While understanding of GDPR has improved, the specifics of how it will impact functions such as the service desk are not as clear. ITSM and security expert Stuart Rance explains what to look out for.
The new EU General Data Protection Regulation (GDPR) comes into force in May 2018, and if your organisation is not already well prepared then you need to take urgent action right now. If you’re not familiar with GDPR then you can read my blog How to Explain GDPR to a 5 Year Old for an overview of the key ideas.
If you have a separate IT security team who take responsibility for security and data privacy, then you may think that they can take care of everything to do with GDPR for you, but this could not be further from the truth. GDPR affects every part of the business, including your marketing department, sales, legal, HR – anybody who controls or processes personal data, or sets the rules for how this should be done.
In this blog I’m going to share some thoughts about how GDPR might impact your IT service desk.
What personal data does the service desk use?
The first thing you need to do is to think about what personal data your service desk uses. I can give some examples here, but you need to do this analysis for your own service desk. You need to ensure you think about everything they do, and all the data they use. Examples of personal data that a service desk might use include:
- Names, private addresses, and personal phone numbers of employees or external customers
- Information about technology that has been issued to support disabled employees
- Information about staff, including current roles and employment histories
- Incident records, which may include a wide range of personal information supplied by the people who describe incidents
- Service request records, especially if your service desk supports functions such as HR and legal, as well as IT
How does the service desk use this data?
You need to think about all the information you store on your service desk, and ensure that you can answer questions like:
- What personal data do you store on the service desk?
- How do you process this data, and what do you use it for?
- What is the legal basis for such processing? For example, you may have permission from the people whose data you process, or it may be essential to enable delivery of a service that they have requested.
- Who can access the data you hold, and have they been trained to understand their obligations under GDPR?
- How is the data protected? Have you carried out a risk analysis to ensure that this protection is appropriate?
- How do you maintain the data? What checks do you have to ensure it is accurate? How long do you keep it for?
There are many other questions you may need to consider. What’s more, it is not enough to think about all the questions relevant to your organisation; you also need to keep records to show that you have done so.
How will your service desk respond to requests from data subjects?
GDPR gives data subjects a number of rights; for example, they can demand a transportable copy of any data that you hold about them. What will your service desk agents do when someone calls them and asks to exercise one of these rights? Do you have procedures in place, or does the service desk know where to send the request?
You need to think about how you are going to respond to these requests, and put in place the right procedures and training to ensure that your service desk does the right thing when necessary.
Your service desk needs to be ready for GDPR before it comes into force in May 2018. There’s lots of work to do to ensure that you understand what data the service desk controls, how they process this data, how they protect the data, what gives them the right to use this data, and how they are going to respond to requests from users. Once you do understand all of this, you need to train all your service desk agents so that they know what they need to do, and are ready to do the right thing.
The clock is ticking; you don’t have much time…