Asset Records for GDPR Compliance: Do you know what you have and who has it?
We know that some areas of the EU General Data Protection Regulation, or the GDPR, can be a little overwhelming. The good news for you is that when it comes to information security audits, asset tracking and compliance, we have a solution that will help ensure you are fully GDPR compliant.
In order to be compliant with the GDPR, you must keep an up to date record of the business assets you have that are used to collect, hold or process personal data as well as a record of who has access to these assets. It is very important that as a business you have this accurate information available and that you can show transparency with regards to this area of GDPR compliance.
The business and IT assets that require mandatory tracking for GDPR compliance include your laptops and desktop computers, mobile phones, tablets, USB sticks, CDs and even, physical data records such as documents stored in folders and filing cabinets – any asset that collects, holds or processes personal data.
Why do I need to track my IT assets for GDPR compliance?
1. To prove you are collecting and storing personal data responsibly and legally
All businesses have a need to collect and hold personal data relating to customers, suppliers, associates and employees. In order for your company to be fully GDPR compliant, you must be able to demonstrate that you have control over the safekeeping of this data and as a result the assets that store this data.
You must know:
- Which assets your business has and uses that collect and store personal data
- Who has access to which of these assets, who uses which laptop/desktop, which mobile phone is theirs, etc
- What types of data are stores on each device or asset
- When this data should be erased
- Where these assets are, to ensure they have not fallen into the hands of an unauthorised person
- When these assets leave the secure office environment and who they are leaving with
2. In case of a data security breach
If your business experiences a data security breach, under the GDPR, this breach must be acknowledged, reported and investigated promptly following the incident.
In order for your business to know if there has been a security breach, you must know who is entitled and authorised to have access to the personal data your business holds. When this data is accessible by unauthorised persons, you have encountered a data security breach and must respond with corrective action immediately. If your business does not keep a record of all the devices it owns which hold personal data it will be very difficult or even impossible to discover the source of the breach.
3. To protect the rights of data subjects
A data subject is any person whose personal data is collected, held or processed. For your business, this could include your customers, employees, associates and suppliers and potentially others too. The GDPR outlines 8 data subject rights that you must comply with. With regards to information and data security, the following rights apply:
- Right of access. The right of data subjects to know and have access to the personal data held about them
- Right to be forgotten. The right of data subjects to have their personal data erased
- Right to rectification. The right to have data corrected where it is inaccurate or incomplete
- Right to object. The right to complain and to object to processing
- Right to restriction of processing. The right to limit the extent of the processing of the data subject’s personal data according to their wishes
If your business is unable to serve these data subject rights then you are not GDPR compliant. In order for your company and your team to be able to ensure these rights can be fulfilled, you must know what data is collected, stored and processed and on which devices. If, for example, a customer exercises their right to be forgotten, you must ensure that all data relating to this customer is erased. If you’re unable to recall all of the assets that at any point in time may have collected, stored or processed this customer’s data, then you are unable to fulfill the right of the data subject and you will be non-compliant.
4. To ensure information security assets are not lost from your business
If any asset, such as a mobile device, laptop or file containing personal data goes missing, you must be aware of this and you must take the necessary steps in order to rectify it. This may arise from a few circumstances, for example, an asset may be misplaced or lost or perhaps more commonly, an employee may leave your company and not return all assets they were provided with. What this means is that ex-employees who are no longer bound by your company’s policies and terms and conditions may have access to the data that your company collects, holds and processes on data subjects. This is a data security breach and will result in your business’ non-compliance with the GDPR.
As a business, you must have and maintain a comprehensive list of all the assets owned and used by your staff, with a clear indication of assets given to employees to use for the term of the employment. When an employee leaves, you must ensure every asset is returned to you, in order to maintain control of the personal data available on these assets.
How do I track my IT assets for GDPR compliance?
The solution to ensuring you are GDPR compliant with regards to your business assets and data security is to use an asset tracking system that allows you to create and maintain an up to date asset register.
This asset monitoring system must:
- Be easy to update, resulting in an accurate representation of your assets
- Must allow you to categorise those assets that are covered under the information security audit area of the GDPR
- Must permit you to restrict access to sensitive assets and only share with your team any assets that they are necessitated and authorised to see
- Must allow for employees to update an asset’s location if it is removed from the secure office/building environment
- Must allow you to record which assets have been assigned to which employees for the term of the employment
- Must allow you to record critical pieces of information, including who the asset is assigned to, when it is due for inspection, whether the device is password protection and who is authorised to log in to the device, the types of data collected, stored and processed on the device, to name just a few.
- Critical business assets such as laptops, desktop computers and mobile devices are crucial for the day to day running of your business. Because of this they should already be tracked and maintained for business purposes, but with the GDPR they now must be tracked and monitored to prove your company is GDPR compliant.
Using an Excel spreadsheet to keep track of your assets has never been a good solution (because Excel is not designed to manage your assets) and with the GDPR, it is not a satisfactory solution. If your business is looking for a simple and affordable tool to help you become GDPR compliant, check out itemit or drop us an email to find out more.
To learn more about the GDPR, check out this website.
Do you need a tool to create a GDPR compliant asset register?
Check out the itemit asset tracking tool now.
Start your free 14-day trial now
Instant access. No credit card details required.