GDPR and IT Service Management – looking at data and service together

The European General Data Protection Regulation has been looming over IT teams for years. Responsibility for GDPR has often been handed to IT security teams to manage because data breaches make up such an essential part of the regulations.

However, other departments will have their own roles and responsibilities to play around meeting GDPR requirements too. Helpdesk and IT service desk teams should be included here as these teams can often hold valuable personal data on customers’ preferences, so they need to be considered as part of any GDPR compliance programme. 

Making sure your service data is included 

GDPR aims to make data as valuable to a company as it is to the individuals concerned. By ascribing a monetary value to customer records, GDPR should encourage all organisations to invest in how they handle data for security and privacy.   

For service desk and helpdesk teams, all records covering customer interactions could fall under the definition of “personal data.” Many companies would have to gather details like name, address, age and previous purchase history, while some may also hold data defined as sensitive by GDPR. For example, any processing of data that would link someone’s identity to their political, religious, gender or ethnic background is specifically prohibited under Article 9 without explicit consent or a strong public interest reason.

Most helpdesks won’t hold such specific information on customers – however, this is a good opportunity to use GDPR as a way to justify any customer data that you do hold. Mapping any personal data stored by the company is therefore an essential starting point for compliance. As part of this, you can assess what personal data is currently held within your service desk application as well as elsewhere within the business, whether there is a legitimate business purpose for its collection, and how it is both protected and retained over time. 

How GDPR will affect ITSM teams – processes to take around customer data

Once this data audit has been completed, it is time to look at how this data is managed over time. This will include checking that appropriate data management and security processes are in place. For service desk and helpdesk teams using their own approaches or internal software to manage customer data, any such system would need encryption and access management technologies added around it. For teams that host customer data with external providers or in the cloud, checking that these same security and privacy mechanisms are in place should also be considered.

For cloud services, physical location of data can be an important item to check as well. Article 44 of GDPR restricts data transferral between organisations to those that are based in specific countries that meet the same criteria for security and privacy controls around individuals’ data. Asking where data is stored in the cloud should help you prove that your approach is compliant with this mandatory requirement. 

How GDPR can add more workload around customer data management

Another area where GDPR can put more work on service desk and helpdesk teams is around the rights of data subjects. Under Articles 12 to 23 of GDPR, each individual can ask for copies of all records that refer to them, as well as for those records to be rectified or not to be used in the future. Individuals also have the right to be forgotten, where all data on them has to be deleted if they are no longer using a service and there is no legitimate reason for that data to be kept.

For customer service teams, these requests may come from customers directly or be part of wider GDPR record management requests. Either way, collecting and providing these records may be an additional overhead to consider. 

Lastly, all service desk and helpdesk teams will have to complete their own records on their processes around handling and managing customer data in the future. Under Article 30, it is mandatory for helpdesks to provide proof that teams have put together their own documentation and are following those processes. Companies also have to carry out Data Protection Impact Assessments (DPIAs) that help them understand the potential impacts on customer privacy and meet their requirements. Gathering all this material together will be essential to demonstrate that a Privacy By Design approach is in place. 

How GDPR can be used over time to increase customer focus 

There are many more rules and requirements in place around data privacy for customers. However, these elements are not designed to prevent companies from carrying out their day-to-day activities. Instead, they aim to help companies manage customer data effectively and with the best interests of those customers in mind. 

For service desk and helpdesk teams, this should be second nature already – after all, they are designed to help customers from the start. However, this emphasis on valuing customer data and security can help improve processes overall. 

New customer support channels – from online live chat through to new chatbots powered by AI or accessed via voice assistants – can be added alongside more traditional channels. Each of these channels will depend on the quality of data being stored centrally and used for analysis. Making it clear that customer data is used in this way to improve services should be part of any first interaction. 

This element of analytics should be included in consent requests, as all activities around customer data have to be made clear to consumers. For business-to-business organisations or public sector bodies, other justifications for this processing of customer data may be equally valid, but many companies may find it easier to get upfront, clear and informed consent for processing customer data.

GDPR is the most recent revision to directives around data privacy and security. These regulations will themselves be updated to keep up with changes in technology, in processes and in how people expect businesses to behave around their data. GDPR has made a difference already to how data is perceived, due to the potential fines that can be levied on non-compliant businesses.   

GDPR is a start for many more initiatives towards privacy and security of data. For service desk and helpdesk teams involved with customer data every day, these elements will affect how service is delivered and tracked over time. However, these processes should not be seen as blocking teams from delivering good service; indeed, delivering quality service and customer value should go hand-in-hand with the increased emphasis on protecting individuals’ rights to privacy, security and protection around their data. 

Simon Johnson, General Manager UKI at Freshworks 
