In this article, we are going to continue looking at GDPR. Last time, we reviewed history and the background of the regulation, exploring its origins and need for existence. This time, we’re going to strike up a new kind of conversation, looking specifically at ICT Infra Support.
What is Infra Support?
When I say Infra, I mean the business vertical of professional services. I am not referring to manufacturing or OEM of hardware. In this case, Infra refers to maintenance and support businesses, as well as help desk and end user support services. Occasionally, these are referred to as managed service providers.
With Infra support, you buy a service and have someone maintain or fix the computer on your behalf.
Infra Support Background
Most companies have someone today trusted with Infra needs. Smaller companies might use the Pekka next door who has some free time here and there. Other companies build out internal IT departments, while others opt to outsource into the gig economy. The problem is that most users don’t know how to use the system or fix it if it’s broken.
What do you do when something happens? You probably call an IT department and rely on their support. The person who answers the phone writes down the information for invoicing and tracking purposes. In ITIL, they may refer back to the CMDB. The information collected is actually telecom identification information: who called, when the call was made, from which number it came, the duration, etc.
Now, imagine a case where your phone logs are published to the telecom provider you work with. It would be a disaster. Why are users not concerned when this is made public? Did you know this?
With ICT Infra Support, the vendor side is now considering this matter. If you have any ideas by the end of the article, please share them in the comments below.
Did you know this? Do you know how the information might end up in an invoice or public report that has been displayed to multiple people?
What is the Data Subject?
Having already discussed the rights of the data subject, I will look at the actual data side of the subject in my next article.
The short answer is that the data subject is YOU and me. GDPR ideology says that the information should be transparent. In many cases, it is, enabling you to browse your tickets and track who did what with them. In that case, someone else is accessing the data again. In my opinion, there should be a visible statement in the vendor agreement stating who is permitted to view the ticket. If this is not the case with your current vendor, I recommend you ask for it.
If we look at it from the CMDB side, if the machine is registered to a certain user, and the tickets are assigned to that machine, how can you just delete the name of the user? The ticket would end up orphaned.
Finally, this is also a matter of reporting. One of my good friends runs reports for the management of a vendor company. I interviewed him on his experiences, and after one hour, he made the conclusion: “Now that you say – I think I need to take this to our coffee table conversation.” In my opinion, even highly-skilled professionals don’t always comply when they should.
Next time, if you are a report user, try to really observe the details. Usually these reporting systems are made so that you can actually organize the data, enabling you to select what you want to see. If you start seeing ticket owners or machine IDs, reflect on it. Are you breaking someone’s right to be anonymous? How anonymous is it to say that a certain person had malware on their workstation because he viewed pages he wasn’t supposed to at his desk?
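The two questions above, how to erase a user without orphaning the tickets tied to their machine, and how to build a management report that does not carry ticket owners or machine IDs, are easier to reason about with a small model in front of you. The following is an added illustration written for this article, not code from the author or from any vendor's CMDB. It assumes a simplified schema (users, assets owned by users, tickets raised against assets) and a made-up user, asset and two tickets; the "pepper" passed to the erasure routine is assumed to be a secret held outside the CMDB. Erasure keeps the user row as a pseudonymous stub so the asset and ticket references stay valid, strips the caller phone number from the ticket history, and the report function returns only aggregate counts. A final check flags a row-level report that still carries identifier columns before anyone displays it.

```python
"""Constructed example: pseudonymized erasure in a CMDB-style ticket model.

Added illustration for this article, not the author's or any vendor's code.
The schema (users -> assets -> tickets) and all sample values are assumed.
"""
from collections import Counter
from dataclasses import dataclass
import hashlib


@dataclass
class User:
    user_id: str
    name: str
    email: str
    phone: str
    erased: bool = False


@dataclass
class Asset:
    asset_id: str
    owner_id: str          # references User.user_id, never the user's name
    site: str


@dataclass
class Ticket:
    ticket_id: str
    asset_id: str          # references Asset.asset_id, not the user directly
    category: str
    opened: str            # YYYY-MM, enough granularity for a management report
    caller_phone: str      # telecom identification information from the call log


class Cmdb:
    def __init__(self):
        self.users = {}
        self.assets = {}
        self.tickets = {}

    def erase_user(self, user_id, pepper):
        """Right-to-erasure: strip direct identifiers but keep the key.

        The User row survives as a pseudonymous stub, so assets and tickets that
        reference it are not orphaned. The pepper (assumed to live outside the
        CMDB) keeps the stub from being re-linked to the person from the CMDB alone.
        """
        user = self.users[user_id]
        token = hashlib.sha256(pepper + user_id.encode()).hexdigest()[:12]
        user.name = f"erased-{token}"
        user.email = ""
        user.phone = ""
        user.erased = True
        # The caller's phone number in the ticket history identifies them as well.
        for ticket in self.tickets.values():
            if self.assets[ticket.asset_id].owner_id == user_id:
                ticket.caller_phone = ""
        return user

    def orphaned_tickets(self):
        """Tickets whose asset, or whose asset's owner, no longer exists."""
        return [t.ticket_id for t in self.tickets.values()
                if t.asset_id not in self.assets
                or self.assets[t.asset_id].owner_id not in self.users]

    def incident_report(self):
        """Management report built only from aggregates: incidents per month,
        site and category. No ticket owner, machine ID or phone number."""
        counts = Counter()
        for t in self.tickets.values():
            site = self.assets[t.asset_id].site
            counts[(t.opened, site, t.category)] += 1
        return dict(counts)


# Column names that directly identify a person or their machine (assumed list).
IDENTIFIER_FIELDS = ("name", "email", "phone", "caller_phone", "asset_id", "owner_id")


def report_contains_identifiers(rows):
    """Check a row-level report before it is displayed: does any row still
    carry a direct identifier column?"""
    return any(any(f in row for f in IDENTIFIER_FIELDS) for row in rows)


def build_sample():
    """Constructed sample data: one user, one workstation, two tickets."""
    db = Cmdb()
    db.users["u1"] = User("u1", "Pekka Example", "pekka@example.invalid", "+358-40-0000000")
    db.assets["ws-001"] = Asset("ws-001", "u1", "Helsinki")
    db.tickets["t1"] = Ticket("t1", "ws-001", "malware", "2018-02", "+358-40-0000000")
    db.tickets["t2"] = Ticket("t2", "ws-001", "password reset", "2018-02", "+358-40-0000000")
    return db


if __name__ == "__main__":
    db = build_sample()
    db.erase_user("u1", b"pepper-held-outside-the-cmdb")
    print("orphaned tickets:", db.orphaned_tickets())
    print("report:", db.incident_report())
```

The design choice worth noting is that erasure replaces identifying fields rather than deleting the row: the foreign keys from asset to user and from ticket to asset are untouched, so the ticket history remains usable for reporting while the person behind it is no longer named. Whether a pseudonymous stub like this satisfies an erasure request in your jurisdiction is a question for your data protection officer, not for the code.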
I could go on for decades. I would love to hear opinions from the ICT Infra business vendors below. What subjects have you found important in your business? Are mobile devices concerning, or is it BYOD that makes it hard to be GDPR compliant?
There are alternatives we should consider, like the encryption of data and access control. First, I thought I should point out how important it is to secure your storage, for example using BitLocker and master passwords. After mulling over the topic, I realize I do not have a solution on how to be compliant with this infrastructure. With access control, there is also no solution. It might be tempting after several reboots to leave the password at the site. You might just have to give some external person access to the data. That’s not a viable option. If you have any good ideas, I am open to listening!
Refer to www.techprivacy.com for more information. I have found it incredibly useful, and I hope that you do.
The next article will be published on Tuesday, the 20th of February. Stick around for my next installment in the GDPR series: GDPR in Business (Softa)!