ITAM and GDPR / Data Protection - What are they key issues?

Can anyone share examples of where they have come across GDPR issues in relation to ITAM and what you’ve done about them. Similarly, I would be keen to know if there are any subjects around GDPR that you are curious about.

For example:

  • Data stored in software and hardware registers

  • Data sharing with third parties

  • Data sharing during the audit process

  • Differences in approaches for personal devices

  • Anonymising data and auditor requirements

  • ITAM and Data sovereignty

  • Data stored on devices out of service (e.g. Stock, ITAD etc)
    Etc

Any pointers would be appreciated.

Thanks

Martin

first off, this is me talking for myself, not my employer…
GDPR has become quite an issue, particularly around audits. First we need to understand what is considered personal data; I work on the basis that anything that can identify a user or computer (client or server) that is used by a single user is covered. So thats email addresses, user login IDs, user real names, computer names, IP addresses, MAC addresses etc. Even if any of these are masked individually, that is still very likely to be considered to be personal data. Data that can identify multi user servers is generally not considered personal data.

In general, for service providers, the customer is the data controller, we service providers are data processors and as long as everyone understands the obligations and risks here its pretty manageable.

For audits involving 2 parties (ie Customer and vendor), the situation is a bit more complicated, but again manageable. The vendor can see all data collected, can act as a controller in its own right etc.

Where it can get complicated is in cases with 3rd party auditors. If the auditor will agree to be a processor on the customer’s behalf, this isn’t too bad, but where we see people getting bogged down is where the vendor is the data controller, and auditor is data processor on their behalf. As the vendor will only see the final report, not the collected data, it is pretty much impossible for them to fulfil their obligations under GDPR; particularly around fulfiling data access requests/ privacy notifications etc.

1 Like