ITSM

GDPR and Data Security in ITSM

April 2, 2018

GDPR and Data Security in ITSM

In under two months, the EU’s General Data Protection Regulation (GDPR) will be enforceable. Naturally, discussion and compliance concern has increased across technology and business as the deadline approaches, and rightfully so. Laws around data protection are tightening in Europe, so organizations will bear more responsibility for personal data security, and it’s not far-fetched to imagine similar regulations for the rest of the world in the near future. Personal data is a huge part of creating maximum employee and customer service through ITSM, so it’s a good time to start asking questions about data compliance and protection within your organization.

First, it’s important to recognize that while GDPR will only officially protect personal data of people from the EU, organizations throughout the world obviously want their employees to feel comfortable about how their personal data is used, shared, and protected — whether legally obligated or not. For the modern organization, that ties directly to service management, which tracks the services, devices, applications, and business tools they use. Today’s service management platform leverages all that data to automate services and provide personalized, efficient service resources to help employees do their jobs. This data is the lynchpin to employee service strategy, so employers need to treat it with extreme care.

Today’s employees, whether from the EU or not, will have concerns about how employers use this data. Here are some things to keep in mind when evaluating your ITSM platform for data protection:

Controller vs Processor

In a B2B relationship (in this case, an organization and its ITSM vendor), GDPR defines two roles in data protection: controllers and processors. Controllers essentially “own” the personal data, and processors enable the controllers to do something with that data.

In the case of ITSM, the organization is the controller. In other words, it collects and “owns” employee data. The ITSM vendor is the processor, enabling the organization to use that data to better resolve incidents, fulfill service requests, rollout changes, manage assets, etc.

As a processor, your ITSM vendor is responsible for assisting you as you satisfy employee demands about their personal data. If an employee doesn’t want certain information or activity logged into, say, Samanage, then Samanage will make that request possible.

Compliance Certifications

There is no single certification that covers GDPR entirely, but there are certifications and protocols that help processors meet GDPR requirements.

  1. ISO27001 is the best standard for an information security management system (ISMS). This certification is an acknowledgement of an organization’s ability to keep data assets secure, which includes financial information, intellectual property, and employee personal details — all of which can apply in ITSM.  
  2. SOC 2 compliance recognizes that security and processing integrity at a service organization are up to the standard set by the AICPA.
  3. US-EU and Swiss Privacy Shield compliance acknowledges that a third party meets data protection requirements when transferring personal data from the European Union to the United States.

These frameworks, certifications, and best practices will not only help organizations remain GDPR compliant, but they’ll help guarantee that their employees’ personal data is used responsibly. You should ask your ITSM vendor what certifications or credentials it possesses to ensure personal data is safe.

*Samanage has been fully compliant with all of these certifications for three years.

Data Security For Everyone

What if an employee is a citizen of the United States, but works in Germany? What if an Italian citizen works in China? Are these individuals protected under the GDPR regulations?

There are countless scenarios and legal answers to all of them, but for ITSM vendors, the simpler solution is to treat all customers (and their users) to maximum data protection in compliance with GDPR. Any protection that a employee service platform is required to provide according to GDPR can be provided to any individual user.

Samanage currently maintains all certifications currently available for GDPR compliance. As the regulation evolves, we will continue to take any and all necessary measures to maintain compliance. For more on Samanage data protection and data security regulations, click here, or contact trust@samanage.com.

New Call-to-action hbspt.cta.load(41925, ‘7e589eb8-ead8-4ceb-ac0f-946a7b97b1aa’, {});


Danielle is the Senior Director, Marketing, ITSM at SolarWinds. She has wide-ranging experience in content production, social media marketing, public relations, and brand messaging. Her happy place is sitting by the lake with a cold beverage in hand, with the occasional water ski session.