By Ben Eagling
Now that 2018 is here, the countdown to May 25th—the looming enforcement date of the European Union’s (EU) General Data Protection Regulation (GDPR)—doesn’t seem so far away.
Designed to address lapsed areas within the current data protection and security rules relating to the personal data of individuals, including names, addresses, phone numbers, account numbers, and email and IP addresses, GDPR has been dubbed one of the biggest shake-ups to data management.
This new legislation forces any company that holds personal information on EU residents to be fully prepared at all times to respond promptly and comprehensively to any subject access request (SAR) from an individual relating to their data. To prepare, businesses should carefully consider how and where they store data, who is able to access it, and how they are working to protect it from data breaches. Failure to follow any of these basic principles could result in a hefty fine of up to 20 million Euros or four percent of the business’ global annual turnover, whichever is greater.
The Complexities of Preparing for GDPR
Most GDPR preparation guides rightfully touch on server security, software security, and storage security. But what about the role of IT Asset Management (ITAM) in the GDPR update process?
To establish complete data protection compliance in line with GDPR rules, organizations must account for every element within their IT network—ensuring no device, program, software, or user is left undetected.
This process is no easy task for even the most experienced and technically minded staff, particularly considering the surging infiltration of modern digital technologies—Internet of Things (IoT) devices, cloud, tablets, and mobile devices to name a few—into the professional IT estate. While these trends encourage agile and streamlined workflows, the by-product is often a blurred and complicated IT environment where many lack full visibility of their hardware estate, let alone what software is installed on it. To make matters more complex, should the company allow employees to bring their own device (BYOD) to work, visibility of those individual devices and the data they hold is restricted.
In their preparations for GDPR, IT departments and ITAM managers need visibility and control of the organization’s entire IT environment. It is impossible to protect and encrypt what you do not know you have. And this is where Software Asset Management (SAM) comes into play.
Once assets are fully uncovered, licenses tracked, and usage statistics calculated, organizations have a solid foundation for building their GDPR compliance.
Device discovery is the act of tracking IT assets deployed across the network. Delivering a full hardware and software asset inventory is step one in an organization’s SAM journey, but it’s also a major first step on the journey toward GDPR compliance. IT departments will have a set of achievements or must-haves when choosing their discovery tool(s), and if mitigating the likelihood of a GDPR breach through undiscovered devices is top of the list, device discovery becomes a valuable, dual-purpose practice.
A spotlight on software is also important. Having a mature SAM program makes it possible to monitor the software each user can access and address whether personal data is necessary for their tasks. This includes both traditional software inventory, or software defined by installation, as well as user-based and subscription software, which is more common now due to BYOD. An audit highlights all devices and key applications being used, making it possible to quickly analyze data and pinpoint potential vulnerabilities. In terms of SAM, users with either direct or indirect access pose a risk of breaking the terms of a licensing agreement, and this can also be the case for GDPR security.
Data lockdown. If personal data is not necessary for business purposes, it should be deleted. If it is necessary, security measures and encryption should be put in place to restrict access only to those who need it. An easy-to-deploy solution means that data remains secure, which is the top GDPR priority.
Organizations with an established process for managing the software lifespan and a mature SAM solution are at a huge advantage, but technical measures that protect privacy must be incorporated in the design of the IT system. Consider conducting a Privacy Impact Assessment if your organization stores employee or client personal information to demonstrate compliance and detect any problems with privacy.
Compliance Starts Here
Taking steps to improve data privacy and protection is not an optional add-on or bonus feature of business, but rather an essential and active area of GDPR compliance. ITAM plays a vital part in this practice while also saving valuable time and resource. It is worth bearing in mind that simply establishing a SAM solution is not the be-all and end-all of GDPR compliance, and that continuous work is needed not only to discover the full IT estate, but also to keep it up to date—just like business operations, software licensing needs to evolve and mature.
ITAM is a key enabler on your journey to GDPR compliance, providing you with complete visibility and a reliable data source to take to your GDPR specialist.
Ben Eagling is the marketing manager for License Dashboard. He has worked as a marketing professional for nine years, with four years spent in the IT sector. Working closely with software and licensing experts within the company, Eagling produces regular content on SAM tools, services, and market insights.
Feb2018, Software Magazine