Insights | Thirdera

Take Control of Privacy Management with Thirdera and ServiceNow

Written by Joe Salem | 18/08/2022 8:27:06 PM

CCPA, GDPR, VCDPA, FCRA, FERPA, the list keeps going. And no, these aren’t just the latest cool internet abbreviations (YOLO). They are all part of the growing list of Privacy Regulations that companies in today’s world must be aware of and comply with. You’ve probably seen the long, often-skipped over, privacy agreements that come with opting into new products and services, and as the amount of data we agree to share with our devices and services grows, so too will that list of regulations. With that growth comes new demand in the privacy sector, and that combination of resource demand and increasing regulation puts strain on existing privacy management teams. Fortunately, the same growth in technology that has spurred the regulatory growth has also led to strides forward in the technology privacy managers can leverage. One such technology is ServiceNow.

The ServiceNow platform, which made a name for itself initially in the ITSM space, has an ever-expanding suite of products that can be leveraged by organisations to meet demand in a number of sectors. This includes areas like Human Resources, GRC, Security Operations, Customer Service, Privacy, and a lot more. There’s power (and value) in centralising various tasks and business processes in one tool; and, with the right security advisor, privacy management teams can realise that power to combat a number of growing challenges in their space.

 

The Importance of Tracking Personally Identifiable Information

One major challenge Privacy Managers are facing today is the tracking of PII (Personally Identifiable Information) across the organisation. Understanding which systems process and handle PII data, and what elements of PII they touch, is critical in determining what action needs to be taken against those systems to remain in compliance with regulations. And while siloed privacy management tools can certainly assist with managing that repository, ServiceNow combines those repository features with other widely used and valuable aspects of the platform - Asset Management (ITAM), Business Management (ITBM), and Service Management (ITSM). At the core of all of those platform services is something called the CMDB (Configuration Management Database), which serves as the central repository of things like hardware, software, business services, and the related relationships between those things. Storing that data in a centralised place empowers things like associating tickets in Service Management to actual hardware or software or being able to understand how outages of singular elements or services can affect upstream business processes. Then, from a privacy perspective, that same CMDB would allow mapping of those PII objects to any of the individual elements of the organisation, including the hardware, software, services, processes, etc. So, for any item we are tracking as an organisation, we would be able to view all of the PII elements it touches, as well as any upstream or downstream relationships and the PII those related items touch. Privacy managers then wouldn’t be tasked with maintaining the actual repository of assets, but instead can focus on using that existing repository to hold their mappings of PII. We could even take it a step further on the same platform, and track control compliance against those assets or send out PIAs (Privacy Impact Assessments) for them, but I’ll save that discussion for next time.Example Business Application record in ServiceNow, showing an application that consumes PII. Note the Information Objects (elements of PII) that are in the "Related Items" section at the bottom.

 

Time to Start Taking HR Seriously

While PII tracking is an awesome feature of the ServiceNow platform, it’s not the only feature ServiceNow brings to the table for privacy teams. In addition to needing to know what systems process personal information, privacy teams are charged with ensuring that processes within the organisation that actually intake PII are running in a way that adheres to regulations. As we mentioned, with the number and breadth of regulations increasing, and with increased scrutiny in this space, privacy teams are needing to ensure that their organisation isn’t dropping the ball in any sector. One such sector which is often overlooked in the handling of PII is HR. Employee and applicant data contains PII too, and HR departments (which are often busier now than ever) aren’t always fully aware of all of the things they need to be doing to ensure regulatory compliance with the handling of that data.

Fortunately, the ServiceNow platform can assist there as well. With a robust feature set in the Human Resources (HR) Management space, ServiceNow has introduced dedicated workflows to assist with many common HR use-cases. While the HR applications can do a lot for the organisation across several phases of Human Resources (like Recruiting, Communications, and Offboarding), one area in which it can help privacy teams specifically is in the organised collection of HR information.

To facilitate aspects of the HR feature set, and in relation to capturing new-hire information (which as mentioned is often PII itself), ServiceNow introduces an HR Service Portal to the organisation. In addition to some cool functionality, like storage of HR documents, the ability to find or ask HR questions, or the ability to chat with the HR department, the HR Service Portal can serve as a central place to capture information from our new hires in a more structured and organised way. We can do away with paper copies and emails containing critical forms loaded with PI, and instead have users download, upload, and even directly fill out forms and information in this portal. Similarly, users get access to directly request and track requests for HR services, like benefits, reimbursements, or direct-deposit. Again, fewer emails and more centralised processes mean we can better streamline and protect information being transferred in these processes. So with ServiceNow HR, your users get an easier mechanic for all things HR, and the privacy team can rest easier knowing the organisation has decreased risks associated with handling all of the PI collection that comes with the new hire process – it's a win for everyone!  

In addition to the new hire collection aspect facilitated by the HR Portal, there is also value in having HR processes, and the other data collected from those processes, in one central platform (and ideally the same platform we run our compliance activities out of). With that data centralised in ServiceNow, we can set up metrics, reports, and automated tracking (like ServiceNow Indicators) to ensure we are compliant across all facets of our HR program that processes PII. Take for example the collection of the applicant, or lead data, that would stem from a standard hiring search. Many key privacy regulations, such as GDPR, have regulations about what can be collected, length of storage, and more. With the data centralised in ServiceNow, we can use platform reporting, and automated tracking, to ensure we are doing the things we need to do to meet these requirements and remain compliant with privacy regulations. If for any reason we aren’t, the ServiceNow platform has the capability to notify us, or even generate compliance issues for remediation. Centralising processes in ServiceNow can yield tangible results to prove compliance, and reduce the manual burden of tracking those results.

Example HR Portal Screenshot (Source: https://docs.servicenow.com/bundle/sandiego-employee-service-management/page/product/human-resources/concept/c_UseTheHRSMPortal.html)

 

Improve Customer Data Collection with CSM

We’ve established ServiceNow can assist with a repository of PII, and with adhering to regulations around hiring processes PII, but it can also assist with collecting some of the PII data that comes from customers. This assistance is provided through ServiceNow’s Customer Service Management (CSM) application and portal. While the core functions of the CSM application are to automate workflows around customer service and allow customers to make requests of the org (which are both extremely valuable in and of themselves), the application can also be leveraged to give customers a place to fill out the information you need to collect. That functionality can help alleviate the manual burden of information collection, and in turn, rectify many of the issues associated with manual or poor data collection processes. One such example is data silos. When collecting customer data, siloed data can leave more open areas of exposure, and worse it can lead to data breaches with slow reaction times to them. By centralising data in the ServiceNow platform, we can reduce the number of applications we need to maintain and thus decrease potential vulnerability points. By having customers provide data directly into the platform with the CSM application, we can take that a step further by limiting middle-man collection or the aforementioned manual collection and input. Along those same lines, once that data is no longer siloed, we can leverage ServiceNow base platform capability to tackle other common issues with data collection like weak passwords or too broad access (by setting password policies and managing roles). Bringing us full circle, remember we can also then an associate that collected data to the applications which will need to process it, allowing our privacy team to then assess the appropriate controls against relevant applications or services.

 

Parting Words

Hopefully, this has helped display how ServiceNow is tackling some key areas of concern for Privacy Managers. Data repository management, Human Resources, and Customer Service data are all key areas of concern that the ServiceNow platform can help alleviate. And while these are awesome features, they are certainly not all that ServiceNow has to offer. With industry-leading applications in IRM (Compliance, Risk, Audit, Privacy, and more) and Security Operations (Vulnerability Response, Security Incident Response, and more) ServiceNow can actually handle the entirety of your Privacy Management and Compliance needs. There’s power in breaking down silos and standardising processes in one platform, and ServiceNow is a great choice to help realise that power. So, fortunately, even as the number of regulations and challenges Privacy teams face grow, there is technology out there that can be leveraged to offset that.

Stay tuned for additional materials on how Thirdera and ServiceNow are making it easier for you to comply with regulations. In the meantime, talk to one of our ServiceNow experts to hear how we can help you realise your Privacy Management goals.