General Data Protection Regulation (GDPR) (EU Safe Harbour v2)

johnthomas
Tera Contributor

We are a relatively small company (e.g. <100 employees), and we don't need the full-blown GRC module, etc. I was curious if anyone has come up with a good way to track data information, lifecycle, etc. I'm wondering if this could be handled with an extension of the CMDB_CI table and/or maybe a separate table, with a relationship to the CMDB_CI.

If not, I'm going to work on something, and I'm happy to provide whatever I come up with (if it is any good). But if anyone has already built and solved this problem, I would love to hear how you did it and/or any other advice anyone may have.


HarshTimes
Tera Guru

Hi John,

Data from which tables do you want to track? Do you want to track only who updated the record and when it was updated?

Regards,

Harsh


So, I'm not an expert [yet?], but GDPR (Home Page of EU GDPR) requires you to track everywhere you have personal information stored on any system (electronic or even physical) for any citizen in the EU. In addition to tracking the existence, you also have to document the purpose for having it, how it will be used, and if/when it will be destroyed; and you need to maintain the ability to provide evidence to any EU citizen, at their request, that all information about them has been destroyed.

Thinking out loud here and as an example, you can have a CI like Microsoft Exchange and/or a CI business service/application defined as messaging & contact services. Would it make sense to add attributes to CI classes like this to capture this GDPR information? Or would it be better (or worse) to create a specific GDPR table, with the appropriate fields to describe the data type/content, and then create a relationship to the relevant CI types?

I previously modified our cmdb_ci table to add an attribute for PCI Scope, so on any CI we can indicate the 'class' (screenshot below). But PCI seems to be more black & white (which I can't believe I'm saying; PCI is more black & white than anything. 🙂 ). I could do the same for GDPR, but before I do, I just wondered if anyone had advice or had already solved this problem a better way.

[Screenshot: PCI Scope attribute on the cmdb_ci form]

For CMDB CI-level tracking purposes, does it make sense to identify which CIs contain personal data? Perhaps a "Contains Personal Data?" checkbox attribute?

If we don't have GRC, can we manually track whether a Business Service or Application is GDPR compliant via an attribute? A "GDPR Compliant?" checkbox?
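To make the "separate GDPR table with a relationship to the CI" option concrete, here is an added example in plain JavaScript. It is not code from this thread and not ServiceNow code: the register is modelled as in-memory rows, and the table and field names (gdpr_register, ci, data_category, purpose, retention_days, collected_on, erasure_log) are my assumptions rather than anything in the platform. The point it shows is that if the register, not a checkbox on the CI, is the source of truth, then "does this CI hold personal data?", "which entries lack the purpose/retention documentation?", "what is past its retention period?" and "can we evidence erasure for this data subject?" all become queries over one table instead of attributes that can drift.

```javascript
// Added example: plain-JavaScript model of a GDPR register table related to cmdb_ci.
// Not ServiceNow code; all table/field names below are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample rows standing in for cmdb_ci.
const cmdbCi = [
  { sys_id: 'ci001', name: 'Microsoft Exchange', sys_class_name: 'cmdb_ci_email_server' },
  { sys_id: 'ci002', name: 'HR Application',     sys_class_name: 'cmdb_ci_appl' },
  { sys_id: 'ci003', name: 'Build Server',       sys_class_name: 'cmdb_ci_server' },
];

// Constructed rows of the assumed gdpr_register table: one row per CI and data category.
// A CI with no row is treated as holding no personal data.
const gdprRegister = [
  { sys_id: 'r1', ci: 'ci001', data_category: 'contact details', purpose: 'staff messaging',
    retention_days: 365, collected_on: '2017-01-10' },
  { sys_id: 'r2', ci: 'ci002', data_category: 'payroll', purpose: 'salary administration',
    retention_days: 2555, collected_on: '2018-03-01' },
  { sys_id: 'r3', ci: 'ci002', data_category: 'sickness records', purpose: '',
    retention_days: null, collected_on: '2018-03-01' },
];

// Constructed erasure log: evidence that a data subject's records were destroyed on a CI.
const erasureLog = [
  { subject: 'emp-42', ci: 'ci001', erased_on: '2018-05-20', erased_by: 'it.ops' },
];

function byId(rows, id) {
  return rows.find(r => r.sys_id === id);
}

// Derived from the register rather than stored on the CI, so it cannot drift from
// the documented purpose and retention period.
function ciHoldsPersonalData(ciId, register = gdprRegister) {
  return register.some(r => r.ci === ciId);
}

// Register rows missing the documentation GDPR expects (purpose, retention period).
function undocumentedEntries(register = gdprRegister) {
  return register
    .filter(r => !r.purpose || !Number.isInteger(r.retention_days))
    .map(r => ({ register_id: r.sys_id, ci: byId(cmdbCi, r.ci).name, data_category: r.data_category }));
}

// Rows whose retention period has elapsed as of `asOf` (ISO date string): destruction is due.
// Rows with no retention period are reported by undocumentedEntries(), not here.
function retentionDue(asOf, register = gdprRegister) {
  const now = new Date(asOf).getTime();
  return register
    .filter(r => Number.isInteger(r.retention_days))
    .filter(r => new Date(r.collected_on).getTime() + r.retention_days * DAY_MS <= now)
    .map(r => ({ register_id: r.sys_id, ci: byId(cmdbCi, r.ci).name, data_category: r.data_category }));
}

// For a data-subject request: every CI that holds personal data, and whether the erasure
// log records destruction of that subject's data there. An entry with erased: false is a gap.
function erasureEvidence(subject, register = gdprRegister, log = erasureLog) {
  const ciIds = [...new Set(register.map(r => r.ci))];
  return ciIds.map(ciId => {
    const entry = log.find(e => e.subject === subject && e.ci === ciId);
    return { ci: byId(cmdbCi, ciId).name, erased: Boolean(entry), erased_on: entry ? entry.erased_on : null };
  });
}

function allErased(subject, register = gdprRegister, log = erasureLog) {
  return erasureEvidence(subject, register, log).every(e => e.erased);
}

console.log('Holds personal data:', cmdbCi.filter(c => ciHoldsPersonalData(c.sys_id)).map(c => c.name));
console.log('Undocumented entries:', undocumentedEntries());
console.log('Retention due as of 2018-06-01:', retentionDue('2018-06-01'));
console.log('Erasure evidence for emp-42:', erasureEvidence('emp-42'), 'complete:', allErased('emp-42'));
```

The same four queries map directly onto GlideRecord lookups against a custom register table in ServiceNow; the design choice worth noting is that a "Contains Personal Data?" checkbox on the CI can still be kept for convenience, but it should be populated from the register (for example by a business rule on insert/delete of register rows) rather than maintained by hand.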


HarshTimes
Tera Guru

John, are you looking to track only CMDB data? If yes, then you can check the CMDB baseline. CMDB Baseline helps to control the changes that have been made on the CIs. You can find more details about it in the link below.

Baseline CMDB - ServiceNow Wiki

If you are looking to track other data also, I will suggest you first make the list of the tables that you want to track. Second, do you want to track all the fields on the form or some specific fields?

ServiceNow tracks the history of the data on the tables very well. For this you will be required to enable audit for that table. It is not recommended to enable audit for all the tables. It will slow down the system while viewing the history. So it is very important to decide first what we want to track. OOB ServiceNow does not allow you to create a report on the history table. The reason is the same: it contains millions of records and will slow down your system.

If you want to track a specific field on the table, you can set up metrics. Metrics help in reporting. You can find more details about metrics in the wiki or docs. Metrics

Regards,

Harsh