by Sunil Mohal, SAS Management Inc
When an organization operates a centralized point of engagement with its customers, we typically refer to that point as a Service Desk, a Call Centre or a Contact Centre. Quite often these terms are casually interchanged. From a Service Management perspective, the Service Desk “is the primary point of contact between users and an IT Organization”. For purposes of this brief article we will refer to all such contact points as the “Service Desk”.
To start with you need to understand the key terms:
- Data Controller – The person(s) responsible for deciding what needs to be processed and why. (Article 4(7) GDPR)
- Data Processor – The person(s) responsible for processing the data in accordance with the data controller's instructions. (Article 4(8) GDPR)
- Data Subjects – The individual(s) to whom the data being processed relates. (Article 4(1) GDPR)
Typically, an inbound Service Desk is one where customers dial in or seek clarification with regard to products or services. An outbound Service Desk would be operated for market research, telemarketing, solicitation, debt collection or a myriad of other such functions. The common point is evident: personal data is extensively processed across all call centres.
The GDPR definitions are wide ranging. Data processing is defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”, including, but not limited to:
- Adaptation or alteration
- Disclosure by transmission
- Dissemination or otherwise making available
- Erasure or destruction (Article 4(2) GDPR)
Effectively, as soon as the information hits your Service Management tool it is deemed to have been processed. When you perform any activity based on that data, further processing has taken place. Note that the processing can be manual; so even making a phone call based on recorded information, such as the contact's phone number, and subsequently updating the ticket counts as processing.
The handling of personal data is not without its risks. In service desks, where the very business revolves around the handling and processing of data, the threat of a data breach is very high. “The number one greatest cyber threat to a business is their very own employees,” said Darren Guccione, CEO and cofounder of Keeper Security, Inc. Some of the findings of the Keeper Security and Ponemon Institute 2017 report are as follows:
- Negligent employees are the no. 1 cause of data breaches at small and medium-sized businesses (SMBs) across North America and the UK, with 54% of IT professionals reporting that careless workers were the root cause of cybersecurity incidents.
- The average cost of a cyber breach due to damage or theft of IT assets and infrastructure now exceeds $1 million.
Now add regulation which penalizes data breaches with very heavy fines, and the risk escalates significantly. With the introduction of GDPR, the General Data Protection Regulation, we see such a situation arising. GDPR, or Regulation (EU) 2016/679, has been created by the European Parliament and Council to strengthen and unify data privacy for EU data subjects as well as to regulate the international transfer of their data.
The aim of GDPR is to protect all EU data subjects from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 EU Data Protection Directive was first established. Although the key principles of data privacy carry over from the previous directive, many changes have been made to the regulatory policies, including extra-territorial scope in its provisions. To ensure that Service Desks achieve compliance, several measures need to be undertaken, amongst them:
- Understand and record what personal data the service desk uses. You are required to record any personal data you process, for what purpose, who you share it with, and how you plan to keep in line with the regulations.
- Clarify how the service desk uses this data.
- How do you process this data, and what do you use it for?
- Who can access the data you hold, and have they been trained to understand their obligations under GDPR?
- How do you maintain the data? What checks do you have to ensure it is accurate? How long do you keep it for?
- How will your service desk respond to requests from data subjects?
- Data Protection and Privacy Policies and Procedures need to be reviewed, approved and implemented.
- A Data Privacy Impact Analysis (DPIA), along with an Information Security Assessment, to determine the risk where processing exposes the data subject to significant risk.
- Supplier/Third Party agreements, Non-Disclosure Agreements and the Employee Code of Conduct need to have clauses covering GDPR.
- Corrective actions to the legal, organizational and IT security processes, documents and controls, including third-party controls, need to be implemented.
With reference to GDPR, some more specific areas to be covered:
- As a “Processor”, have systems in place to notify any data breach to the controller without undue delay, and within stipulated timelines.
- Appoint a DPO where processing sensitive personal data or undertaking systematic monitoring of data subjects on a large scale.
- Privacy Notices must be reviewed in reference to “Complaint of GDPR breach” (Articles 6 & 13). Ensure that PBAs are in place.
- Information Security Review in reference to Data Breaches & Security (Articles 32-34).
- Contracts to be reviewed, such as for “Third Party Data Breaches” (Articles 24-31).
- Customer Processes to be reviewed in reference to “Complaint of GDPR breach” (Articles 6 & 13), including maintenance of “PBRs or Privacy Breach Registers”.
An ITSM tool contains a lot of personal data, and therefore there are many considerations to be addressed for an IT department to be GDPR compliant. Any data, changes and requests relating to an individual will be affected by the legislation, especially as a result of frequent integrations with other systems and methods of extracting data. GDPR will expose the fact that, currently, very little thought is given to data privacy.
It is essential that all members of the ITSM team, especially the IT Service Desk, are provided with specific awareness, education and training in GDPR and its implications for the way that they handle sensitive personal data and use it as part of their roles. Training staff on GDPR awareness, especially with regard to “Personal Data Rights”, is imperative so that they can take appropriate action if any requests related to personal data come in to an Agent, for example:
- Art 16 (Right to Rectification)
- Art 17 (Right to Erasure)
- Art 18 (Right to Restriction)
- Art 20 (Right to Portability)
- Art 19, Recital 66 (Right to be Forgotten)
It must be noted that if any organization or business anywhere in the world suffers a data breach, it could be liable for enhanced fines for non-compliance of up to 20 million Euro or 4% of global turnover if it deals with the data of EU individuals.
For the Service Desk, awareness of GDPR and adherence to it involve a lot of work, but that work is crucial to being able to claim GDPR compliance. The organization has to ensure that it understands what data the service desk controls, how it processes this data, how it protects the data, what gives it the right to use this data, and how it is going to respond to requests from users. Once it understands all of this, it will need to train all its service desk agents so that they know what they need to do and are ready to do the right thing to comply with the law. Otherwise the organization runs the risk of penalties, loss of business and damage to its reputation due to breaches of compliance.
Want to know more?
See Sunil present at Shine18 – the free, online ITSM conference: