ITSM & GDPR - Is Your Business Ready?

Written by

All companies which use IT Service Management (ITSM), whether controlled internally or outsourced to third party processors, will be bound by a new set of data protection regulations, the General European Data Protection Regulations (GDPR), which comes into effect on 25 May 2018.

The new law enforces even stricter rules than the existing Data Protection Act for storing and transferring EU citizens’ personal data.

GDPR will have direct impact on ITSM users once it comes into force, of which you now have less than one year to prepare. However it’s not quite the quick fix that many ITSM users and suppliers are hoping for. Start now, and you may be compliant just in time; start later at your own peril, as all organizations will also be required to prove compliance and provide all the necessary documentation or risk significant fines.

One of the main changes of GDPR to ITSM users is that their suppliers will now be jointly liable for any data breach. This means that all businesses handling personal data will need to overhaul their policies, processes and procedures, including ITSM, to prepare for GDPR before it comes into effect.

Impact of GDPR on ITSM

All organizations using ITSM will need to provide specific awareness, education and training for all data handlers as a starting point. This is a highly-complex and timely process, affecting hundreds if not thousands of staff depending on the size of the organization, and needs to address all possible incidents that may contain sensitive data by safeguarding processes and risk assessments.

It gets further complicated for organizations using free format text fields, as they will now be required to provide extra training and support for their service desks so they can properly examine the input of data and scrub any personal or sensitive data. This will be a laborious manual process.

ITSM users will also need to have a transparent policy for request management, a policy on the collection of personal data that is held in Incident and Change Management, as well as carrying out regular performance surveys which under the new regulation will require explicit consent from the users who will be chosen.

In addition, explicit consent will be required from users who are likely to raise incidents or authorize or implement changes, with very careful consideration going into the process of what can be entered into the free text fields.

Furthermore, there will also be significant impact on the ownership of IT assets in configuration and asset management, as asset owner’s name, job title and email address are all present in both of these modules.

Data Compliance for ITSM

ITSM contains lots of personal data, thus requiring many adjustments for GDPR compliance. Any data, changes and requests that can identify a natural living person is affected by the upcoming legislation, and as extraction tools and Integrations are very common with core ITSM applications, currently very little thought is given about data privacy. GDPR will expose this functionality.


As mentioned, there will be hefty fines for any data breaches, and now the legal recourse for breaches includes both processors and third-party suppliers. A lot of ITSM tools are cloud based, so non-compliance can also affect cloud computing and storage suppliers, which adds increased layers of complexity. Besides the potential fines, the adverse publicity and reputation of the brand will likely be affected, losing the trust of customers, suppliers and even employees.

Ultimately, ITSM and how it integrates across all organizations needs to be focused 100% on privacy by design and default going forward.


Once GDPR comes into place, personal data can only be able to be gathered legally under strict conditions; not only will the regulations require persons or organizations which collect and manage personal information to ensure the protection of the data from misuse, but to also respect the rights of the data owners which are guaranteed by the EU law.

GDPR will likely affect ITSM users in the following ways:

Increased Territorial Scope

Any business outside EU collecting personal data about EU Citizens is now in scope

Tougher Sanctions

€10M or up to 2% of Global Turnover. €20M or up to 4% Turnover for serious breaches

Wider Data Scope

Online identifiers, genetic and biometric data

Wider Supplier Scope 

Data Controllers and processors will be under scrutiny. Joint Liability

Data Breach Notification

Mandatory to report certain data breaches to the supervisory authority without undue delay or within 72 Hours

More Individual Rights 

Rights to rectification, rights to be forgotten, subject access requests, automated processing and profiling, right to object, right to data portability

Mandatory appointment of Data Protection Officer

Public Bodies, processing special categories of data, large scale systematic monitoring of public areas

Consent and Lawful Processing

More stringent principles for consent and lawful processing

International Transfers

More stringent scope

Accountability and Governance

Mandatory documented evidence of compliance

Subject Access Requests

Non-Chargeable and 30 day limit on response


Some large corporations have already begun their journey to compliance, mainly focusing on their HR and marketing databases, however there has been little or no focus to the ITSM toolsets.

While GDPR brings many wholesale changes to the way data is used, ITSM has its own niche issues that businesses can’t approach as an afterthought. With only one year to go, ITSM users and suppliers need to take ownership for change now, otherwise risk the considerable fine if non-compliant.

What’s hot on Infosecurity Magazine?