Starting on May 25th, the new EU General Data Protection Regulation requires you to report an incident that involves personal data to the supervisory authorities within 72 hours.
Is your IT organization fast enough to meet the deadline?
The privacy of personal data is at the heart of the new legislation. There is no hiding anymore when it comes to “losing” personal data: you must report such incidents. You need to have a process in place to inform both the impacted persons and the supervisory authorities in the European Union. And you need to be fast. 72 hours seems like plenty of time, but how long does it take you to analyse the true impact of the security incident, determine the set of affected persons, and escalate actions accordingly? Who is in charge of approving the notification to the supervisory authorities? Who reviews the message to the impacted persons? Suddenly, 72 hours may not sound like that much time anymore.
Here are four things you can do with your ITSM tool to comply with the new legislation:
- Design an automated workflow with notifications, approvals and escalations
- Create a set of pre-approved messages for different scenarios
- Manage a list of supervisory authorities and their contact information
- Maintain a data map of which application holds which personal data
1. Design a GDPR incident workflow
If your ITSM tool allows you to create new workflows on your own using codeless design, then you should create a dedicated workflow for GDPR-related incidents. This helps your organization process the issue in a formal way without missing a step that may become costly later on. Besides the usual incident-related tasks, the workflow should include the notification to the CISO, CSO, and/or CIO, the tasks of notifying the supervisory authorities and the impacted persons, and the escalation if things don’t get done within the 72-hour deadline.
2. Create a set of pre-approved messages
Make sure you have message templates available for different scenarios. There are many ways to get in trouble when it comes to keeping personal information safe, but ultimately the things you need to communicate under the legislation are limited. The templates should be reviewed at least by your legal and communications teams. Having them pre-approved will speed things up massively. Nothing is worse than waiting for the approval of departments that do not work 24/7.
3. Manage a list of supervisory authorities
The contact information of all supervisory authorities in the European Union is public. I still suggest that you maintain an actively curated list of contact information within your IT organization. Searching the Internet under the stress of an approaching deadline can be frustrating. And if your ITSM tool can be extended to host additional data structures cost-efficiently, why not store this data in the same central location? This way, the contact information sits right next to your workflow.
4. Maintain a data map of which application holds which personal data
Imagine you get a report that a rogue ex-employee has downloaded all personal information from the CRM application. How long does it take you to find out which persons are impacted (sales, marketing, who else?), who the responsible business owner is, which Data Privacy Officer is in charge, and which supervisory authorities are relevant for this application? Wouldn’t it be nice to have a central record for such data? Your ITSM tool should stretch to hold a data map of personal data (see illustration below for an example implementation). This will save you hours when racing towards the 72-hour deadline.
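A minimal model of points 1 and 4, added here as an example and not code from this post or from any ITSM product: a data map keyed by application, the 72-hour clock with an escalation state, and the notification tasks the workflow derives from both. Every name and address in it is a constructed placeholder.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

NOTIFY_DEADLINE = timedelta(hours=72)  # the GDPR breach-notification window

@dataclass
class DataMapEntry:
    """One record of the personal-data map: which application holds which data."""
    data_categories: list
    business_owner: str
    dpo: str
    supervisory_authorities: list  # contact records kept next to the workflow

# Constructed sample data map; every name and address is a placeholder.
DATA_MAP = {
    "CRM": DataMapEntry(
        data_categories=["customer contact data", "marketing consent", "sales leads"],
        business_owner="head-of-sales@example.test",
        dpo="dpo@example.test",
        supervisory_authorities=[{"name": "Example DPA", "email": "breach@dpa.example.test"}],
    ),
}

def impact_lookup(application: str) -> DataMapEntry:
    """Return the data-map record for an application; an unmapped app is itself a finding."""
    if application not in DATA_MAP:
        raise LookupError(f"{application!r} has no data-map record")
    return DATA_MAP[application]

def notification_status(aware_at: str, now: str, warn_hours: int = 24) -> dict:
    """State of the 72-hour clock, counted from when the organisation became aware (ISO 8601)."""
    deadline = datetime.fromisoformat(aware_at) + NOTIFY_DEADLINE
    remaining = deadline - datetime.fromisoformat(now)
    if remaining <= timedelta(0):
        state = "overdue"  # the workflow's last escalation step
    elif remaining <= timedelta(hours=warn_hours):
        state = "escalate"  # hand to CISO/CIO before the window closes
    else:
        state = "on_track"
    return {"deadline": deadline.isoformat(), "hours_remaining": remaining.total_seconds() / 3600, "state": state}

def notification_tasks(application: str, aware_at: str) -> list:
    """Expand one incident into the recipients the workflow must notify before the deadline."""
    entry = impact_lookup(application)
    due = (datetime.fromisoformat(aware_at) + NOTIFY_DEADLINE).isoformat()
    tasks = [{"recipient": entry.dpo, "role": "DPO", "due": due},
             {"recipient": entry.business_owner, "role": "business owner", "due": due}]
    tasks += [{"recipient": a["email"], "role": f"supervisory authority ({a['name']})", "due": due}
              for a in entry.supervisory_authorities]
    return tasks
```

The `escalate` state is what the workflow's escalation step should key on, so that an approval that is still pending a day before the deadline reaches the CISO or CIO rather than waiting for a department that does not work 24/7.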
The GDPR is now part of our IT industry and it is here to stay. You, as an IT Service Management leader, can be a change agent in establishing the best practices in your organization.
If you need help understanding how to design dedicated workflows and new tables for managing GDPR data, do not hesitate to contact us.
Read our previous blog posts on how IT Service Managers can prepare for GDPR
Disclaimer: Please note that the statements above are not intended as legal advice.