With big changes on the horizon for all industries in terms of data protection and security, David Chamberlain, General Manager, License Dashboard, discusses Software Asset Management’s role in complying with the EU’s General Data Protection Regulation.
The countdown toward GDPR is on. Friday 25th May marks the enforcement of the EU’s General Data Protection Regulation, and it’s not just IT and Technology sectors that are looking at a complete shift in culture – this will impact every industry, cloud-based or otherwise, that collects, retains, or processes personal data on EU individuals, regardless of physical business location.
In what is being dubbed as the biggest shake-up to the privacy and security landscape, data management will never be the same, with stringent rules on handling personal data, and the subsequent streamlining of its flow inside the European Union.
With the threat of fines of up to 4% of a company’s annual revenue, or €20m (whichever is greater) for non-compliance, the mere mention of GDPR has had some companies quaking in their boots. Indeed, the demand for “accountability” and “transparency” has meant that the often neglected responsibilities that many would assume come as standard in data management are under internal scrutiny. That is, companies are scrambling to reach compliance in time.
Choosing SAM as step one in GDPR compliance
Much of the GDPR advice being published is related to infrastructure – technology management, storage, and server security – which fails to address vital issues surrounding IT Asset Management and Discovery.
After 25th May, if a company is found to be in breach of GDPR, as well as dealing with the fine, there will be questions both internally, and from the GDPR auditors around how the company falls short. The IT Department, or rather the CIO, will be held accountable, and will need to be aware of:
– How many IT devices the company uses
– Which users have access to these devices
– All software/apps deployed on these devices
– Whether these devices are encrypted and how
GDPR means that data privacy and security are no longer an optional add-on, nor a “nice-to-have”, but an essential part of business processes. In order to answer these demands, IT leaders must invest in broader SAM competency and appropriate solutions and services from internal or third-party providers. Companies that suffer a data breach may not even be aware that the source of the breach existed on their network, but a mature SAM process prevents that scenario.
You can’t protect what you don’t know you have
IT Asset Management is a key enabler on the journey to GDPR compliance. It offers full visibility of a company’s IT network as well as a reliable data source to present to a GDPR specialist, and as such, the IT department should now be using it to lead the way in developing a resilient data protection strategy.
Tracking IT Assets: Device discovery will provide a complete hardware and software asset inventory across the network. This is a key part of any Software Asset Management process, but crucially, it paves the way toward GDPR compliance. When choosing its Discovery tool, IT departments can ensure that their shortlist takes GDPR into account, meaning their chosen tool will mitigate the likelihood of non-discovered devices.
Monitoring access: A mature SAM programme will account for all software and all user access including traditional software inventory, and software defined by installation, as well as user-based and subscription software (which is all the more common now due to BYOD). An up-to-date audit will reveal and pinpoint potential vulnerabilities in security, taking into account both direct and indirect access, and address whether any personal data is necessary to complete their tasks.
Locking down data: If the personal data being stored is not necessary for any business purpose, access should be removed, or the data erased altogether. Data encryption and security measures can be put in place if it’s necessary to continue to store the data, meaning only those who truly need access have it. Privacy is confirmed, data is secured, and the number one GDPR priority is met.
Define GDPR policies and procedures by implementing SAM
Software asset management has long been touted as essential in making informed business decisions around IT budgeting and spending within the business as a whole. But the nature of effective SAM means that it exposes flaws in a company’s knowledge of its IT network, highlights potential weak links that could reveal insufficient software licensing, or worse – gaps in security and privacy.
SAM is not a quick fix, but the processes involved make it dual purpose. And although full GDPR compliance before the 25th May deadline seems like a huge task, having evidence of the efforts made to reach GDPR compliance shows a robust, risk-based approach to data security and privacy.