The countdown toward GDPR is on. Friday 25th May marks the enforcement of the EU’s General Data Protection Regulation, and it’s not just IT and Technology sectors that are looking at a complete shift in culture – this will impact every industry, cloud-based or otherwise, that collects, retains, or processes personal data on EU individuals, regardless of physical business location.
In what is being dubbed the biggest shake-up to the privacy and security landscape, data management will never be the same: the regulation imposes stringent rules on the handling of personal data while streamlining its flow inside the European Union.
With the threat of fines of up to 4% of a company’s global annual turnover, or €20m (whichever is greater), for non-compliance, the mere mention of GDPR has had some companies quaking in their boots. Indeed, the demand for “accountability” and “transparency” has put the often neglected responsibilities that many would assume come as standard in data management under internal scrutiny. That is, companies are scrambling to reach compliance in time.
Much of the GDPR advice being published is related to infrastructure – technology management, storage, and server security – and most of it fails to address the equally vital issues of IT Asset Management and Discovery.
After 25th May, if a company is found to be in breach of GDPR, as well as dealing with the fine there will be questions, both internally and from the supervisory authority, about how the company fell short. The IT Department, or rather the CIO, will be held accountable, and will need to be aware of the following.
GDPR means that data privacy and security are no longer an optional add-on or a “nice-to-have”, but an essential part of business processes. To answer these demands, IT leaders must invest in broader SAM competency and in appropriate solutions and services from internal or third-party providers. Companies that suffer a data breach may not even know that the device or application at the source of the breach existed on their network; a mature SAM process, with a discovery inventory that is kept current, makes that scenario far less likely.
IT Asset Management is a key enabler on the journey to GDPR compliance. It offers full visibility of a company’s IT network as well as a reliable data source to present to a GDPR specialist, and as such, the IT department should now be using it to lead the way in developing a resilient data protection strategy.
Tracking IT Assets: Device discovery provides a complete hardware and software asset inventory across the network. This is a key part of any Software Asset Management process, but crucially, it paves the way toward GDPR compliance: you cannot protect personal data on a device you do not know exists. When shortlisting a Discovery tool, IT departments should take GDPR into account, choosing a tool that reconciles what is actually on the network against the asset register and so reduces the number of undiscovered devices.
Monitoring access: A mature SAM programme accounts for all software and all user access: the traditional installed-software inventory as well as user-based and subscription software, which is all the more common now with BYOD and SaaS. An up-to-date audit reveals and pinpoints potential security weaknesses, taking into account both direct and indirect access to personal data, and asks, for each user and application, whether access to that personal data is necessary to complete their tasks.
Locking down data: If the personal data being stored is not necessary for any business purpose, access to it should be removed, or the data erased altogether. If it must be retained, encryption and access controls can be put in place so that only those who truly need access have it. With that done, the data is secured, the basis for holding it is documented, and the core GDPR obligations of data minimisation and access limitation are met.
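The three steps above (discover, review access, remove what is not needed) reduce to two reconciliations that can be scripted. The following is an added example, not code from the original article or from any SAM product: it diffs a discovery sweep against the asset register to surface unregistered and stale devices, then checks who holds access to personal-data stores against the roles that have a documented need for each store. All register entries, scan results, users and roles are constructed for the example.

```python
"""Asset-register reconciliation and personal-data access review.

Added example (not from the original article). Every record below is
constructed; in practice the register comes from the CMDB/SAM tool and
the discovery list from an ARP/DHCP sweep or agent check-ins.
"""
from typing import Dict, List, Set

# Constructed asset register: what the SAM tool believes is on the network, keyed by MAC.
ASSET_REGISTER: Dict[str, Dict[str, str]] = {
    "aa:bb:cc:00:00:01": {"host": "fs01", "owner": "IT", "role": "file-server"},
    "aa:bb:cc:00:00:02": {"host": "ws-042", "owner": "HR", "role": "workstation"},
    "aa:bb:cc:00:00:03": {"host": "db01", "owner": "IT", "role": "database"},
}

# Constructed discovery results from a network sweep.
DISCOVERED: List[Dict[str, str]] = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.0.1.10", "host": "fs01"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.2.42", "host": "ws-042"},
    {"mac": "de:ad:be:ef:00:09", "ip": "10.0.2.99", "host": "nas-personal"},  # nobody registered this
]


def unregistered_devices(register: Dict[str, Dict[str, str]],
                         discovered: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Devices seen on the wire that the asset register knows nothing about.

    MACs are normalised to lower case because scanners and registers rarely agree on case.
    """
    return [d for d in discovered if d["mac"].lower() not in register]


def missing_devices(register: Dict[str, Dict[str, str]],
                    discovered: List[Dict[str, str]]) -> List[str]:
    """Registered assets that did not answer the sweep: stale records or offline
    systems that still need a follow-up (a decommissioned disk may still hold data)."""
    seen = {d["mac"].lower() for d in discovered}
    return sorted(mac for mac in register if mac not in seen)


# Constructed: stores holding personal data, the accounts granted access to each,
# and the roles with a documented business need for that store.
PERSONAL_DATA_STORES: Dict[str, Dict[str, Set[str]]] = {
    "hr-share": {"grants": {"alice", "bob", "carol", "svc-backup"},
                 "needs": {"hr-analyst", "backup"}},
    "crm-db": {"grants": {"dave", "alice"},
               "needs": {"sales"}},
}

# Constructed role assignments per account.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"hr-analyst"},
    "bob": {"developer"},
    "carol": {"hr-analyst"},
    "dave": {"sales"},
    "svc-backup": {"backup"},
}


def excess_access(stores: Dict[str, Dict[str, Set[str]]],
                  user_roles: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Grants on personal-data stores held by accounts with no role that needs them.

    Returns {store: sorted accounts whose access should be removed}. Accounts absent
    from the role table are treated as having no need, so orphaned grants are flagged too.
    """
    findings: Dict[str, List[str]] = {}
    for store, info in stores.items():
        excess = [acct for acct in info["grants"]
                  if not (user_roles.get(acct, set()) & info["needs"])]
        if excess:
            findings[store] = sorted(excess)
    return findings


def report() -> List[str]:
    """Plain-text findings suitable for handing to the data-protection lead."""
    lines = []
    for dev in unregistered_devices(ASSET_REGISTER, DISCOVERED):
        lines.append(f"UNREGISTERED {dev['host']} ({dev['ip']}, {dev['mac'].lower()})")
    for mac in missing_devices(ASSET_REGISTER, DISCOVERED):
        lines.append(f"NOT SEEN     {ASSET_REGISTER[mac]['host']} ({mac})")
    for store, accts in sorted(excess_access(PERSONAL_DATA_STORES, USER_ROLES).items()):
        lines.append(f"EXCESS GRANT {store}: {', '.join(accts)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run on the constructed data, the report flags the unregistered NAS, the database that did not answer the sweep, bob’s access to the HR share, and alice’s access to the CRM database. The unregistered device is the case the Discovery paragraph warns about; the two excess grants are exactly what the access-monitoring and lock-down steps exist to find and remove.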
Software asset management has long been touted as essential in making informed business decisions around IT budgeting and spending within the business as a whole. But the nature of effective SAM means that it exposes flaws in a company’s knowledge of its IT network, highlights potential weak links that could reveal insufficient software licensing, or worse – gaps in security and privacy.
SAM is not a quick fix, but the processes involved are dual purpose. And although full GDPR compliance before the 25th May deadline seems like a huge task, documented evidence of the efforts made toward compliance demonstrates the robust, risk-based approach to data security and privacy that the regulation’s accountability principle asks for.