ITIL 4 – Keep it Simple and Practical

April 15, 2019


ITIL 4 – Think and Work Holistically

April 12, 2019

Ten things changed in ITIL 4 (for those who know ITIL v3/ITIL 2011 edition)

April 12, 2019

This list is arbitrary; there are more changes (such as the introduction of new practices like project management or workforce and talent management).

The list then:

  1. BRM is now RM – relationship management now covers all relations with stakeholders, not just with customers
  2. IT Asset Management is now separated from Configuration Management (likewise, Release Management is separated from Deployment Management)
  3. Change Management is now Change Control (underneath, it stays the same)
  4. Organizational Change Management (OCM) is now a practice (more visible since ITIL Practitioner)
  5. CSI Register is now Continual Improvement Register (CIR)
  6. The service lifecycle is gone. Look at the Service Value System and the service value chain activities instead. The service value chain activities are always present in the practices (it's clear how practices contribute value, unlike before with processes for the service lifecycle)
  7. Four dimensions (not unlike COBIT's previous enablers, drawing from People, Process, and Products, and from Service Design's five aspects) are always considered for complete service management
  8. Guiding principles (reviewed from ITIL Practitioner) give explicit guidance (you can check short cartoons on these in previous posts)
  9. Processes and functions are now practices, grouped into general, service management, and technical management: 34 practices. Getting closer to COBIT here too (each practice has activities too)
  10. Incident and known error definitions are simpler and non-ambiguous (yes!)

ITIL 4 – Collaborate and Promote Visibility

March 20, 2019

ITIL 4 – Progress iteratively with feedback

March 18, 2019

ITIL 4 – Start where you are guiding principle

March 13, 2019

ITIL 4 – Focus on Value guiding principle

March 12, 2019


January 31, 2019

This week I went to an event aptly dedicated to “Cyberdefense and cybersecurity”. These topics are fashionable and for good reasons.

The cyber prefix is more and more a reality and needs to enter our lexicon fast. Otherwise, we will soon be swept over by a world under a not so bright new order.

Beyond the obvious fears and calls to action, I captured these, starting from the one I think we all can do something about it:

  • Education – Surprise! Everyone, and especially the youth, has to step up their awareness of the cultural and democratic shift brought by the post-Internet world. I place my bet here, for informed people are wiser. Here's one free online introductory course. Cybersecurity education resources can be found too.
  • Regulation – A need for a network of cooperating institutions from all sectors to bring order to the new wild west, or face being ruled by big corporations as national sovereignty keeps declining. There's hope from the UK. Also, an informative report from ENISA.
  • Artificial Intelligence – Like other disruptive technologies, it did not bother knocking first before entering our lives. Really fast. It is already being used for cyberattacks.


Motivational Passphrase – the quest for a better password

September 8, 2018

Use longer passwords. With 15 characters and avoiding obvious words you’ll be quite safe.

Use an easy way to recall your passwords: use motivational passphrases.

GDPR – Individual’s rights [part two]

October 18, 2017

As seen in the previous post, individuals' rights under GDPR are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

For this post, we will look at the last four listed above (you can check the first ones in the aforementioned post).

The right to restrict processing

Erasure is not always the right (no pun intended) thing to do. When the original reason for processing ends, there may still be a legal obligation to hold that personal data (see picture below).

It's also useful for controllers when data is inaccurate or when the legitimate basis for processing cannot be immediately proven.

[Figure: Manage personal data lifecycle. Source: "GDPR for SAP: How to restrict personal data processing?" by Michael Rakutko]

You will be required to restrict the processing of personal data when:

  • An individual contests the accuracy of their personal data; you should restrict the processing until you have verified the accuracy of the personal data.
  • Processing is unlawful and the individual opposes erasure and requests restriction instead.
  • You no longer need the personal data, but the individual requires the data to establish, exercise or defend a legal claim.
  • An individual has objected to the processing (where it was necessary for the performance of a public interest task or for the purposes of legitimate interests), and you are considering whether your organisation's legitimate grounds override those of the individual.

Examples of methods to restrict processing are given in Recital 67. For instance, you can mark the personal data whose processing is restricted.

Two communication obligations for controllers are:

  • Impacted individuals must be informed by the controller before a restriction on processing is lifted.
  • If you have disclosed the personal data in question to third parties, you must inform them about the restriction on the processing of the personal data (except if it is impossible or involves disproportionate effort to do so).


Processing may be restricted but is still possible when:

  • The individual explicitly consents
  • For establishment, exercise or defence of legal claims
  • For the protection of the rights of another natural or legal person
  • For reasons of important public interest of the Union or of a Member State.
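The post lists the grounds for restriction, the exceptions under which restricted data may still be processed, and two notification duties. As an added example (not part of the original post), the Python below turns those rules into an enforcement check: a record is marked restricted, every read goes through one choke point that only lets the four exceptions through, the restriction cannot be lifted until the subject has been informed, and the list of third-party recipients is returned so the controller can notify them. The record layout, purposes and sample data are constructed for illustration; the article references (GDPR Art. 18 and Art. 19) are the provisions behind the lists above.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Purpose(Enum):
    """Reasons a record might be used. The first four are the exceptions the post
    lists (GDPR Art. 18(2)); the last two are ordinary purposes that a
    restriction blocks. The set of purposes is constructed for this example."""
    CONSENT = "data subject explicitly consented"
    LEGAL_CLAIMS = "establishment, exercise or defence of legal claims"
    PROTECT_OTHERS = "protection of the rights of another natural or legal person"
    PUBLIC_INTEREST = "important public interest of the Union or a Member State"
    MARKETING = "direct marketing"
    ANALYTICS = "internal analytics"


PERMITTED_WHILE_RESTRICTED = frozenset(
    {Purpose.CONSENT, Purpose.LEGAL_CLAIMS, Purpose.PROTECT_OTHERS, Purpose.PUBLIC_INTEREST}
)


class RestrictionError(PermissionError):
    """Raised when code tries to use restricted data for a blocked purpose,
    or to lift a restriction without informing the data subject."""


@dataclass
class PersonalDataRecord:
    subject_id: str
    data: Dict[str, str]
    restricted: bool = False
    restriction_reason: Optional[str] = None
    # Recipients the data has already been disclosed to; kept so the controller
    # can meet the duty to inform them of the restriction (GDPR Art. 19).
    disclosed_to: List[str] = field(default_factory=list)


def restrict_processing(record: PersonalDataRecord, reason: str) -> List[str]:
    """Mark the record as restricted and return the third parties to notify."""
    record.restricted = True
    record.restriction_reason = reason
    return list(record.disclosed_to)


def lift_restriction(record: PersonalDataRecord, subject_informed: bool) -> None:
    """Lift the restriction only after the data subject has been informed."""
    if not subject_informed:
        raise RestrictionError("inform the data subject before lifting the restriction")
    record.restricted = False
    record.restriction_reason = None


def may_process(record: PersonalDataRecord, purpose: Purpose) -> bool:
    """Storage is always allowed; any other use of a restricted record needs
    one of the permitted exceptions."""
    return (not record.restricted) or purpose in PERMITTED_WHILE_RESTRICTED


def process(record: PersonalDataRecord, purpose: Purpose) -> Dict[str, str]:
    """Single choke point through which every consumer reads the data."""
    if not may_process(record, purpose):
        raise RestrictionError(
            f"{record.subject_id}: {purpose.name} blocked ({record.restriction_reason})"
        )
    return record.data


def demo() -> List[str]:
    """Walk one constructed record through restriction and back; returns the
    recipients the controller must notify about the restriction."""
    rec = PersonalDataRecord(          # constructed sample, not real personal data
        subject_id="subject-0001",
        data={"name": "A. Example", "postal_code": "0000-000"},
        disclosed_to=["mailing-house", "partner-crm"],
    )
    process(rec, Purpose.MARKETING)                       # allowed before restriction
    to_notify = restrict_processing(rec, "subject contests accuracy of postal_code")
    try:
        process(rec, Purpose.MARKETING)                   # now blocked
    except RestrictionError:
        pass
    process(rec, Purpose.LEGAL_CLAIMS)                    # still allowed: listed exception
    lift_restriction(rec, subject_informed=True)          # accuracy verified, subject told
    return to_notify


if __name__ == "__main__":
    print("third parties to notify:", demo())
```

The design point is that the restriction flag is useless if consumers read the data directly from storage; routing every read through `process()` is what makes the marking enforceable, and keeping `disclosed_to` on the record is what makes the third-party notification duty checkable rather than a matter of memory.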

The right to data portability

The data subject has the right to receive the personal data he/she has provided to a controller.

The personal data must be in a structured, commonly used and machine-readable format (the ICO gives the ubiquitous CSV format as an example), and the data subject has the right to transmit those data to another controller without hindrance from the controller to which the personal data were provided.

This right applies when these two conditions are met:

  1. The processing is carried out by automated means
  2. The processing is based on consent given by an individual or it is necessary for the performance of a contract

The individual may request that the controller sends the personal data directly to another organization (if technically feasible). Note that the controller does not have to adopt or maintain processing systems that are technically compatible with other organizations.

Data portability is a new right under GDPR.


Data portability does not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.

The right to object

The data subject has the right to object when processing relates to:

  • Legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
    • unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
  • Direct marketing (including profiling)
    • In this case, the right to object should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
  • Scientific/historical research and statistics
    • unless the processing is necessary for the performance of the task carried out for reasons of public interest.

If this processing is carried out online, then the controller must offer a way for individuals to object online.

Rights in relation to automated decision making and profiling

GDPR includes safeguarding individuals against the risk that a potentially damaging decision is taken without human intervention.

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” – GDPR, Art.22 (1)

Here we have new rights for the individuals regarding profiling.

Safeguards for the individual

In any case, such processing should be subject to suitable safeguards, which should include:

  • specific information to the data subject and the right to obtain human intervention
  • the right to express his or her point of view and to obtain an explanation of the decision reached after such assessment
  • the right to challenge the decision.

Fair and transparent processing

In order to ensure fair and transparent processing in respect of the data subject (including preventing discriminatory effects on a natural person), the controller should:

  • use appropriate mathematical or statistical procedures for the profiling
  • implement technical and organizational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised


Such automated processing is allowed if one of these is true:

  • it is necessary for entering into, or performance of, a contract between the data subject and a data controller
  • it is authorized by Union or Member State law to which the controller is subject (which also lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests); such authorization may include fraud and tax-evasion monitoring and prevention purposes
  • the data subject gave his/her explicit consent.

Decisions taken from personal data profiling shall not be based on special categories of personal data (e.g. racial, ethnic or religious information) unless:

  • there’s explicit consent from the data subject (except where prohibited by Union law or National Law)
  • or processing is necessary for substantial public interest.

The next topic will address minors' rights.