Hopefully you are familiar with the IT impacts of the General Data Protection Regulation, more commonly known as GDPR. This new regulation out of the EU takes effect May 25th, 2018, and will permanently impact how data is managed and stored by companies. It has been compared to the Sarbanes-Oxley Act in terms of global impact on business, even on countries not in the European Union. Any company that handles GDPR-affected data, not just companies based in the EU, will have to comply with the new GDPR standards for data usage, protection, collection, and management. When I recently attended the largest global ITAM conference (IAITAM ACE) in May, GDPR was at the top of the list of topics discussed; clearly for good reason!
While this change will mean greater data protection for EU citizens, it has companies scrambling to make sure they are compliant before the effective date next spring. The penalties for breaching the new regulations are severe: the maximum fines run up to four percent of annual revenue or 20M euros (whichever is greater). However, there is a tiered approach to the penalties, and less serious penalties have lower fines.
The majority of the technological focus for GDPR preparation and transformation has revolved around storage and server security or software security and infrastructure management, as it rightfully should. But what about the role of IT Asset Management and Discovery in the GDPR transformation process? It is a crucial piece of the GDPR puzzle, and should be considered as important as any other step in preparation.
For example, let’s fast forward to 2018 and pretend there has just been a security breach at your company, and the senior management team and GDPR auditors are looking for answers. If you are an asset manager, you will be responsible for understanding:
What devices you have
Who has access to these devices
Where they are
What software and applications are installed on them
If they are encrypted
It could lead to a breach in GDPR data protection if you can’t answer questions about these criteria!
You cannot protect and encrypt what you do not know you have
This process starts with comprehensive discovery of hardware and software assets, and the complexities of discovering software licenses make this process even more difficult. There are few large enterprise companies today that have 100 percent visibility into the devices they use, particularly with the knowledge of who has access to them and what software and applications are installed. The larger the percentage of devices that are not discovered correctly, the greater the risk of a breach of GDPR regulations. HPE Universal Discovery offers agentless, agent-based, or hybrid discovery capabilities to maximize the breadth and depth (particularly around SAM) of the asset information available, gathered in the most efficient manner for your organization.
Once your assets are discovered, using an asset management tool to track usage statistics, licenses, and access ensures that you know who has access to what within your company. This knowledge lays the foundation for the recommendations of the GDPR around data encryption and general protection.