How to easily comply with the GDPR for data present on the ServiceNow instance?

There is an increasing number of security and privacy regulations being created and managed by governments and organizations around the world.

GDPR in Europe is arguably the most well known set of data privacy rules. Companies caught not complying, for example, not abiding by those right to be forgotten mandates and can be subject to substantial fines.

Organizations know how it can be difficult to have a complete knowledge of the data stored in database, files and how it is even more difficult to anonymize sensitive data especially on legacy systems or large databases in place for many years.

ServiceNow platform gives the way to manage very easily the data privacy for data stored in the instance.

The first step is to classify the data stored and, if needed, to discover the data.

ServiceNow Data Classification is a standalone process in which you manually apply data classifications to existing dictionary entries in any table.

ServiceNow Data Discovery is a capability which permit to identify the sensitive data by applying intelligent discovery capability to the tables we target, and find what data we have, where it is located and who has access to it. 

It elevates compliance levels and reduce risk by identifying sensitive data and avoid potential threats and negative impact to your brand.

After classification, ServiceNow’s customers are mainly implement 3 use cases on the platform:

The first is for GDPR right to be forgotten requests – let’s say an employee leaves a company or a customer of ours has their own customers (e.g. with customer service management) where they need to anonymize customer data. You can easily select a user and anonymize PII associated with that user in a production instance.

The second is to automatically anonymize personal or sensitive data in sub-production instances during cloning.

It permits to optimize security by hiding the sensitive and not necessary part of the data for developers and third parties, while retaining part of the data for relevant application tests.

The last is more about data archiving, data purge or the anonymization of archived data.

To comply with GDPR on data archiving and purge, you can use the data archiving capability and purge or anonymize the archived data.

Anonymization is an irreversible process. For customers wishing to hide sensitive data from users, including administrators, while keeping applications and reporting operational, or wishing to retain the ability to access sensitive data, it is possible to use application level encryption (ServiceNow Column Level Encryption Enterprise