an identified or identifiable natural person), for example:
Person - Name, Phone, Email, Company, Designation, Address and Location.
Access - Login ID
Asset - IP Address, MAC Address, IMEI, UDID
Who are the key players?
Data controller - A person who decides how personal data is going to be processed.
Data processor - A person who processes data on behalf of the controller.
Are you using IT service desk applications?
You could be both the data controller and the data processor if you use on-premises applications.
You are the data controller while the cloud vendor is the data processor if you use cloud applications.
What are the key data subject rights under GDPR?
Right to access
Right to be forgotten
Right to rectification
Right to data portability
Right to object
Right to restriction of processing
What are the key aspects of ITSM influenced by the GDPR?
Here are the 8 key aspects of how the GDPR impacts ITSM:
User management: Manage users, create user roles and groups, manage access privileges, and maintain an accurate database of all users.
Request management: Maintain channels for raising requests, facilitate request fulfillment, and manage the complete request life cycle.
Change management: Update an old system (e.g. patching or software upgrades), or create a new system (e.g. setting up a data center).
Asset management: Commission, maintain, decommission, and take inventory of IT assets.
Reporting: Measure the performance of the IT service desk, and continually improve productivity.
Notification and communication: Streamline the constant flow of information moving in and out of the IT service desk.
Maintenance activities: Track and maintain the list of necessary, repetitive tasks that address the overall health of your IT infrastructure.
Integrations: Seamlessly integrate with other tools used in your organization to implement a change or fulfill a request.
What are the IT service desk practices that could compromise data privacy?
Let's take a look at some IT service desk practices that need to be reviewed when preparing for GDPR compliance.
Using a common request template for all types of requests.
Being unable to distinguish between PII and non-PII.
Sharing files in forwarded email chains.
Failing to protect access to files and archives.
Exposing data to other teams while processing a request.
Storing or accessing user data even when it's no longer required.
Sending automated notifications to unintended recipients.
Leasing out assets without implementing security measures.
Neglecting to audit access to asset information.
Forgetting to revoke remote control access after intended use.
What are the IT service desk measures to ensure data protection?
Identify PII so you won't miss it during deletion.
Collect only required information.
Use file sharing to share information with other teams.
Password-protect any files that contain PII.
Encrypt archived data.
Anonymize personal data when a user is deleted.
Create roles for triggering notifications.
Regularly audit the automated notification settings.
Use user roles to restrict who can view, edit, or delete data.
Create security procedures for leasing assets.
Maintain a record of asset history.
Revoke access whenever the intended action is completed.
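As an added example (not part of this page or of any service desk product), the routine below puts the measures "identify PII so you won't miss it during deletion" and "anonymize personal data when a user is deleted" into code, using the PII categories listed at the top of the page. The ticket field names, the sample ticket and the pseudonymization key are assumptions; real ticket schemas will differ.

```python
import hashlib
import hmac
import json

# PII categories as listed on this page; the field names are hypothetical ticket-store columns.
PII_FIELDS = {
    "person": {"name", "phone", "email", "company", "designation", "address", "location"},
    "access": {"login_id"},
    "asset": {"ip_address", "mac_address", "imei", "udid"},
}
ALL_PII = set().union(*PII_FIELDS.values())
FREE_TEXT_FIELDS = {"subject", "description", "resolution"}

# Constructed sample: a closed request whose requester has since asked for account deletion.
SAMPLE_TICKET = {
    "ticket_id": "REQ-0042",
    "status": "closed",
    "name": "Jane Example",
    "email": "jane@example.invalid",
    "phone": "+1-555-0100",
    "login_id": "jexample",
    "ip_address": "198.51.100.23",
    "mac_address": "00:00:5e:00:53:af",
    "description": "Laptop of jane@example.invalid (jexample) fails to join Wi-Fi at 198.51.100.23.",
    "resolution": "Replaced the Wi-Fi adapter; asset history updated.",
    "asset_history": ["leased 2018-01-10", "returned 2018-05-20"],
}


def identify_pii(ticket):
    """Return the PII fields present in a ticket, grouped by the page's categories."""
    return {cat: sorted(f for f in fields if f in ticket) for cat, fields in PII_FIELDS.items()}


def pseudonym(value, key):
    """Keyed hash: stable across tickets for reporting, unlinkable once the key is destroyed."""
    return "anon-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def anonymize_on_user_deletion(ticket, key):
    """Pseudonymize PII fields and scrub their values from free text; keep non-PII history."""
    out = dict(ticket)
    originals = {f: ticket[f] for f in ALL_PII if f in ticket}
    for field, value in originals.items():
        out[field] = pseudonym(value, key)
    # PII routinely leaks into descriptions and notes; scrub the same values there (longest first).
    for field in FREE_TEXT_FIELDS & set(out):
        for value in sorted(originals.values(), key=len, reverse=True):
            out[field] = out[field].replace(value, "[redacted]")
    return out


def residual_pii(original, anonymized):
    """Post-deletion check: list original PII values that still appear anywhere in the record."""
    blob = json.dumps(anonymized)
    return sorted(v for f, v in original.items() if f in ALL_PII and v in blob)
```

Running `residual_pii(SAMPLE_TICKET, anonymize_on_user_deletion(SAMPLE_TICKET, key))` should return an empty list; any value it does return is PII that the field-level deletion missed.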
What are the GDPR features to look for in an IT service desk tool?
Take a look at the list of GDPR features that help you begin your GDPR journey:
Personal data encryption
User roles that restrict access to data
Activity log tracking
Password protection of files