When I first heard about the GDPR I naively thought it would rid me of a lot of unwanted PPI calls. To some extent it has, but it has simply replaced them with a fountain of consent emails that I am now ignoring. My inbox is looking healthier, but I can’t help feeling that the real intent of the regulation has been lost on the people who really need to change.
So I wanted to share my thoughts on what any ServiceNow owner should be thinking about to ensure they aren’t the reason the ICO comes knocking on the door.
ServiceNow will have Personal Data (PD) within it, although the exact amount will vary. You are therefore responsible for how that data is used and secured. And because ServiceNow is incredibly capable at being the system of action and integrating with other systems, what you have is the GDPR equivalent of a leaky bucket: personal data can easily be moved somewhere else. All it would take is for someone to create a simple notification that sends personal information to a recipient outside the EU, and you would need to be talking to your Data Protection Officer (DPO). Or a new REST API that... you get the idea.
So, short of stopping all development on the platform, what should you do? One approach is to use the quality controls you already have in place as part of your SDLC. If you can anticipate the challenge at the requirements stage, then the required safeguards and security measures can be baked in.
Defence in depth is always a good idea, so you need to catch these things during code review too, or better yet educate the developers so they question what they build in the ways the regulation expects... do I really need their passport number in this holiday approval email?
There are technical solutions to find personal data and track it, but those are best suited to catching mistakes that have already happened, because they can’t find data that isn’t there yet.
As Nelson Mandela once said, “Education is the most powerful weapon which you can use to change the world.” So go and ask your team what they are doing every day to look after personal data. If they shake their heads, get them educated on what GDPR is all about. We all have a legitimate interest in getting this right. (I couldn’t resist at least one pun...)