Summary: It is essential that all members of the ITSM team are provided with specific awareness, education and training in GDPR and its implication to the way that they handle sensitive personal data and use it as part of their roles.
My personal thoughts after listening to C-level executives at the CxO Roundtable Series sponsored by Intel, IBM, HyTrust & ReedSmith. For an invite, please reach out to me.
Intent-based networking (IBN) is having its day as network administrators are looking to create policies and control data flow for compliance and network administration. Companies like Cisco, Juniper Networks as well as startups like Apstra and Forward Networks are betting big that enterprises will transform their technology to work around data flows. If “data being the new oil”, then compliance and administration of data workflows should be structured around where the data goes and who handles such data. What makes IBN compelling is that through the use of various types of hardware, API’s and machine-learning algorithms, IBN learns the network topology then automates data flow. If IBN is the next step in software defined networking, then certain teams would be responsible for this evolution in more than a technical perspective, particularly IT Service Management (ITSM).
Technologies like IBN are being touted as a way for ITSM to be proactive with monitoring while being predictive with automating and implementing. It’s an avenue for simplicity. As network architecture evolves and regulation formalizes around data, ITSM is increasingly responsible for the integrity and confidentiality of personal data but, alternatively, liability if personal data is mishandled. Three of the many areas of focus for ITSM that I will speak to are education, assessment and administration of data.
The GDPR goes into effect at a time when organizations are moving away from internal customer software to a hybrid environment of internal and external tools, job responsibilities of all layers of IT are altered. This means that all businesses – the business you interact with, the business that that business interacts with, and so on – handling personal data will need to overhaul their policies, processes and procedures to prepare for GDPR. ITSM is no longer your internal team.
With the growth of the cloud, API’s and software-defined architecture, understanding network architecture no longer is an internal process based on in-house products but one that all parts of the ITSM needs to understand. With regards to the GDPR, data is handled either as a “controller” or a “processor”. The term “processor” no longer means that there are policies in place for IT but also, each member of staff (both internal and external) must understand how to handle personal data but also what should be done in case of an incident. This hyper-awareness towards data and incident response will create a need for the ITSM team to understand their roles and how to handle personal data.
An example of the distinction between data controllers and processors is if company A uses an HR solution that runs on AWS, then not only is Company A responsible for the data but also the HR solution as well as AWS. While there are different responsibilities for both handlers of data, the issue arises when a data processor uses another data processor for personal data. Not only must your team be educated on policy but so should the HR solution as well as AWS.
Data Protection Impact Assessments (DPIA)
A Data Protection Impact Assessments (DPIA) identifies and addresses the risks to the privacy rights of individuals when processing their personal data. The new role of Data Protection Officer (DPO) is required to carry out DPIA’s as well as build a risk-based security program based on established best practices, to enforce the confidentiality, integrity and availability of personal data.
Operationally, GDPR makes it necessary for an organization to have the role of a Data Protection Officer (DPO). The DPO has the responsibility and authority for the enforcement of privacy and compliance with applicable laws and to carry out regular Data Protection Impact Assessments (DPIA). DPIA’s tell organizations that they can’t simply outsource the liability for maintaining the confidentiality and integrity of personal data. It creates an audit trail so that there is compliance language in all contracts when outsourcing the processing of personal data, and perform ongoing management of the vendors in their supply chain to ensure compliance.
After DPIA completion, it is time to look at how this data is managed over time. Some questions such as: How is the organization managing data?; What kind of security architecture is in place?; Is there encryption and IAM technologies in place?; Where is the physical location of data?; (Article 44 of GDPR restricts data transfers to organizations in countries that have similar security and privacy controls). Additionally, ITSM will be tasked with creating scenarios and plans based upon incidents that may occur both internally as well as with external tools. No longer will be there be an expectation that external tools are in compliance.
The GDPR has laid out principles for personal data use but the process is yet to be defined by various handlers of data within the organization. ITSM’s role and culture will change with this latest iteration of data security and privacy as technology will be forced to become more customer-centric. Then again, caring about the customer is what most technologies have touted from the outset. It’s time to put words into action.