IT Asset Managers Poised to Manage New Regulations

Starting May 25, 2018, the General Data Privacy Regulation (GDPR) transformed the way European Union organizations manage their users’ personal information. The regulation protects private data such as names, emails, and addresses, and determines how that data is processed, used, and distributed. The new rules reach across the pond and beyond, as anyone offering goods or services to citizens of the EU is required to abide by the regulation.

The GDPR-adjacent question on Capitol Hill is not whether the United States will enact similar laws, but when and how. Without a doubt, it is only a matter of time before U.S. citizens insist on similar protections, and that task will go to a Congressional committee. If Congress passes such legislation, then presumably every business in the U.S. will be obligated to follow extra steps to ensure their stateside customers have additional data security and preferences for interacting with their organization.

EU organizations were forced to add Data Protection Officers to their ranks to ensure security and compliance policies, procedures, and processes. In the United States those policies, procedures and processes are already the responsibility of the IT Asset Management department. Fortunately, the Data Protection Officer already exists as a role of an IT Asset Management professional. Organizations with a mature IT Asset Management program under their roof will not have to invest additional funds into more personnel.

Google Fined
The GDPR’s influence recently hit Silicon Valley when France’s National Data Protection Commission (CNIL) fined Google €50 million ($57 million). Google, which includes YouTube, Google Search, Chrome, Google Maps, and Google Play, is the first of the Silicon Valley giants to receive such an expensive penalty. The maximum fine that can be enforced under the GDPR is 4% of an organization’s annual revenue. If Google had been given that sentence, it would have had to pay around $4 billion. Google is currently in the appeal process.

According to the CNIL, there is an absence of the transparency Google so often claims to prioritize. The advocacy group accused Google of violating several GDPR rules:

  • Not providing clear consent terms to new and existing users
  • Not explaining the methods of collecting and processing the user’s data
  • Not explicitly stating in the terms and conditions how a user’s data is utilized
  • Not giving users the immediate ability to “opt-out”
  • Not allowing users to opt out of personalized ads, which are an automatic, default setting
  • Not offering users the ability to erase their personal information, which is known as “the right to be forgotten”

You may not be able to judge a book by its cover, but you can judge a shoemaker by his shoes. Not the shoes on the shelves, but the ones on his own feet. Google claims to be protecting its users, but there are holes in its shoes.

Lessons Learned
Non-compliance is non-compliance no matter the size of the organization in terms of personnel, profit, or popularity. The mom and pop store down the street is just as responsible for compliance as Google is. There is a trickle-down effect to consider. If Google failed to abide by the GDPR and an organization used Google products and services, was that organization equally culpable? If an organization’s standard image included Windows, Adobe, and Microsoft and the contracts that accompany them, and those companies do not abide by the GDPR, then, by default, are those organizations not equally liable? IT Asset Managers are poised to handle such situations. Every organization faces the same obstacle in this instance, but each also has the same opportunity to solve these issues by hiring an IT Asset Manager.

What’s Next?
Eight months have passed since Europe executed the GDPR. Companies had two years before that to prepare. The Google fine should have been prevented, and could have been with a mature IT Asset Management program. Future incidents will be prevented, but only if those organizations have an ITAM program managing proper data protection frameworks consisting of recommended best practice processes.
