GDPR compliance requires cooperation between departments and functions which are not typically asked to collaborate. Melanie Karunaratne of Ivanti explains the role IT teams must play to ensure GDPR doesn’t cause problems.
The EU GDPR (General Data Protection Regulation) applies from 25 May 2018. It binds every organisation established in an EU member state, and also organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU; what matters is where the data subjects are, not their citizenship. The UK government is also planning to strengthen its data laws with a new Data Protection Bill which closely mirrors the GDPR.
Despite many organisations at the SITS and InfoSecurity shows in 2017 claiming that their solutions could ‘solve’ GDPR compliance woes, no one piece of technology can do this, because ultimately GDPR is a business rather than a technology issue. For example, a solid and practical breach notification process can only be established through discussion and co-ordination across departments.
Businesses seeking GDPR compliance need a combination of internal process and policy reviews and adjustments, which technology can enable, but there is no silver bullet. The principles of ITSM are the cornerstones of a unified approach to GDPR, one in which IT and security teams and their tools work together towards their common goals: compliance, business efficiency and minimised security risk. Together they should be able to handle the assessment and mitigation of risk, policy enforcement and data security. They should also provide a robust response to incidents and requests, and the ability to prove the organisation’s compliance with regulations like the GDPR should the need arise.
However, organisations should not just be looking to check a GDPR compliance box. This is an opportunity to evaluate existing activities and processes to implement a comprehensive plan that not only mitigates the risk of non-compliance but offers additional IT and business benefits.
So, how can IT and Security teams and systems work together to comply with the new regulation?
Know what’s in your network – the role of ITAM
According to Gartner, most organisations around the world are still unprepared for the GDPR. Perhaps this is because the first step towards GDPR compliance is an intimidating one: they need to locate all of the personal data they hold. This first step requires ITAM (IT Asset Management), which is a crucial tool to have in place at any stage of compliance because you can’t manage, protect or secure what you don’t know about. Data can be hard to pin down because there are often discrepancies in how it is stored and secured between regional and national offices, and even between departments. On top of this, BYOD (Bring Your Own Device) means that data is increasingly mobile and therefore harder to track.
So it’s important to establish your baseline before you can make adjustments: where is your data and how is it currently being protected? ITAM processes and systems integrated with security solutions and configuration management databases will support your data discovery process. They will also deliver data about services, network assets (both online and offline), connected devices, apps and files, as well as who has access to these assets. In the process of discovering and managing your assets, you’ll likely pinpoint process weak points and security vulnerabilities that could be exploited. ITAM amplifies visibility and provides automated processes for tracking and managing assets, so that data which is non-compliant or risky can be secured or removed.
Implementing governance and response: the role of ITSM
Two significant parts of GDPR compliance are breach notification and data subject requests. Firstly, organisations must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals), and must inform the affected individuals without undue delay where the breach is likely to result in a high risk to them. Secondly, organisations must respond, normally within one month of receipt, to requests from data subjects, who have the right to know what data is held about them and how it is processed and shared.
ITSM can help organisations enforce and respond to these requirements because it is by its very nature a workflow enabler. As we know, executing and enforcing defined processes is ITSM’s bread and butter. However, there is a balancing act between ensuring processes are adhered to and enabling productivity within the workforce. By combining ITSM processes and tools, you can streamline the implementation and enforcement of policies through workflows, and automate manual processes to improve efficiency.
ITSM processes and tools can play an invaluable part in supporting DPOs (Data Protection Officers). They can perform a range of important tasks, from managing data requests and incidents to simplifying audit reporting. Existing ITIL processes can be put to work here: event, request and incident management can automate the steps an organisation must take to stay compliant. Change management should control data flow and ensure that relevant changes to endpoints holding personal data are approved before they happen. SLAs (Service-Level Agreements) attached to request and incident tickets keep the statutory deadlines visible and escalate work that is at risk of missing them. Through automation and self-service you can block unauthorised applications or enforce file encryption to protect the IT infrastructure and data, while allowing flexibility by offering authorised services and even data access configured by role. In addition, a self-service portal is the ideal place for GDPR announcements, or for a knowledge base where employees can learn about the GDPR and how to respond to information requests or breaches.
If a data subject request comes in, or a data breach takes place, your ITSM processes and tools can initiate a communications workflow with key stakeholders and ensure that all GDPR requirements are met within the mandated time.
Couple this with encryption, with identity and access controls that limit administrative and privileged access, and with data masking so that only those with a genuine need can view personal data. You can then take enterprise ITSM a step further by integrating it into broader business processes such as onboarding and offboarding in the HR department. In terms of the GDPR, proper offboarding is particularly important, as ex-employees must no longer have access to business applications and data. A lack of defined and automated processes creates a significant gap in an organisation’s compliance: onboarding and offboarding that isn’t linked to the service desk simply isn’t good enough to protect your company.
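The offboarding gap above is easiest to see as a detective control that reconciles three sources the text mentions: HR’s leavers list, the directory’s account state, and the service desk’s offboarding tickets. The following Python is an added example, not Ivanti’s code or any product’s API; the record shapes and the three sample datasets are constructed for illustration (in practice they would come from HR, an AD/LDAP export and the ITSM tool’s ticket API).

```python
"""Detective control for offboarding: reconcile HR leavers against directory
accounts and service-desk offboarding tickets.

Added example, not Ivanti's code. The three inputs are constructed inline and
the field names are assumptions; real data would come from HR, the directory
and the ITSM tool.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Leaver:
    user: str
    leave_date: date


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    privileged: bool
    last_logon: Optional[date]


@dataclass(frozen=True)
class Ticket:
    user: str
    status: str  # "open" or "closed"


# Constructed sample data (no real people or systems).
LEAVERS = [
    Leaver("alice", date(2018, 3, 30)),  # ticket closed, account disabled: fine
    Leaver("bob", date(2018, 4, 13)),    # no ticket at all, still enabled, still logging on
    Leaver("carol", date(2018, 4, 20)),  # ticket closed but account still enabled
    Leaver("dave", date(2018, 5, 10)),   # leaves next week; nothing due yet
]
ACCOUNTS = {
    "alice": Account("alice", enabled=False, privileged=False, last_logon=date(2018, 3, 29)),
    "bob": Account("bob", enabled=True, privileged=True, last_logon=date(2018, 4, 25)),
    "carol": Account("carol", enabled=True, privileged=False, last_logon=date(2018, 4, 19)),
    "dave": Account("dave", enabled=True, privileged=False, last_logon=date(2018, 4, 27)),
    "erin": Account("erin", enabled=True, privileged=False, last_logon=date(2018, 4, 27)),
}
TICKETS = [Ticket("alice", "closed"), Ticket("carol", "closed")]
AS_OF = date(2018, 5, 1)


def find_offboarding_gaps(leavers, accounts, tickets, as_of, grace_days=1):
    """Return one finding per leaver whose account should be disabled but is not.

    A leaver is due once as_of is past leave_date + grace_days. The reason tells
    the service desk and security what failed:
      no_ticket      HR knows they left but no offboarding ticket was raised
      ticket_open    ticket raised but never actioned
      ticket_closed  ticket closed yet the account is still enabled (control failure)
    A logon after the leave date, or a privileged account, raises the severity.
    """
    tickets_by_user = {t.user: t for t in tickets}
    findings = []
    for lv in leavers:
        if as_of < lv.leave_date + timedelta(days=grace_days):
            continue  # not yet due
        acct = accounts.get(lv.user)
        if acct is None or not acct.enabled:
            continue  # already removed or disabled
        ticket = tickets_by_user.get(lv.user)
        if ticket is None:
            reason = "no_ticket"
        elif ticket.status == "open":
            reason = "ticket_open"
        else:
            reason = "ticket_closed"
        logon_after_leaving = acct.last_logon is not None and acct.last_logon > lv.leave_date
        severity = "high" if (acct.privileged or logon_after_leaving) else "medium"
        findings.append({
            "user": lv.user,
            "reason": reason,
            "severity": severity,
            "logon_after_leaving": logon_after_leaving,
        })
    return findings


def sample_findings():
    """Run the reconciliation over the constructed sample data."""
    return find_offboarding_gaps(LEAVERS, ACCOUNTS, TICKETS, as_of=AS_OF)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run on a schedule, each finding becomes a ticket or a security alert; the `ticket_closed` case is the one worth watching, because it means the process exists on paper but the hand-off from service desk to directory did not happen.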
Under GDPR, organisations must be able to demonstrate compliance, not merely assert it. Supervisory authorities have the power to carry out data protection audits whether or not you have suffered a breach, so your GDPR strategy must be auditable. Regular internal audits will help you stay compliant, and your ITSM tools should retain the historical records, reports and dashboards you need to prove compliance to the authorities.
Ultimately, ITSM allows organisations to protect their reputation and budget by letting them demonstrate that they are doing everything in their power to reduce risk and counter data breaches. Organisations that can show they are doing everything they can to comply with regulations like GDPR will also make their customers and partners feel safer; in essence, these streamlined processes are business enablers.
Secure data and prevent data breaches: the role of IT security
It’s safe to say that cybercriminals now understand the monetary worth of data; just look at the high-profile attacks of the last year. Cybercriminals have increasingly been exploiting vulnerabilities in systems and holding data to ransom. Under GDPR, an organisation that is attacked and is also found to be non-compliant faces administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, on top of reputational damage far greater than before.
An unprotected and unpatched OS, device or user account offers an entry point into the network and onto the data. Protecting these is key to reducing risk and preventing data breaches from happening in the first place. A layered approach to security reduces the likelihood that an attack succeeds and protects personal data. Security teams can help organisations prepare for GDPR compliance by discovering vulnerabilities and keeping data secure with automated, ongoing patching of both physical and virtual systems. Application whitelisting, device control and application policies further reduce the attack surface and defend against breaches.
Unified IT – working together for GDPR compliance
There is no doubt that in order to meet compliance requirements IT and security operations will need to come together. Unified IT will help ease GDPR compliance by ensuring that people, processes and technology are working as effectively as possible.
With a Unified IT approach, you’ll be able to effectively measure the risk across the organisation and assist in implementing a comprehensive GDPR compliance plan. The fulfilment of data requests can be more easily streamlined. If a data breach occurs, organisations will be able to better detect, remediate and respond to the incident.
For example, integrating reporting capabilities into data breach response processes will enable faster analysis and closure of data incidents. You can also unite IT and security teams by giving them a single dashboard for all reporting data. This dashboard should present the relevant information to every team in real time, clearly enough to be understood by everyone regardless of their expertise. This kind of integration ensures smooth and automated communication and process hand-offs between teams. Suppose a configuration change is detected on a system that holds personal data and no approved change record covers it: that can automatically raise an alert to security, who can assess whether it represents a vulnerability or an intrusion.
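The hand-off just described, and the change-management control from the ITSM section, amount to one check: compare observed configuration changes on personal-data assets against the change records in the ITSM tool. Below is an added example in Python, not Ivanti’s code or any product’s API, with a constructed CMDB, change list and change-event feed whose shapes are assumptions (in practice they would be pulled from the CMDB, the change-management module and an endpoint or configuration-monitoring feed). It also treats a change on an asset missing from the CMDB as a finding in its own right, since an inventory gap is exactly what the ITAM section warns about.

```python
"""Link ITSM change management to security alerting: flag configuration
changes observed on systems that hold personal data when no approved change
record covers them, and flag changes on assets the CMDB does not know.

Added example, not Ivanti's code. The CMDB tags, change records and change
events are constructed inline and their formats are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Change:
    change_id: str
    asset: str
    start: datetime
    end: datetime
    status: str  # "approved", "pending" or "rejected"


@dataclass(frozen=True)
class Event:
    asset: str
    when: datetime
    actor: str
    detail: str


# Constructed sample data: asset -> does it store or process personal data?
CMDB = {
    "hr-db-01": True,
    "crm-app-02": True,
    "build-srv-07": False,
}
CHANGES = [
    Change("CHG1001", "hr-db-01", datetime(2018, 4, 26, 22, 0), datetime(2018, 4, 27, 1, 0), "approved"),
    Change("CHG1002", "crm-app-02", datetime(2018, 4, 27, 20, 0), datetime(2018, 4, 27, 23, 0), "pending"),
]
EVENTS = [
    Event("hr-db-01", datetime(2018, 4, 26, 22, 40), "dba-svc", "pg_hba.conf modified"),      # inside CHG1001
    Event("hr-db-01", datetime(2018, 4, 27, 14, 5), "jsmith", "new superuser role created"),  # no change record
    Event("crm-app-02", datetime(2018, 4, 27, 20, 30), "deploy-bot", "package upgraded"),    # CHG1002 not yet approved
    Event("build-srv-07", datetime(2018, 4, 27, 9, 0), "ci-bot", "compiler upgraded"),       # no personal data, ignored
    Event("shadow-vm-99", datetime(2018, 4, 27, 10, 0), "jsmith", "ssh key added"),          # asset unknown to CMDB
]


def covering_change(event, changes):
    """Return the approved change whose window covers the event, or None."""
    for c in changes:
        if c.asset == event.asset and c.status == "approved" and c.start <= event.when <= c.end:
            return c
    return None


def unapproved_changes(events, changes, cmdb):
    """Return one alert per change that security should look at.

    reason is "no_approved_change" for a personal-data asset with no approved
    window covering the event, or "asset_not_in_cmdb" when the asset is not in
    the inventory at all. related_unapproved lists change records that match
    the asset and time but are not approved (someone ran early or without sign-off).
    """
    alerts = []
    for ev in events:
        if ev.asset not in cmdb:
            reason = "asset_not_in_cmdb"
        elif not cmdb[ev.asset]:
            continue  # out of scope: asset holds no personal data
        elif covering_change(ev, changes) is not None:
            continue  # approved change in progress
        else:
            reason = "no_approved_change"
        related = [c.change_id for c in changes
                   if c.asset == ev.asset and c.status != "approved"
                   and c.start <= ev.when <= c.end]
        alerts.append({
            "asset": ev.asset,
            "when": ev.when.isoformat(),
            "actor": ev.actor,
            "detail": ev.detail,
            "reason": reason,
            "related_unapproved": related,
        })
    return alerts


def sample_alerts():
    """Run the check over the constructed sample data."""
    return unapproved_changes(EVENTS, CHANGES, CMDB)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

Each alert carries the actor and the detail from the event so the security analyst can triage it without going back to the ITSM tool, and the `related_unapproved` field separates a process slip (a pending change executed early) from a change nobody asked for.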
This brings payoffs beyond your GDPR plan. A unified IT and security strategy will bring about greater visibility of your infrastructure and data; it will automate error-prone, labour intensive processes across teams; and it will bring in additional security controls that will strengthen a multi-layered approach to cyber threats.
Ultimately there is no one technology-based silver bullet that will solve the GDPR issue. GDPR is a business problem that the entire organisation must work together to tackle head-on, or face the consequences.