GDPR: has your service desk covered everything?
Although GDPR has finally arrived, the fallout may take some time to be felt. So the question is this: has your service desk checked all the GDPR boxes?
Although the new EU General Data Protection Regulation (GDPR) has now become a reality, failure to comply may not be obvious until a much later date - potentially at the point when fines are issued. Just because the deadline has passed, don't assume GDPR is 'over'. In fact, this is just the start of a new body of rules that will change the way your service desk deals with data forever.
Your final checklist starts with taking responsibility. Just because you have a security/compliance team, don’t assume they have covered off all of GDPR.
Key elements to check
Very broadly, GDPR is designed to protect personal data. The service desk, it goes without saying, holds a lot of personal data. Therefore you need to think about two elements:
1) What personal data do you hold relating to customers - internal and external?
2) How do you use this data?
In terms of point 1), be thorough. It’s not just referring to addresses and personal phone numbers held by the service desk. You may hold data related to employees previous employees or personal devices owned. This is especially critical to examine in cases where there is a crossover between the service desk and other business functions such as HR. Don’t assume these data sources are ring-fenced, you must check how they integrate.
Crucially on point 2), you must be able to prove the process governing customer information and what happens to this data once you capture it. This is the aspect of GDPR which is most often discussed and largely well-understood now. However - and it’s important to repeat this advice - don’t be complacent and assume someone else is handling this. Make sure you have conducted your own checks and if in doubt, seek professional advice.
However, there is another important factor involving GDPR that could have been neglected so far.
Data and software
It’s natural that service desk managers think of their service desk or ITSM software in the context of GDPR. But IT estates are much bigger than the service desk. Every business relies on multiple systems to manage daily operations. Each of these systems stores varying amounts of data in varying ways.
Assessing the data held and the process surrounding it is not a huge problem. The problem is often identifying what software, systems and data are used by the business. The tech ‘sprawl’ of the average business is now great. Don’t assume that just because a system is used by another department, the service desk is immune. If your service desk has some integration, it may share data sources.
The way to solve this is rigorous asset management. It may entail going back to one of the basic tenets of ITIL but asset management is critical to ensure GDPR processes are robust. Service desks commonly struggle with assets because either their service desk doesn’t support asset management or it is an expensive module or add-on that doesn’t easily integrate with the core service desk.
Richmond ServiceDesk customers are at an advantage because asset management is built into the core product - there’s no need for an extra module or customisation.
If you are concerned about asset management and want some impartial advice on this topic or service desk GDPR, please get in touch.