GDPR for IT Service Management – Cherwell Blog Article

“We use our Cherwell – ITSM tool for running our support function, how does GDPR affect me?”

“We only use our ITSM tool for tracking customer support calls, it doesn’t come under GDPR does it?”

The answer really depends on how you define Personal Data and what you have in your Cherwell ITSM tool.

What is Personal Data? (under GDPR)

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

What Personal Data do you have in Cherwell?

Every business is different and the data stored in Cherwell is also therefore going to be different, but let’s look at the likely candidates.

General Information

  • Name – perhaps even full name
  • Address – might be office address, could even be home address
  • Telephone number – work number, and quite possibly mobile number
  • Department
  • email address – work email, maybe personal email
  • Work location, may be different to address above
  • Job Title
  • Position in company, i.e. might be a VIP for example


Sensitive Information

  • Date of Birth
  • Mother’s maiden name
  • Answers to security question – revealing name of first pet, first child’s name etc. etc.
  • Passwords – which ‘might’ be the same for other systems (i.e. their email)
  • Employee Number
  • Any other unique identifier


Business Specific Information (examples only – there could be many of these)

  • Bank Details
  • Working Hours
  • Utility meter locations
  • Where to leave parcels
  • System access details
  • Service offerings
  • Prices paid for specific services
  • Usernames

“Ouch, we have at least some of those types of information (data types). Does that mean GDPR applies to us?”

YES, it does.


It also doesn’t matter whether the information is relating to external clients/customers or internal employees. It is all still Personal Data.

That’s Data, is there anything else we need to think about, and can ThebesGDPRAuditing help?

Once you know that you are holding Personal Data you need to start doing something about it.

ThebesGDPRAuditing are able to provide help and guidance around all areas of Cherwell and GDPR, and along with our partners can provide businesses with a complete end-to-end service, ensuring that your systems, processes, and procedures are ready for GDPR.

“But what sort of things should I be looking at?”

  • Somewhere to record all your GDPR activities for accountability
  • Somewhere to log and track requests from data subjects
  • A workflow tool to enable breach reporting in 72 hours
  • A data subject portal so data subjects can see their data, make requests and manage consent
  • A DPO Dashboard so you can see how your organisation is coping with GDPR
  • An Executive Dashboard to keep your main stakeholders up to date
  • Somewhere to record and track all the remediation tasks
  • Somewhere to build a data retention schedule with automatic reminders for removal 

“It would be great if I could find a tool that does all of that, but which one?”

Cherwell is the only mainstream ITSM tool that has a comprehensive GDPR module, which provides all the functionality above and more.

ThebesGDPRAuditing have created a Cherwell GDPR Management platform that sits right beside your existing Cherwell implementation and integrates seamlessly, meaning you don’t have to buy a new tool or learn a new way of working.

The ThebesGDPRAuditing GDPR Management platform natively provides a solution for helping you reach compliance with your Cherwell instance, but it also works with the rest of your business.

  1. Why run multiple tools when you can use Cherwell?
  2. What other tools will integrate so well?
  3. What better tool to use than one that is specifically designed for requests, incident tracking, workflow management, building portals, and with audit trails to provide that all-important accountability?

“So, what’s the worst that can happen on the 25th May 2018?”

ThebesGDPRAuditing can help with every aspect of GDPR

See what the GDPR Management platform can provide to help you make GDPR business as usual.

We can also help with many of the other aspects of GDPR and integrate it all into your Cherwell instance:

  • Track what data you are holding
  • Document where it’s coming from and going to
  • Determine who has access to that data and where from
  • Create a security model and define a strategy for your Cherwell instance which:
    • Secures access to the data for only those who need it
    • Prevents your data being stored outside of the EEA zone
    • Redefines contracts for your ITSM providers and hosting partners
    • Restricts access to your data by role, geography, data type etc.
    • Enables data portability
    • Facilitates the right to be forgotten
  • Integrate the GDPR portal with your current one to provide a secure mechanism for all data subjects to maintain data accuracy
  • GDPR audit trails to demonstrate accountability
  • Integrate other systems with the platform to automatically delete selected data at the end of its life – according to the data retention policy

These are just some of the activities you might want solutions for.

“Can my ThebesGDPRAuditing GDPR Management platform tool help the rest of my business with GDPR?”

In short, YES.

GDPR is likely to touch your business in all kinds of ways; your data in Cherwell is one piece of the jigsaw.

But you can talk to ThebesGDPRAuditing and our partners about how we can help you use your ITSM solution to help the rest of your business comply with GDPR.


“So, I really need to sort out my ITSM platform before the 25th May?”

In short, YES.