London, 25th May 2017
The implementation of the EU General Data Protection Regulation (‘GDPR’) is exactly 1 year away today.
The following article by Phil Hames of The Business Software Centre explains the relationship between software asset management (SAM) and GDPR.
The aim of GDPR is to strengthen individuals’ privacy and security rights, and to simplify the flow of personal data within the European Union (‘EU’). It applies to any organization, whether or not it is based in the EU, that collects, retains or processes the personal data of individuals in the EU. Organizations will be required to keep the personal data they hold secure and to limit the impact of data breaches through measures such as encryption.
The single set of rules will apply to all EU member states, including the UK. Each member state will have its own Supervisory Authority (SA) to hear and investigate complaints, sanction administrative offences, and so on. Individual SAs will cooperate with each other, providing mutual assistance and organizing joint operations. Where a business has multiple establishments in the EU, it will have a single SA as its ‘lead authority’, based on the location of its ‘main establishment’. The lead authority will supervise all the processing activities of that business within the EU. Co-ordination of the SAs will be through the European Data Protection Board (EDPB).
If in breach of the Regulation, organizations can expect fines of up to 4% of their annual global turnover or €20 million, whichever is higher. These are significant increases on existing penalties. In many cases, a fine applied in full could threaten the future of an organization.

Although the UK voted to leave the EU, the GDPR will still apply. Firstly, the UK will still be an EU member when GDPR comes into force; and secondly, GDPR contains an extraterritoriality clause. This means that any controller or processor handling the personal data of individuals in the EU is within scope of GDPR, irrespective of where the processing takes place. So if an organization handles data on individuals in the EU, or sells services such as cloud and datacentre hosting to EU organizations, it will need to comply with the EU rules. It is also expected that the UK will permanently adopt similar rules in order to facilitate data transfer between countries.

Article 37 of the GDPR requires a data protection officer (DPO) to be designated by all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.
Firms whose core activities do not meet these criteria are not obliged to appoint a DPO, although they remain subject to the rest of the Regulation.
A large part of GDPR is about the processes and operational aspects of data protection. Relevant staff training and implementation of the correct security processes will need to be applied. However, in many cases appropriate technologies will assist an organization in automating the processes and treating data in the safest and most secure way.
GDPR is not prescriptive about the technology to be used. Article 32, for example, lists as appropriate measures: “the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures”. It says these measures should take account of the “state of the art”, but this leaves important aspects open to debate. Will it be left to the courts to decide whether the technology used was state of the art? How many ITAM managers would say that the technology they currently use is state of the art? If the question asked after an incident is, “Why wasn’t this device and its data encrypted?”, having no record of the device or of the applications installed on it is hard to defend: you cannot show that appropriate measures were applied to an asset you did not know you had.
Most organizations need to be making decisions now about the technologies they will employ to ensure they close the gaps between their current state and where they need to be to comply with GDPR.
ITAM managers will need to play a crucial role in ensuring their organizations are GDPR compliant. Quite simply it is essential to know what devices are deployed, where they are and what software they can access. Without this information data cannot be protected.
Many companies will admit that they do not have full visibility of their hardware estate, let alone of the software installed on it. What if the company allows its users to bring their own devices (BYOD)? The company will then need to control which data those users can access and download.
Here is a checklist for ITAM managers contributing to GDPR compliance:
- Having discovery agents on 80% of an estate means the remaining 20% are potentially the greatest risk. An agentless scan can be a fast and effective way to fill the gaps in asset knowledge: which devices exist and what software is installed on them.
- It is not good enough to know just your software inventory. Knowing who has access to key software applications and data, and who actually uses key applications, makes it possible to trace users in the event of a security breach. A large proportion of security breaches are internal, either deliberate or through negligence. Deploying a software usage tracking and analysis tool can help identify who is responsible for a data breach and, in some cases, enable preventative measures.
- If an encrypted device is mislaid or stolen, the information residing on it is protected, provided the encryption is full-disk, the key is not stored alongside the data, and the device was locked or powered off when it was lost. A managed encryption service is quick to deploy and provides evidence, per device, that the measure was in place when a breach occurs.
- SAM managers themselves keep sensitive information about staff, suppliers and contractual terms. These records must be secured too: the names, user accounts and usage histories of employees and contractors are personal data under GDPR, just as customer data is.
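The first checklist item is, in practice, a reconciliation problem: join the agent-based inventory against an agentless sweep of the network and report what falls outside the agents’ view. The following Python script is an added example written for this page, not code from the original article or from any SAM product. It uses constructed sample data (hostnames, MAC addresses and IPs that exist nowhere) and joins the two sources on a normalised MAC address; it then reports coverage, the devices no agent reports, the managed devices still lacking disk encryption (third checklist item), and agents reporting from devices the scan did not see.

```python
"""
Reconcile an agent-based inventory with an agentless network scan to find
(a) devices on the network that no discovery agent reports,
(b) agent-managed devices that lack full-disk encryption, and
(c) agents reporting from devices the scan did not see.

All data below is constructed for this example; no real estate is described.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample: a typical export from an agent-based inventory tool.
AGENT_INVENTORY_CSV = """hostname,mac,os,disk_encrypted
LAPTOP-0412,AA-BB-CC-00-00-01,Windows 10,yes
LAPTOP-0413,AA-BB-CC-00-00-02,Windows 10,no
SRV-FILE01,AA-BB-CC-00-00-10,Windows Server 2016,yes
MAC-HR-07,AA-BB-CC-00-00-20,macOS 10.12,yes
"""

# Constructed sample: an agentless sweep of the same subnet (for instance
# ARP or DHCP lease data). Note the different MAC format, a host with no
# name, and a device that the agent inventory knows nothing about.
AGENTLESS_SCAN_CSV = """ip,mac,hostname
10.0.1.11,aa:bb:cc:00:00:01,LAPTOP-0412
10.0.1.12,aa:bb:cc:00:00:02,LAPTOP-0413
10.0.1.13,aa:bb:cc:00:00:03,
10.0.1.50,aa:bb:cc:00:00:10,SRV-FILE01
10.0.1.77,aa:bb:cc:00:00:42,android-3f9c
"""


def normalise_mac(raw: str) -> str:
    """Canonical lower-case, colon-separated form so both sources join."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_csv(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


@dataclass
class Reconciliation:
    discovered: int        # distinct devices seen by the agentless scan
    managed: int           # of those, how many an agent also reports
    unmanaged: list        # on the network, no agent (the "20%")
    unencrypted: list      # agent-managed hosts without disk encryption
    agent_only: list       # agents reporting, device not seen by the scan

    @property
    def coverage(self) -> float:
        return self.managed / self.discovered if self.discovered else 0.0


def reconcile(agent_csv: str, scan_csv: str) -> Reconciliation:
    agents = {normalise_mac(r["mac"]): r for r in load_csv(agent_csv)}
    scanned = {normalise_mac(r["mac"]): r for r in load_csv(scan_csv)}

    unmanaged = sorted(
        f"{r['ip']} ({r['hostname'] or 'unknown host'})"
        for mac, r in scanned.items() if mac not in agents
    )
    managed = len(set(scanned) & set(agents))
    unencrypted = sorted(
        r["hostname"] for r in agents.values()
        if r["disk_encrypted"].strip().lower() != "yes"
    )
    agent_only = sorted(
        r["hostname"] for mac, r in agents.items() if mac not in scanned
    )
    return Reconciliation(len(scanned), managed, unmanaged, unencrypted, agent_only)


if __name__ == "__main__":
    result = reconcile(AGENT_INVENTORY_CSV, AGENTLESS_SCAN_CSV)
    print(f"Agent coverage: {result.managed}/{result.discovered} "
          f"({result.coverage:.0%})")
    print("No agent:          ", result.unmanaged)
    print("Not encrypted:     ", result.unencrypted)
    print("Agent, not on scan:", result.agent_only)
```

Joining on MAC address is the simplest key, and the one most easily broken: mobile devices randomise MACs, and virtual machines and docking stations reuse them, so a production reconciliation should join on several attributes (hostname, serial number, cloud instance ID) and treat each unmatched row as a question to answer rather than a defect to suppress. The "agent, not on scan" list is worth keeping too: a device with an agent that the network never sees is exactly the laptop that goes missing without anyone noticing.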
Most, if not all, organizations will be affected by GDPR, and they will either take measures to comply or decide to take the risk that a breach will not occur. The penalties following a breach are significant, so taking the risk is probably not the best course of action. We are already in discussion with several Snow customers and their technical security teams on how the Snow technology platform and its data can be pivotal to GDPR compliance. SAM managers have to play their part in the process. A responsible approach is to raise the issue with the management team wherever there is a lack of visibility of assets or of the software and data that reside on them. By failing to identify gaps that affect data security, SAM managers would be letting down their organizations, their colleagues and the individuals who have allowed their data to be used. Senior management can make decisions about risks only if they are aware of them.