You’ve got already an ITSM tool and you are wondering whether you need a separate tool to become GDPR-compliant? Why don’t you enhance your ITSM tool to get the job done!
Any flexible, modern ITSM tool will allow you to add a data privacy application. Let me outline the things you need for the GDPR-compliance:
Personal Data Map
Knowing what personal data your enterprise processes is one of the most crucial efforts for the GDPR-compliancy. This means that you need to create one complete map of what personal data is stored in which enterprise application. And once you created such a map, you need to create a new record for each new enterprise application you introduce.
You will need to create fields for who is the business owner of the application, who is the Data Privacy Officer, which is the responsible supervisory if things go down South, and ideally also a list of impact services and possible impact of “loosing” the data processed in the application.
Privacy Breach Incidents
Incidents are incidents. Looking at the big picture and looking from a tool perspective, incidents related to privacy breaches are not that different from IT incidents. Naturally, a workflow for personal data breaches includes a different set escalations (to the CSO, DPO and/or CIO) and can include automatic notification of the supervisory authorities. A modern tool should have a dedicated workflow for privacy breaches.
Data Privacy Tasks
You probably want to track what needs to be done until May 2018 in regards to GDPR compliancy. A simple task list will help you to keep a single record of what’s going on and what needs to be done still. If you have already tasks for your service desks, then you probably can create easily a new template to manage the tasks. If not, then it should be few hours to configure such a task list, the reports and manage the permissions for the relevant people.
According to the GDPR, any person your enterprise is working with has the right to request that the enterprise “forgets” their personal data (which means in clear text erasing or anonymizing data). While there is no 100% certainty yet which personal data this truly refers to and how far back in the archives, I’m confident that every organization will need to provide employees, suppliers, and subcontractors the means to request to be forgotten. This can be arranged on the enterprise self-service portal connected to your enterprise service management solution.
Recording the request to be forgotten in the service desk is one thing. Which workflow needs to be executed to remove personal data comprehensively from various enterprise applications is still a little mystery to me. Probably, it’s smart to set up a process to remove a person in the identity management solution which then again triggers the removal of the same person in other connected applications.
In summary, the IT management needs to provide the tools to process GDPR-related data and requests. In many cases, the existing solution can be enhanced to also run the GDPR applications. In some cases, GDPR might be a great excuse to reconsider whether it is time to stick to the old ITSM tool or whether to get a real service management solution that is designed to scale with your business.
If you want to know more about the GDPR and how Efecte can help you, please do contact us and we will help you designing a Data Privacy Solution.