Reporting for GDPR compliance: do you know everything you have?

In this series of articles, Darron Gibbard of Qualys goes through the reporting processes that companies will have to adopt to keep compliant with GDPR. In this piece, he looks at the first building block for success: accurate records on your IT assets.

GDPR has been in force for several months. However, it’s important to bear in mind that GDPR is not something that can ever be called “done.” For security and data privacy teams, keeping processes compliant will be “business as usual” for the foreseeable future. To help this effort, there are some simple reports you should run regularly to demonstrate your compliance efforts are keeping you where you want to be.

This first example is the IT asset inventory. This report provides an overview of all the places where customer data may be physically stored, from central applications through to copies on individual endpoint devices. Without this list, it is difficult for compliance teams to map where data covered by GDPR might be stored. Alongside this list of assets should be a record of who within the organisation is responsible for each one.

However, this list will not be static. Any IT asset inventory will have to be continually updated with new devices or staff members added over time. Similarly, data handling processes may change as new applications get implemented or new services are used to store customer records.

You should therefore review your operational processes for how data is handled on a regular basis. This review covers how you protect EU residents’ personal data against loss, unauthorised access or disclosure, and how you keep those protection processes up to date over time.

An IT asset inventory report will help you understand how well your IT security and data protection processes are performing, as well as how you track these assets over time. This involves checking your existing IT assets and how up to date and secure they are. By showing that your software and hardware assets are patched and current, you can demonstrate that you are taking customer data security seriously.

Your initial IT inventory will change over time as new devices get bought, software gets updated, and older PCs are scrapped. By continuously tracking any changes in the IT inventory, you can make compliance around data privacy assessments easier.

This reporting serves two functions: first, it flags potential vulnerabilities on the assets in your inventory so they can be fixed quickly. This helps you improve your approach to security and reduces the risk from hackers or malware.

Secondly, keeping this list up to date provides a record of the practical steps that you are taking around security. This will help in the event of any data breach or security issue, particularly as a serious breach may have to be investigated by the ICO.
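The continuous tracking and exception flagging described above can be automated. The following is an added example, not code from the article or from Qualys: it compares two inventory snapshots (constructed sample data with hypothetical hostnames, owners and patch dates), reports what was added, removed or changed, and flags assets that hold personal data but have no assigned owner or have not been patched within a chosen window. The 30-day patch window and the record fields are assumptions for the illustration.

```python
"""Asset inventory drift report: diff two snapshots and flag exceptions.

Added example (not the article's own code). Sample data is constructed.
"""
from datetime import date

# Constructed snapshot from the previous reporting period (hypothetical hosts).
PREVIOUS = {
    "fs-01": {"owner": "finance-it", "os": "Windows Server 2016",
              "last_patched": "2018-05-02", "holds_personal_data": True},
    "laptop-042": {"owner": "j.smith", "os": "Windows 10",
                   "last_patched": "2018-06-20", "holds_personal_data": True},
    "build-07": {"owner": "platform", "os": "Ubuntu 16.04",
                 "last_patched": "2018-07-01", "holds_personal_data": False},
}

# Constructed snapshot from the current period: fs-01 was patched, the owner of
# laptop-042 has left, a new CRM database appeared, and build-07 was scrapped.
CURRENT = {
    "fs-01": {"owner": "finance-it", "os": "Windows Server 2016",
              "last_patched": "2018-07-20", "holds_personal_data": True},
    "laptop-042": {"owner": None, "os": "Windows 10",
                   "last_patched": "2018-06-20", "holds_personal_data": True},
    "crm-db-02": {"owner": "sales-ops", "os": "Ubuntu 18.04",
                  "last_patched": "2018-03-15", "holds_personal_data": True},
}


def diff_inventory(previous, current):
    """Return hosts added, removed and changed between two snapshots."""
    prev_hosts, cur_hosts = set(previous), set(current)
    return {
        "added": sorted(cur_hosts - prev_hosts),
        "removed": sorted(prev_hosts - cur_hosts),
        "changed": sorted(h for h in prev_hosts & cur_hosts
                          if previous[h] != current[h]),
    }


def find_exceptions(inventory, as_of, max_patch_age_days=30):
    """Flag assets with no owner, or personal-data assets patched too long ago.

    Returns a list of (host, reason) tuples. The patch window is an assumption.
    """
    issues = []
    for host, rec in sorted(inventory.items()):
        if not rec.get("owner"):
            issues.append((host, "no owner assigned"))
        if rec.get("holds_personal_data"):
            age = (as_of - date.fromisoformat(rec["last_patched"])).days
            if age > max_patch_age_days:
                issues.append((host, f"holds personal data, last patched {age} days ago"))
    return issues


def build_report(previous, current, as_of):
    """Combine the drift summary and exception list into one report dict."""
    return {"as_of": as_of.isoformat(),
            "drift": diff_inventory(previous, current),
            "exceptions": find_exceptions(current, as_of)}


if __name__ == "__main__":
    report = build_report(PREVIOUS, CURRENT, date(2018, 8, 1))
    print("Inventory report as of", report["as_of"])
    for kind, hosts in report["drift"].items():
        print(f"  {kind}: {', '.join(hosts) or '-'}")
    for host, reason in report["exceptions"]:
        print(f"  EXCEPTION {host}: {reason}")
```

In practice the snapshots would be exported from the inventory or vulnerability-management tool rather than typed in, and the report would be kept with its date so that each run is evidence of the steps taken during that period.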

GDPR covers the security and privacy of customer data. Keeping this data protected involves knowing where those files exist and confirming that the assets holding them are secure. Having an accurate list of all your IT assets is an essential building block for demonstrating compliance over time, as well as for showing that you have full control over your customer records and your processes around this data.

By Darron Gibbard, Managing Director EMEA North, Qualys
