The IAITAM ACE conference that was held in Dublin on September 1 and 2, 2015 had the usual interesting speakers, vendors and hallway discussions. There was however, one presentation that stood out for me in its potential impact and that was Ann J. LaFrance from Squire, Patton Boggs, a law firm who provided an overview of the “Draft EU Data Protection and Network Information Security Laws on ITAM and ITSM”.
The reason this stood out for me is simple; it is incredibly easy to see how these laws will have global ramifications. This blog only really touches the surface.
First, some details. The EU classifies Personal Data rather broadly – namely:
Any information relating to an identified or identifiable natural person (i.e. one who can be identified) directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person.
The US, classifies personal data rather narrowly – namely:
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or data elements are not encrypted:

  • Social security number
  • Driver’s license number
  • Account or credit card number combined with security code, access code or password allowing access to a financial account

Without getting into specifics, both the US and the EU have data protection provisions over “personal data”. The interesting issues arise when you look at where the EU is going with the protection of personal data. This will have impacts on ITAM programs across the world.
First, every organization that controls the personal data of others is responsible to have policies and measures in place to ensure that they are demonstrably compliant with the EU regulations.
Second, these data controllers must perform a data protection impact assessment prior to doing any data processing activity that present a “high risk” to the rights and freedoms of data subjects including:

  • Systematic profiling activities
  • Processing of sensitive personal data

If a non-EU Government/court requests a company to disclose EU personal data, the data controller or processor must:

  • Inform the relevant data subject(s)

So, if a search is being conducted for someone who is participating in illegal activity, that person would need to be notified that they were having their data made available.
The more major impact, however is to the potential for fines. The European Parliament advocates fines of up to 5% of annual worldwide turnover or EUR 100 million, whichever is greater if organizations do not adequately protect the privacy of their users due to either intentional actions, or neglect. Add to this the private damages that will be allowed, and many smaller organizations will simply disappear if a data privacy issue is found to be caused due to negligence.
So what does this mean to the average ITAM user?
Well, they need to automate as much of their software lifecycle as possible – especially the update and patch process to ensure that their systems remain secure. Fortunately, 1E products help with that by making organizational deployment and installation of software and patches, faster and more reliable without negatively impacting remote office network bandwidth.
The potential for fines coming from the EU are massive and likely to cause a number of companies to simply close their doors if they do not apply tools and technology towards software lifecycle management. Make sure your company is not caught flat-footed and contact 1E to find out how your software lifecycle processes can be sped up and automated.