GDPR for IT Service Management


GDPR for IT Service Management – Cherwell Blog Article

“We use our Cherwell – ITSM tool for running our support function, how does GDPR affect me?”

“We only use our ITSM tool for tracking customer support calls, it doesn’t come under GDPR does it?”

The answer depends on how you define Personal Data and what you hold in your Cherwell ITSM tool.

What is Personal Data? (under GDPR)

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

What Personal Data do you have in Cherwell?

Every business is different, so the data stored in Cherwell will differ too, but let’s look at the likely candidates.

General Information

  • Name – perhaps even full name
  • Address – might be office address, could even be home address
  • Telephone number – work number, and quite possibly mobile number
  • Department
  • Email address – work email, maybe personal email
  • Work location – may be different from the address above
  • Job Title
  • Position in company, i.e. might be a VIP for example


Sensitive Information

  • Date of Birth
  • Mother’s maiden name
  • Answers to security questions – revealing name of first pet, first child’s name, etc.
  • Passwords – which ‘might’ be the same for other systems (i.e. their email)
  • Employee Number
  • Any other unique identifier


Business Specific Information (examples only – there could be many of these)

  • Bank Details
  • Working Hours
  • Utility meter locations
  • Where to leave parcels
  • System access details
  • Service offerings
  • Prices paid for specific services
  • Usernames

“Ouch, we have at least some of those types of information (data types). Does that mean GDPR applies to us?”

YES, it does.


It also doesn’t matter whether the information relates to external clients/customers or internal employees. It is all still Personal Data.

That’s the data. Is there anything else we need to think about, and can ThebesGDPRAuditing help?

Once you know that you are holding Personal Data you need to start doing something about it.

ThebesGDPRAuditing are able to provide help and guidance around all areas of Cherwell and GDPR and, along with our partners, can provide businesses with a complete end-to-end service ensuring that your systems, processes, and procedures are ready for GDPR.

“But what sort of things should I be looking at?”

  • Somewhere to record all your GDPR activities for accountability
  • Somewhere to log and track requests from data subjects
  • A workflow tool to enable breach reporting within 72 hours
  • A data subject portal so data subjects can see their data, make requests and manage consent
  • A DPO Dashboard so you can see how your organisation is coping with GDPR
  • An Executive Dashboard to keep your main stakeholders up to date
  • Somewhere to record and track all the remediation tasks
  • Somewhere to build a data retention schedule with automatic reminders for removal

“It would be great if I could find a tool that does all of that, but which one?”

Cherwell is the only mainstream ITSM tool that has a comprehensive GDPR module, which provides all the functionality above and more.

ThebesGDPRAuditing have created a Cherwell GDPR Management platform that sits right beside your existing Cherwell implementation and integrates seamlessly, meaning you don’t have to buy a new tool or learn a new way of working.

The ThebesGDPRAuditing GDPR Management platform natively provides a solution for helping you reach compliance with your Cherwell instance, but it also works with the rest of your business.

  1. Why run multiple tools when you can use Cherwell?
  2. What other tools will integrate so well?
  3. What better tool to use than one that is specifically designed for requests, incident tracking, workflow management, building portals, and with audit trails to provide that all-important accountability?

“So, what’s the worst that can happen on the 25th May 2018?”

ThebesGDPRAuditing can help with every aspect of GDPR

See what the GDPR Management platform can provide to help you make GDPR business as usual.

We can also help with many of the other aspects of GDPR and integrate it all into your Cherwell instance:

  • Track what data you are holding
  • Document where it’s coming from and going to
  • Determine who has access to that data and where from
  • Create a security model and define a strategy for your Cherwell instance which:
    • Secures access to the data for only those who need it
    • Prevents your data being stored outside of the EEA zone
    • Redefines contracts for your ITSM providers and hosting partners
    • Restricts access to your data by role, geography, data type etc.
    • Enables data portability
    • Facilitates the right to be forgotten
  • Integrate the GDPR portal with your current one to provide a secure mechanism for all data subjects to maintain data accuracy
  • GDPR audit trails to demonstrate accountability
  • Integrate other systems with the platform to automatically delete selected data at the end of its life – according to the data retention policy

These are just some of the activities you might want solutions for.

“Can my ThebesGDPRAuditing GDPR Management platform tool help the rest of my business with GDPR?”

In short, YES.

GDPR is likely to touch your business in all kinds of ways; your data in Cherwell is one piece of the jigsaw.

But you can talk to ThebesGDPRAuditing and our partners about how we can help you use your ITSM solution to help the rest of your business comply with GDPR.


“So, I really need to sort out my ITSM platform before the 25th May?”

In short, YES.

Partnership with GDPRAuditing


Thebes Group are pleased to announce a partnership with GDPRAuditing to collaborate on a GDPR Solution for Cherwell.

The collaboration is well under way and we are going to be demonstrating the product offering at the Cherwell EMEA Conference 2018, taking place in Reading on the 17th and 18th April. The product will be available through the Cherwell MAPP Store, and will leverage the power of Cherwell to help you comply with the GDPR.

Our application provides a compliance toolkit enabling you to track and service all GDPR requests from data subjects. It includes a portal where data subjects can keep their data up to date and accurate, manage all consents required for your business, and extract their own data for access requests and portability.

Additionally, the compliance dashboards (for your DPO and C-level) provide reports on all data subject activity, manage and track security awareness, log and track data incidents, and include a streamlined mechanism for reporting breaches.

The application facilitates the easy creation, updating, and publishing of privacy notices, along with the creation and tracking of GDPR remediation tasks. The application provides an electronic data retention schedule and a corresponding data asset inventory. All activities are fully logged and tracked for accountability, and SLAs are tracked for time-bound events such as one month for a subject request and 72 hours for reporting a data breach to the ICO.

The product also includes a comprehensive knowledge base covering the GDPR in general and application usage, as well as common template documents you can download and use.

Future releases will have a complete DPIA workflow, a DPO scheduled task list, and data integrations with common and bespoke data sources within your business.

The application has been designed and developed by Thebes and GDPRAuditing to provide a product that is fully aligned with the GDPR and helps you fulfil the responsibilities the GDPR imposes on your organisation.
