May 25th, 2018 has become familiar to most IT managers as the deadline to comply with the new EU General Data Protection Regulation, better known as GDPR. Replacing Data Protection Directive 95/46/EC, GDPR was designed to harmonize data privacy laws across Europe and to better protect and empower citizens' data privacy. It substantially reshapes the way organizations across the region approach data protection and security, with a significant impact on IT policies and processes.
The definition of 'personal data' is very broad: practically any employee, customer, supplier or partner interaction generates records combining company and individual information, some of which falls into the 'special categories' (health, biometric, religious or political data, among others) that require additional safeguards. Any organization processing the personal data of EU residents, wherever it is established, must now process and store that data only on a documented lawful basis, of which the explicit consent of the data subject is the most visible one, and must ensure the legitimacy and adequate protection of every processing activity. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is higher: the maximum fine is reserved for serious infringements, such as processing data without a valid legal basis or consent, or violating the core Privacy by Design principles.
Mapping the personal data the company stores is therefore the essential starting point for compliance, and helpdesk and IT service teams should be looped into any GDPR compliance program. They can offer valuable support in the preliminary data audit steps and verify that appropriate data protection and security processes are in place, whether the data is managed with internal software and tools, by external providers or in the cloud. Aligning IT Service Management procedures is also formally required in order to carry out Data Protection Impact Assessments (DPIAs) and to demonstrate that the company complies with the Privacy by Design approach.
GDPR will likely add some workload for IT staff, as the new regulation demands closer collaboration with other corporate functions (starting with HR and customer-facing teams) and affects how IT services are delivered and tracked over time. However, the EU regulation is also an opportunity to improve ITSM processes and put individual privacy at the core of present and future IT decisions.
Considering recent scandals about unauthorized and illegitimate use of personal data, forward-looking organizations can leverage GDPR to keep up with people's expectations around privacy and data protection.