A GDPR cheat sheet for IT
service management

The GDPR and ITSM

Implemented on May 25th, 2018, the GDPR is a regulation drafted by the EU to protect the privacy of EU residents. It brings together a set of rules that provides these individuals with rights over their personal data.

IT service management (ITSM) sits at the heart of every IT infrastructure, providing the IT support businesses need to achieve their goals.

Key aspects of the GDPR in the context of ITSM

Personal data

Any information relating to a data subject (identified or identifiable natural person)

1. Person - Name, Phone, Email, Company, Designation, Address and Location.
2. Access - Login ID
3. Asset - IP Address, MAC Address, IMEI, UDID

Who are the key players?

1. Data controller - A person who decides how personal data is going to be processed.
2. Data processor - A person who processes data on behalf of the controller.

Are you using IT service desk applications?

• You could be both the data controller and the data processor if you use on-premises applications.
• You are the data controller while the cloud vendor is the data processor if you use cloud applications.

What are the key data subject rights under GDPR?

• Transparency
• Right to access
• Right to be forgotten
• Right to rectification
• Notification obligation
• Right to data portability
• Right to object
• Right to restriction of processing

What are the key aspects of ITSM influenced by the GDPR?

Here are the 8 key aspects of how GDPR impacts ITSM:

1. User management: Manage users, create user roles and groups, manage access privileges, and maintain an accurate database of all users.
2. Request management: Maintain channels for raising requests, facilitate request fulfillment, and manage the complete request life cycle.
3. Change management: Update an old system (e.g. patching or software upgrades), or create a new system (e.g. setting up a data center).
4. Asset management: Commission, maintain, decommission, and take inventory of IT assets. Reporting: Measure the performance of the IT service desk, and continually improve productivity.
5. Notification and communication: Streamline the constant flow of information moving in and out of the IT service desk.
6. Maintenance activities: Track and maintain the list of necessary, repetitive tasks that address the overall health of your IT infrastructure.
7. Integrations: Seemlessly integrate with other tools used in your organization to implement a change or fulfill a request.

What are the IT service desk practices that could compromise data privacy?

Let's take a look at some of the IT service desk practices to prepare for GDPR compliance.

1. Data request:

   • Using a common request template for all types of requests.
   • Being unable to distinguish between PII and non-PII.

2. Data access:

   • Sharing files in forwarded email chains.
   • Failing to protect access to files and archives.
   • Exposing data to other teams while processing a request.
   • Storing or accessing user data even when it's no longer required.

3. Nofitication:

   • Forwarding email chains to share files among stakeholders and their teams.
   • Sending automated notifications to unintended recipients.
   • Exposing data to other teams while processing a request.

4. Asset handling:

   • Leasing out assets without implementing security measures.
   • Neglecting to audit access to asset information.
   • Forgetting to revoke remote control access after intended use.

What are the IT service desk measures to ensure data protection?

1. Data request:

   • Identify PII so you won't miss it during deletion.
   • Collect only required information.

2. Data access:

   • Use file sharing to share information with other teams.
   • Password-protect any files that contain PII.
   • Encrypt archived data.
   • Anonymize personal data upon deletion of user.

3. Notification:

   • Create roles for triggering notifications.
   • Regularly audit the automated notification settings.
   • Restrict access to viewing, editing or deleting data with user roles.

4. Asset handling:

   • Create security procedures for leasing assets.
   • Maintain a record of asset history.
   • Revoke access whenever the intended action is completed.

What are the GDPR features to look for in an IT service desk tool?

Take a look at the list of GDPR features which helps to begin your GDPR journey:

• PII identification
• Personal data encryption
• User roles that restrict access to data
• Data anonymization
• Activity log tracking
• Password protection of files