By now, your organisation will already be in full swing with cleaning databases and updating data handling policies, and will have a data officer leading the charge. But have you missed anything? IT Support Desk teams have greater access to data handling systems than the average staff member and therefore need more guidance than some departments.
IT Support naturally wants to keep an audit trail for monitoring, performance reporting and training purposes. However, it is very easy for personal data to find its way into tickets that needn’t be kept for long at all. For example:
- A remote worker asks for a hardware device to be deployed to their home address
- A work phone fails, and the user supplies their personal number so you can reach them
- An HR system has an issue, a user sends you a screenshot including employee data
In each of these cases, the data does not need to be held as part of the audit trail, but it can easily end up sitting in your ticketing system unnoticed unless you have planned in advance how to manage it.
Training, training and more training: It goes without saying that training your IT Support Team is imperative, but so is training the users themselves. The easiest way to mitigate risk is to avoid collecting unnecessary personal data in the first place, and if both analyst and user are conscious of the fact, then compliance becomes less burdensome on your team. Your organisation should also have a plan in place for providing a data subject with their records should they ask for them.
Carefully manage system access rights: Conduct an assessment to decide who really needs access to which systems. This applies company-wide, not just to your team, and your Data Officer and IT Security resource should be working with you to determine access rights. Fewer people having access to personal data will inevitably lower GDPR breach risks.
Ditch the dead data: Do not hold records longer than necessary. In most cases, a ticket should not be needed after 30-45 days in order to carry out your audits and reporting. Run your support desk metric reports regularly enough that you don’t have to hold on to tickets for any longer than necessary.
Automate GDPR audits: Take as much of the legwork out of your auditing process as possible by running scripts that will help you flag potential personal data items. However, be careful with non-textual items such as voice calls and images (screenshots). These will require a more manual approach, so do plan how to limit collecting this kind of data and lighten the auditing load.
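The following Python example, added here and not part of the original article, shows one way such an audit script can flag tickets for review: it looks for phone numbers and postcodes in ticket text, marks image or audio attachments for manual checking, and reports tickets held past the retention window. The ticket fields, the patterns and the sample tickets are constructed assumptions; the 45-day limit is the upper end of the window mentioned above.

```python
import re
from datetime import date

# Assumed patterns (UK-style); tune them to the data your own desk sees.
PATTERNS = {
    "phone": re.compile(r"(?<!\w)(?:\+44\s?|0)\d(?:[\s-]?\d){8,9}(?!\d)"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.I),
}
# Non-textual items cannot be pattern-matched, so route them to a person.
MANUAL_TYPES = (".png", ".jpg", ".jpeg", ".gif", ".wav", ".mp3")
RETENTION_DAYS = 45  # upper end of the 30-45 day window in the article

def audit_ticket(ticket, today):
    """Return a sorted list of audit flags for one ticket."""
    flags = set()
    text = f"{ticket['subject']}\n{ticket['body']}"
    for name, pattern in PATTERNS.items():
        if pattern.search(text):
            flags.add(name)
    if any(a.lower().endswith(MANUAL_TYPES) for a in ticket["attachments"]):
        flags.add("manual_review_attachment")
    closed = ticket.get("closed")  # open tickets have no closed date
    if closed is not None and (today - closed).days > RETENTION_DAYS:
        flags.add("past_retention")
    return sorted(flags)

def audit_all(tickets, today):
    """Map ticket id -> flags, keeping only tickets that need attention."""
    report = {t["id"]: audit_ticket(t, today) for t in tickets}
    return {tid: flags for tid, flags in report.items() if flags}

# Constructed sample tickets mirroring the three scenarios in the article.
SAMPLE_TICKETS = [
    {"id": 101, "subject": "Laptop delivery", "attachments": [],
     "body": "Please ship to 12 Example Road, Leeds LS1 4AB",
     "closed": date(2024, 1, 10)},
    {"id": 102, "subject": "Work phone dead", "attachments": [],
     "body": "Call me on 07700 900123 instead", "closed": date(2024, 2, 20)},
    {"id": 103, "subject": "HR system error", "body": "Screenshot attached",
     "attachments": ["hr_error.PNG"], "closed": date(2024, 2, 25)},
    {"id": 104, "subject": "Printer jam", "attachments": [],
     "body": "Tray 2 jams on every job", "closed": None},
]

if __name__ == "__main__":
    for tid, flags in audit_all(SAMPLE_TICKETS, date(2024, 3, 1)).items():
        print(tid, ", ".join(flags))
```

Pattern matches are only prompts for an analyst to look at the ticket; a clean result does not show that a ticket is free of personal data.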
Some environments will be more prone to picking up personal data than others. Therefore, it is crucial that all IT Support Desk analysts and their customers understand their duties, rights and the processes that are in place in order to engage with GDPR standards. I hope that these tips will help you put the finishing touches on your compliance practices.