Smooth sailing to GDPR compliancy with the GDPR4U app


Now that the first month of the General Data Protection Regulation being effective is behind us, it is safe to say that being GDPR compliant is easier said than done. Many organizations have achieved a baseline for GDPR compliancy, but still struggle with the complexity and requirements of said regulation. Organizations need to implement a number of key controlling processes that are mandatory by law to demonstrate compliancy.

Since being compliant largely boils down to knowing where privacy-sensitive data is handled and stored in an organization, we developed a smart app on the ServiceNow platform that saves a lot of time in the effort to become compliant. Our GDPR4U app uses a centralized system in which you can easily keep track of three key processes. Because the scoped application is integrated with the ServiceNow CMDB, significant value is added: approximately 95% of personal data is generally stored in (business) applications and information systems.

The following key controlling processes are captured in the GDPR scoped application:

  1. An up-to-date Registry of Personal Data Processing – GDPR Article 30

Under GDPR, organizations are required to keep a complete and accurate overview of all activities in which personal data is processed. With tens, or even hundreds, of applications in an organization, it is a real challenge to fill and maintain this registry correctly.

For all these activities we offer a means of building and maintaining the metadata model (i.e. the Registry of Personal Data Processing) with a CMDB integration. The information categories included in the application are based on Article 30: data subject types involved, lawful basis, personal data categories, processing types, security measures, sharing with third countries, and so on.

The ServiceNow CMDB plays a crucial role in maintaining a complete and accurate overview of the personal data population. It shows where the data is stored, for the most part in applications that are, or should be, registered in this CMDB. By building on the CMDB, the GDPR4U app always presents an up-to-date overview of all applications that process personal data and all databases that store it.

  2. Complete Data Protection Impact Assessments (DPIA) – GDPR Article 35

Companies of a certain size and/or operating in a certain sector need to appoint a Data Protection Officer (DPO). This DPO, together with product owners, needs to determine whether new and existing products or services (potentially) impact personally identifiable data. In other words, they need to determine the exposure of the personal data that is maintained and processed in the organization. This is done in a Data Protection Impact Assessment (DPIA).

By means of a ‘quick scan’ (i.e. several screening questions) an initial risk score is determined. When the initial risk score exceeds a certain threshold, a full DPIA including a risk assessment must be performed, based on a (predefined) extended questionnaire. The results are managed centrally in ServiceNow and structured specifically for use with the app, in a way that keeps the data useful for a DPIA, for instance during (external) audits.

Since the GDPR4U app retrieves all data directly from the ServiceNow CMDB, this key controlling process provides real added value. Performing and archiving DPIA processes outside a centralized system will more than likely result in the loss of crucial documentation, correspondence and other evidence needed to prove that the DPIA was executed correctly. The data becomes fragmented, which makes it impossible to fully demonstrate compliancy in the event of an (external) audit, where this evidence is a need-to-have.

  3. Report data breaches (GDPR Articles 29/33/34)

When there is a (potential) data breach, it should be assessed by the parties involved and the Data Protection Officer. If a data breach has been confirmed, it must be reported to the National Data Protection Authority within 72 hours. The mandatory analysis steps that need to be followed have been pre-configured in the GDPR4U application to ensure that the required actions are taken in the event of a data breach.

Your journey to GDPR compliancy

Getting and remaining GDPR compliant is not an if, but a how. Inspections by regulatory bodies will come soon, and it is only a matter of time before news breaks that the first sizeable fines for lack of GDPR compliancy have been handed out. You don’t have to worry about that if you can prove that you are compliant. As we hope we have shown, proving compliancy is a lot easier when the basics are right. The ServiceNow CMDB is ideally suited to aggregate information on all databases that hold personal data, which the GDPR4U app then uses to provide the three key functionalities described in this article. In this way, GDPR compliancy turns into a pleasant journey instead of an exhausting exercise.

If you have any questions regarding this article or want to know more about our GDPR4U app, please contact Carel Jansen, GRC Platform Consultant:
Cell Phone: +31 (0) 6 83330409
