GDPR and ITIL – a match made in….

As someone who often browses LinkedIn you are bound to read at least few articles about the General Data Protection Regulation or GDPR. A lot of people have tried to first explain it, then warn about it and finally sell some magical software that by click-click-click allows you to be fully compliant.

Last week I decided to take my own read and see what the big deal about GDPR is. To put it as short as possible, it is big. Deadline is 25 May 2018 or in 10 months. You might think this is more than enough (especially if you buy the magical software), but for me it will be a last minute success, if you start now.

Why should you care about GDPR?

I can give you enough reasons. In the worst case, you will be fined 20 million or up to 4% of your annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

What is needed to comply?

There are few key points within GDPR:

  • Consent – Valid consent must be explicit for data collected
  • Pseudonymisation – The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. An example of pseudonymisation is encryption. So, in short, encryption of data will be a must.
  • Data breaches – reported to the proper authority within 72 hours
  • Right to erasure – per person’s request all data related must be deleted
  • Data portability – per person’s request it shall be possible to transfer their personal data from one electronic processing system to and into another.

Sounds very technical so far, right? Encryption, Data migration and erasure, but the last point is where I started thinking “Hmmmm, this is not a technical challenge, but an organizational one”.

  • Data protection by Design and by Default – data protection is designed into the development of business processes for products and services. Mechanisms should be implemented to ensure that personal data is only processed when necessary for each specific purpose.



Now, when we go over the key GDPR points, we notice that there will be a lot of customer interactions. We will need to have mechanisms to ask for consent and to keep it until erasure is requested. So, in short we will have a lot of customer requests, and if we translate this to ITIL, we will need to have a great Request Fulfilment process, because the volume of these requests can be thousands to millions.

Can the volume or the impact of these requests jeopardise our service delivery? Maybe, so we will need solid Change Management and Release and Deployment Management processes.

What about data breaches? Is our Incident Management process up to the task of quickly recognising such an occurrence and are there clear procedures that need to be followed? Who will perform those procedures? Is it a Service Desk task? Can we prevent those breaches from not even happening via our Problem Management process?

The questions keep growing up, so as you can see this is clearly not a pure technical problem anymore.

How can ITIL help to comply with GDPR

The main advantage of using ITIL in the light of GDPR is that it will help us structure our approach and by implementing or adapting our processes and procedures, reach full compliance. Obviously, as stated above, the stake here is big, there will be a lot of efforts needed to continue to perform your service delivery at optimal level and keep up with this new legislation.

Via ITIL you can make this topic part of your Service Strategy and your Governance model, so that even before you reach Design all GDPR aspects are addressed and budgeted. Thus you will ensure that this is not tackled as a pure technical issue, but holistically and throughout the whole service lifecycle.

I hope that with this short article I showed you how one can use the best practices collected in ITIL to address one of biggest challenges of 2018 – the General Data Protection Regulation. The deadline is near, so don’t wait for the last moment, start thinking about those key aspects and expect a change in the way we interact with our customers. They are becoming more and more sensitive about their personal data, so we need to be up to the challenge.


Nikola Gaydarov

Director IT Service and Project Management

Nikola has been in the IT sector for almost 10 years. He started his career in HP Global Delivery Center back in 2007 and since then has been involved in many different roles: technical consultant, operational manager, transition manager and ITSM implementation consultant. During these years he has worked both domestically and in Western Europe.