Supporting GDPR with Software Asset Management
How SAM will assist in preparing your organization for GDPR
You’d be hard pressed to find anyone in the IT business who hasn’t got 25th May 2018 highlighted in their calendar. It’s the date that the EU General Data Protection Regulation (GDPR) comes into effect, and it is considered to be the biggest shake-up to data management we’ve ever seen.
GDPR was designed to address the shortcomings of the existing data rules, the Data Protection Directive (DPD). It covers personal data – like names, addresses, phone numbers, account numbers, and email and IP addresses – and homes in on individuals’ privacy and security. It requires companies to carefully consider where personal data is stored, who has access to it, and how they are protecting it from data breaches through encryption.
GDPR applies across all EU member states: organisations that handle GDPR-affected data must follow the new standards for data management. Every member state will employ a Supervisory Authority to handle complaints and offences. These authorities will work collaboratively in joint operations through the European Data Protection Board (EDPB), with a lead authority heading up several individual Supervisory Authorities where an organisation has multiple locations across the EU.
Key Changes as a result of GDPR
The official GDPR Portal offers insight into the key changes the GDPR brings, which are:
● Full protection, even if data processing takes place outside of the EU
● Intelligible, legible, accessible terms and conditions for consent
● Large fines as a result of violation of the regulation
● Mandatory customer notification of data breaches
● Greater transparency in how personal data is being used
● The “right to be forgotten” and the right to access any data submitted
● Security must be at the forefront of data management systems, not an add-on
● Consistent internal record keeping requirements for all organisations
The consequences of GDPR non-compliance
Very high-profile fines. An organization found to be in breach of GDPR is subject to fines of up to 4% of its annual global turnover, or €20M (whichever is greater); a substantial increase on the penalties currently in place, and one which, for many, could threaten the future of the business both financially and in terms of reputation and shareholder involvement.
What do companies need to do to prepare for GDPR?
“Rules” for preparing for GDPR are still ambiguous. Relevant training for employees will be essential, and new security processes will need to be implemented throughout the organization, not just in IT. Although methods for collecting and storing data, and for securing software and servers, will have been under scrutiny for months, the technology involved will be called into question under GDPR. This will no doubt involve the introduction of new, “state of the art” technologies, which could, and should, help automate the security of data – which raises the question…
What is the role of IT Asset Management in GDPR preparation?
How SAM supports GDPR
In a nutshell, in order to establish full data protection, companies must know their entire IT estate inside out, which means no device, no user, and no software instance goes undetected. Sound familiar?
Discovery, the act of tracking all IT assets deployed across the network, delivers both hardware and software audit information. This is obviously a major contribution to GDPR compliance, and highlights the ITAM manager’s essential position in preparation for the regulation coming into effect. SAM data offers that first step on the journey toward GDPR compliance:
Step One: Detailed Network Inventory Information
A full hardware and software inventory, using both client-agent auditing (where it is preferable to do so) and agent-less auditing (for particularly sensitive parts of the network), will provide full asset knowledge. The larger the number of undiscovered devices on the network, the greater the risk of a breach of GDPR.
Step Two: Who Holds What and How?
Beyond software, you will need to understand users. You will need to check what software access they have, whether they’re holding personal data, and whether access to that data is necessary for business purposes. Should a security breach occur – and these are often sparked internally, accidentally or otherwise – it is far easier to trace the source if a SAM tool is deployed that lists how key applications are being used.
Step Three: The Big Clean Up
If personal data is not necessary for business purposes, it should be deleted. If it is necessary, you need to know whether access to it is limited to only those who need to see it; otherwise, security measures will need to be put in place to restrict access. Encrypted devices remain protected even if they are lost or stolen, or in the event of a security breach.
Remember: Staff and suppliers’ data must also be protected under GDPR.
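As an added illustration of the three steps above (example code, not from the original article or any SAM product), the following Python reconciles a SAM discovery snapshot against the devices an organisation has on record, then reviews which users can reach applications that hold personal data. The device names, users and applications are all constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data (not from the article): what the agent / agent-less
# audit actually found, versus what procurement or the CMDB says should exist.
DISCOVERED = {"ws-001", "ws-002", "srv-hr-01"}
KNOWN = {"ws-001", "ws-002", "ws-003", "srv-hr-01", "srv-fin-02"}


@dataclass
class Access:
    """One user-to-application entitlement, as a SAM tool might export it."""
    user: str
    app: str
    holds_personal_data: bool   # does the application store GDPR-relevant data?
    business_need: bool         # has the access been justified for this user?


# Constructed access list for the review.
ACCESS = [
    Access("alice", "HR-Payroll", True, True),
    Access("bob", "HR-Payroll", True, False),
    Access("carol", "CRM", True, False),
    Access("dave", "CAD", False, False),
]


def undiscovered_devices(known, discovered):
    """Step One: devices on record that no audit has seen. Each is an unknown
    that may hold personal data, so each is GDPR exposure to close."""
    return sorted(known - discovered)


def review_access(access):
    """Step Two: for each application holding personal data, split its users
    into those with a business need (keep) and those without (revoke)."""
    keep, revoke = {}, {}
    for a in access:
        if not a.holds_personal_data:
            continue
        bucket = keep if a.business_need else revoke
        bucket.setdefault(a.app, []).append(a.user)
    return keep, revoke


def delete_candidates(access):
    """Step Three: applications holding personal data that nobody has a
    business need for; the data itself should go, not just the access."""
    keep, revoke = review_access(access)
    return sorted(app for app in revoke if app not in keep)
```

Run against a real SAM export, the `undiscovered_devices` list is the gap between what you think you own and what you can actually see, and the `revoke` and `delete_candidates` results are the work list for the clean-up.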
An effective SAM Solution to prepare for GDPR
If your organization doesn’t have an adequate ITAM tool or SAM solution in place, now’s the time to get one. More clarification on what the necessary “state of the art” technology might look like would be helpful, but tackling a lack of visibility of the IT estate should be the ITAM Manager’s first port of call, or they risk failing their organizations when it comes to GDPR compliance.
Find out how we can help with ITAM and GDPR.