EnglishLeider ist der Eintrag nur auf English verfügbar. For the sake of viewer convenience, the content is shown below in the alternative language. You may click the link to switch the active language.
When you’re involved in IT&SAM in Europe you have probably heard of the new General Data Protection Regulation. In this post, I’d like to shine some light on how this new ruleset affects your job, and how you should adapt to it. When you’re in IT&SAM outside of the EC you will be affected (maybe) less. When you’re in an organization that’s acting global, and in the EC, you must navigate between various regulations that are valid in different parts of the world.
As SAM practitioners may involve internal staff, sometimes hired experts or employees of a SAM service provider, it’s of the highest priority to find out what role you have according the new GDPR. And at times there will be a combination of roles, between data processor and/or data controller.
First you need to know that the regulation started on May 18th of this year (2016) in Europe, and will be effective as of May 25th, 2018. In the meantime, organizations have time to adapt to the new regulation, train people, assign accountable and responsible. Last week I read that it was to be expected that between 26.00 and 74.000 new Data Protection Officers will need to be added in organizations, in the years to come.
As IT&Software Asset manager you’re using lots of data sources. Incorporated in some of these sources is personal information and other data that is subject to the new GDPR. And it doesn’t matter anymore if your part of the data controlling organization or a service provider, or any other function. If you’re handling GDPR affected data, you need to comply!
One of the things I’m wondering about is how the GDPR will affect the possibility to check named license models, as part of the data to be checked is now under even more strict ruling. If you want more information on this I can recommend the audit monitor training of In2SAM (soon you’ll see the online version in collaboration with ITAMReview) where a central part is on this subject.
A few hints on the new GDPR:
The GDPR applies to all companies worldwide that process personal data of European Union Citizens. This means that when you’re handling personal data (according the European standard) of European citizen’s you must act according the new regulation. And since license, Software and IT Asset managers and administrators are handling often data about the usage of software connected to usernames that in most situations can be related to natural persons, you are affected by this new regulation. Since the fines for not following regulation can be exorbitant high for misconducting organizations you must take notice of the GDPR and act accordingly.
The GDPR widens the definition of personal data. That means that the harshest local laws are met in this regulation and with that there’s more added to the topic of personal data. However, there’s more than one category of personal data;
- Personal Data
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. {Art.4(1)}
- Sensitive Personal Data
“Sensitive Personal Data” are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence). {Rec.10, 34, 35, 51; Art.9(1)}
- Data relating to criminal offences
Data relating to criminal offences and convictions may only be processed by national authorities. National law may provide derogations, subject to suitable safeguards. A comprehensive register of criminal offences may only be kept by the responsible national authority. {Rec. 19, 50, 73, 80, 91, 97; Art.10} {in Denmark this data is noted as semi-sensitive}
- Anonymous data
The GDPR does not apply to data that are rendered anonymous in such a way that individuals cannot be identified from the data. {Rec.26}
- pseudonymous data
Pseudonymous data are still treated as personal data because they enable the identification of indiv
iduals (albeit via a key). However, if the “key” that enables re‑identification of individuals is kept separate and secure, the risks associated with pseudonymous data are likely to be lower, and so the levels of protection required for those data are likely to be lower. {Rec.26, 28-29, 75, 78, 156; Art.4(5), 6(4)(e), 25(1), 32(1)(a), 40(2)(d), 89(1)}
- Data concerning health
“Data concerning health” means personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status. It expressly covers both physical and mental health. {Rec. 35, 53-54; Art.4(15)}
Prove the validity of a consent for using personal information. When you want to make use of personal information you’re obliged to show that you have consent from the person that the information concerns. And you must make sure that you can show that this person fully understands where he or she gave consent for. In other words, you need to have simple explanations ready on how you’re going to gather data, where it will be used for and how long and where it will be stored. So finally, the good IT&SAM expert who’s able to translate complicated contracts to simple wordings will be able to communicate why the organization needs all this data containing personal information of the employees.
The GDPR introduces mandatory Privacy Impact Assessments (PIA’s). Under the influence of the UK’s Information Commissioner’s office the PIA’s where included in the GDPR. 
The GDPR requires data controllers to conduct PIA’s where privacy risks are higher than normal to minimize risks to the data subjects. So, that means that even before a new project starts a personal information assessment is necessary and closely work with the DPO for that project (and almost every IT&SAM project requires data that is either personal or tends to be)
The GDPR introduces a common data breach notification requirement. This is a very restrictive enforceable data handling principle, as the GDPR harmonizes most data breach notification laws we know in Europe. It aims to constant monitoring for possible breaches by all organizations. Any data breach must be notified within 72 hours of discovery. Therefore, you’ll need technology and processes in place to detect and respond. (think of internal employee training, assess the security policies). Every IT&SAM specialist needs to be aware of the risks connected to his data and how to mitigate them.
The GDPR introduces the right to be forgotten. One of the distinct principles that GDPR introduces is a very restrictive, enforceable data handling. For example, the data minimisation principle, that pushes organizations to hold data for no longer than necessary. It also may not change the purpose of the data for what it was originally collected. At Any Time, the data must be deleted at the request of the data subject. So, getting one consent for gathering data and then alter the purpose or the type of collection is not allowed. So, if you’re running a discovery system you’ll need to rethink a very broad and solid purpose for collection of data and get consent from every individual first!
Privacy by design. This means that systems and processes must be designed with privacy rules and data protection rules taken into consideration. There must be a possibility to erase personal data from a process/system when requested. This will be a rule for software & processes in the future. So, if that isn’t foreseen in the current version, alterations are necessary to comply with the principles of data protection!
One stop shop introduction. Until recently Ireland was a safe haven for lots of IT organizations because of the easier follow up on data protection rules. The GDPR now will act towards any organization anywhere in the world. So, when you look at software publisher audits, the dispute on where problems regarding the request for data were to be settled in a court already stated in the contract, there’s now an easier way.
The GDPR expands the liability beyond the data controllers
In the past only data controllers were responsible for data processing activities. The GDPR extends liability to all organizations that handle, process or even touch personal data. This is very well the fact for service providers, but also software auditors (and the software publishers) must deal with this new GDPR.
All above has a certain impact on the way the IT&SAM specialist should do his or her work. You’ll need to rethink your strategy and activities if the data you’re handling is under the effect of the GDPR. If so you need to look at policies, technology and processes to make sure that data breaches can be avoided. And for my UK colleagues: Britain has decided to adopt the GDPR (even after an eventual Brexit) so we need to work out Best Practices together. This is also a fact for our other non-EU colleagues working at global organizations with EU branches or BU’s. But hey, we’re already able to understand the metrics and logic of license models, we will bridge this obstacle with the ingenuity we’re known for!