Phone
SecOps

GDPR Through ServiceNow’s GRC

ServiceNow's GRC with new GDPR

Have you been getting a lot of emails around Privacy updates from your software vendors and the major social media companies that you’re subscribed to?

With the European Union’s General Data Protection Regulation (GDPR) going live today, you should expect at least a few more in your inbox.

Due to heightened public concerns around the handling of data by many companies, multiple countries have determined that there is a pressing need to institute policies regulating data concerns. In response, the EU introduced the GDPR law, which was passed and ratified in April 2016.

So, why should the rest of us care, if we live in the United States, Australia, Singapore, or any number of countries that aren’t in the EU?  How does this affect us? To answer that, we’ll have to explore the following questions

  • What is GDPR? Why does it exist?
  • When does it come into effect?
  • How does it affect me and my company?

And, since we are a ServiceNow consultancy, we, of course, wanted to explore what it ultimately means for our business (and our clients), so we explored two additional questions:

  • What is ServiceNow’s GRC doing with GDPR?
  • What can Acorio and ServiceNow do to help?

Breaking Down GDPR

GDPR, as written and approved by the EU, encompasses any company that handles the data of one or more citizens of the EU.  This law, therefore, affects almost all but the smallest and isolated of companies.  Among the new rules are 181 mandates not included in any other ‘Authority Documents,’ such as DPIA, NIST, COBIT, ISO, etcetera.

The regulations were announced roughly two years ago, but companies have been slow to enact them.  These regulations will officially come into effect on May 25th, 2018 – not May 18th, as reported in some outlets – and are likely to cause several companies strife due to delayed action from competing priorities and complexities in the law.

At the highest level, GDPR introduces common standard obligations pertaining to any organization that handles data about EU citizens, whether that company is in the EU or not. As the first of its kind, this ‘one-stop shop’ regulation concept introduces the following requirements and complexities:

  • Introduces a common data breach 72-hour notification requirement.
  • Mandatory (in most cases) appointment of a Data Protection Officer (DPO).
  • Mandatory Data Protection or Privacy Impact Assessments (DPIA’s).
  • Privacy implemented in both systems and processes by design
  • Liability for all organizations that handle personal data, both analog and digital assets.

So What About Me (and ServiceNow)?

The juncture between need and actualization of GDPR requirements is where ServiceNow and Acorio can help.  ServiceNow provides a SaaS (Software as a Service) product that provides tools and solutions for the policies, controls, and risks associated with GDPR.

“We knew we had the opportunity with this platform to make our audit life much easier with automated controls and better reporting.” – Bart Murphy, CIO CareWorks tweet

The ServiceNow Governance, Risk, and Compliance (GRC) suite is comprised of applications geared toward enabling proper governance in an organization via Policy Statements (Picture 1), Controls, Authority Documents (Picture 2), Risk Management, Audit Engagement, and other facets. The Authority Documents may be pulled in from any data repositories, and ‘out of the box,’ there is a ServiceNow plugin for the Unified Compliance Framework (UCF) repository.

ServiceNow GRC

Picture 1: Example Policy Statement and corresponding auto-loaded information from UCF

ServiceNow GRC Authority Documents

Picture 2: Authority Documents (e.g. COBIT, ISO, and NIST) pulled in from Unified Compliance Framework

Combined with other products on the ServiceNow platform, GRC transforms inefficient processes across your entire organization, creating a unified GRC program. This unification facilitates continuous monitoring, prioritization, and automation allowing you and your business to respond to risks in real time.

Talk to Expert

Continue Reading