The European Union General Data Protection Regulation (GDPR) will apply from 25 May 2018. That means time is running short for any organisation doing business in or with the EU, and holding or processing personal data of EU citizens to comply with the strict new data privacy laws, even if those organisations themselves are not based in the EU.
GDPR is expected to lay a solid groundwork for a uniform standard of consumer rights regarding their personal data, replacing existing data protection rules. The introduction of harmonised data protection laws is intended to build greater consumer trust in online services.
GDPR and APP Entities
Australian organizations of all sizes may need to take immediate action to make certain that they are capturing, monitoring, storing, and protecting, all personally identifiable information of EU residents in line with GDPR, or risk facing stark penalties for noncompliance. These fines can be anything up to €20 million (approx AU$31 million) or 4 percent of the company's annual global turnover, whichever sum is greater.
Australian businesses covered by the Australian Privacy Act 1988 (APP entities), may still need to comply with the GDPR if they:
- have an establishment in the EU (regardless of whether or not personal data is processed in the EU), or
- do not have an establishment in the EU, but offer products and services or monitor the behaviour of individuals in the EU.
GDPR takes a wide stance on what qualifies as personal identification information - protection of a user’s IP addresses or cookie data is just as necessary as protecting their name and address. Many organisations will have resources stretched as they implement systems and processes to comply, a matter only exacerbated by the ambiguous rules, which are still open to much interpretation. GDPR guidelines, for example, state that companies must provide a “reasonable” level of protection for personal data, but does not explicitly define what constitutes “reasonable.” This leaves GDPR governing bodies with a wide margin for assessment when it comes to issuing fines for noncompliance or data breaches.
Preparation for compliance, then, will no doubt mount a burdening pressure on the shoulders of security teams who will be forced to know their entire IT estate inside out, leaving no device, no user, and no software instance unturned.
How Software Asset Management (SAM) helps GDPR compliance
With digital transformation technologies and trends on the rise - such as cloud computing, shadow IT, mobility, BYOD, and IoT - the lines of the traditional IT environment and network infrastructure have become increasingly blurred. If organisations are in the dark about the software they own, deploy, and use, they will risk falling short of the full protection required, leaving themselves vulnerable to data breaches and security threats. SAM, or Software Asset Management, is designed to help organisations uncover and better understand their IT network.
In the unfortunate event of a company experiencing a major data breach, affecting a large quantity of customer data, the ITAM Manager may be called forward and left facing the following questions to help resolve the issue;
- “How many devices (PCs, laptops, mobiles, tablets, servers) does the organization own?”
- “Where are these devices located, and who has access to them?”
- “What software and applications are installed on which devices and who accesses and uses them?”
Given the vast amount of technology and records held within most organisations today, the average ITAM Manager could be hard pressed to accurately answer all of these questions. This is hardly acceptable as the current data protection laws stand, however, stricter data protection rules via GDPR will add more fuel to the fire, leading to major implications for those responsible for IT and software asset management.
Data cannot be protected if its location is unknown, and that’s why having an awareness of, and understanding the organisation's entire IT estate is a major first step toward its GDPR compliance. SAM will provide visibility of devices, users, and applications; on premises, in the cloud, or mobile. Once devices have been discovered, their data can be fully encrypted against malicious attackers and thieves.
Network Inventory Discovery
The fewer the number of non-discovered devices on a network, the lesser the risk of a GDPR breach. Full asset visibility can be obtained via a full inventory of hardware and software. With this knowledge, preventing and disabling the use of unknown, outdated, suspect, or even malicious applications becomes a straightforward process, ensuring that only authorised devices, software, and users have a place within the IT network.
Who Holds What?
A SAM tool can deliver a real-time snapshot of the IT estate, revealing which employees are accessing which software, applications, and programs,. Creating an additional layer of security enables companies to thoroughly inspect the usage data in the event of a security breach (these are often started internally), and having complete visibility, plus a reliable data source, to take to your GDPR specialist makes SAM a key enabler in compliance. System Clear Out
Personal data relating to business use should only be accessible to those employees who truly need it. Access should be restricted for those who do not.
A mature SAM Solution helps prepare for GDPR
SAM deployment will help to flag any areas lacking in appropriate GDPR security controls creating a clear view of where data is located, who is using it, and how it is being protected. With detailed consideration, the above data and insights can help to inform decision making processes and risk management strategies:
● Do software versions need to be updated?
● Are there devices and applications that are vulnerable to cyber crime?
● Do Software Usage Policies need reviewing?
In the run-up to GDPR, any business dealing with personal data of EU citizens should be taking steps to implement a strategy for compliance. To mitigate the risk of a security breach, there has never been a better time to leverage the advantages of Software Asset Management.
Through introducing discovery and inventory, SAM will aid reinforced security protocols, significantly improving an organisation's data, software, and system protection capabilities, helping to prevent vulnerabilities and risk.
About the Author
Ben has worked as a marketing professional for nine years, with four years spent in the IT sector. Working closely with software and licensing experts within License Dashboard, Ben produces regular content on Software Asset Management tools, services and market insights.