As most of you are hopefully aware, as of May 2018 any organization that handles personal data of a subject in the European Union (EU) must comply with the GDPR.  Don’t mistake this for a regulation that just applies to Europe.  With the internet, there are no boundaries, and as such there are many Asian, Latin American, and US companies that store or process things like credit card transactions, financial information, names, photos, or even social posts of European subjects.  The penalties for non-compliance are high and meeting the compliance standards can be challenging.  Get some quick facts and best practices in this two part series Part I and Part II.


OK, take a breath. You know it’s challenging, so let’s get beyond the sobering reality of the coming of the GDPR and talk about what can be done to help you comply.


The ServiceNow GRC portfolio of applications: Policy & Compliance Management, Risk Management, Audit Management, and Vendor Risk Management provide the spectrum of coverage necessary to help address even the most rigorous regulations (like the GDPR).   When you include Customer Service Management, Security Incident Response, and Performance Analytics can do even more.


Let me give you 9 ways that ServiceNow GRC can help:


1. Import GDPR requirements and description

ServiceNow provides some out-of-the-box content, but also integrates with the Unified Compliance Framework (UCF).  UCF provides over 800 authority documents including GDPR.  A license to import the GDPR content from the UCF Common Controls Hub is required.  ServiceNow GRC can then map the identified GDPR requirements directly into the application, with underlying citation and controls needed for compliance checks and continuous monitoring.


   Policy management

There are many organizational policies associated with the GDPR requirements - existing ones may need to be aligned while others developed.  Some policy examples include: data protection policy, security policy, and code of conduct. ServiceNow GRC full policy lifecycle management includes drafting a policy according to requirements through review, approval, publishing (to a knowledgebase), and retirement stages.  A policy can include in the description the GDPR requirements it is designed to align with.


The VENDOR compliance status ON REGULATORY REQUIREMENTS is reported on the Policy and Compliance dashboard.  The controls status is automatically updated, while issues are automatically created and assigned to the responsible party. Progress is tracked to remediation.


2. Data Protection Impact Assessments (DPIAs)

DPIAs are required to assess processing operations that result in a high risk to data subjects.  Within ServiceNow GRC, data protection assessments can be aligned with data protection policies and underlying requirements.  The internal Assessment Designed can be used to create the assessments, which can then be scheduled.  The compliance status is reported on the Policy and Compliance dashboard.  The controls status is automatically updated, while issues are automatically created and assigned to the responsible party. Progress is tracked to remediation. Vendor/Third Party Risk assessments can be managed through the Vendor Risk Management application and the vendor portal.

GRPR Compliance Hi-Res.png


3. Risk evaluation and management requirements

GDPR requires organizations to appropriately evaluate and manage data protection risk.  The Risk Management application supports a full risk management lifecycle process.  Risk identification and compliance statistics can be made transparent, and a notification can be sent automatically or manually to a Supervisory Authority (SA) at the time of a breach with the associated risks.  Data processing on the information layer with personal data can be implemented.  Pseudonymizing and encryption functionalities from ServiceNow help address compliance requirements.  Finally, ServiceNow GRC provides controls to check Confidentiality, Integrity, and Availability of systems and applications.


4. Audit requirements

ServiceNow Policy & Compliance and Audit Workbench dashboards provide the ability to monitor the global level of compliance to the GDPR.  Audits can be scheduled targeting the organization and its personal data sensitive systems – tracking any corrective actions to conclusion.


5. Data subject requirements

Data subjects have specific rights over the processing of personal data.  You can utilize the ServiceNow Customer Service Management, Vendor Risk Management, and Service Portal to interact with data subjects (e.g. customers, staff, third parties, or contacts), as well as for content, PII amendments, policy announcements, guidelines, etc.


6. Personal data asset requirements

Protecting personal data or information requires the ability to attest to controls, assess risks, and perform audit assurance for the information assets and the systems supporting them.  ServiceNow GRC is unique in that its built on the Now platform, which includes a built-in Configuration Management Database (CMDB) to manage information assets and associate them with other Configuration Items (CIs).  A few of the capabilities to fulfill personal data asset requirements are: managing risks, continuous control monitoring, and data protection impact assessments on information assets as well as on business services or IT CIs.


7. 72-hour breach notification

If a breach has put personal data at risk the Supervisory Authority must be notified within 72-hours with details and the response to the breach outlined.  Security Incident Response        works together with GRC and workflows in the platform to ensure the necessary details are available and communicated effectively.


8. Managing 3rd-party GDPR compliance

Vendor Risk Management provides the means to help you appropriately assess your  3rd-parties to ensure they are providing the appropriate technical and organizational                 measure to ensure the protection of personal data you make available to them.  Vendor Risk uses the unique Vendor Portal to consolidate communicates and facilitate collaboration.


9. Data Protection Officer (DPO) Dashboard

The DPO is the individual in the organization responsible for ensuring compliance and the immediate reporting of breaches.  ServiceNow Performance Analytics and the Service Portal offer the ability to create dashboards specific to your role and responsibility in a matter of minutes, so that information like incidents by location, risk scores, and GDPR compliance is at your fingertips.

DPO for WP.png

The ServiceNow GRC portfolio can help get you on your way to complying with GDPR.  To learn more about best practices or get more details about what I’ve talked about here, read our whitepaper “Preparing for the General Data Protection Regulation” at


View ServiceNow’s commitment to GDPR on our Trust Site