Is the IT system management manual obligatory?


As of May 25, 2018, due to the entry into force of the GDPR, the previously applicable requirements for the documentation of personal data processing will no longer apply. One of the required documents before the GDPR was the IT system management manual. Should it be prepared now? Should GDPR-compliant documentation contain instructions?

IT system, IT system management and management instruction

An IT system is a collection of elements that process data using a computer. The IT system includes:

  • hardware - usually a computer,

  • software - these are programs that enable the use of a computer, e.g. applications, computer programs,

  • human resources - people dealing with the IT system, e.g. administrators,

  • organizational elements - procedures and instructions for using the IT system.

A helpful document containing guidelines on what conditions should be met by IT systems that are used to process personal data is the Regulation on the documentation of personal data processing and conditions for IT systems (Journal of Laws of 2004, No. 100, item 1024, as amended). This regulation specifies, inter alia, the manner of keeping documentation related to the processed personal data as well as technical and organizational measures for the protection of personal data. This documentation consists of the security policy and the IT system management manual (hereinafter referred to as the "manual").

The GDPR does not require that a document called "IT system management manual", However, you can support such a document in creating documentation in accordance with the GDPR.

IT system management is defined as the methods of dealing with the IT system so that the protection of the data processed in them is properly ensured.

The IT system management manual is a document that confirms that the processing of personal data in IT systems complies with the law.

Should the processing documentation compliant with the GDPR contain an IT system management manual?

The GDPR does not contain specific guidelines on how the documentation of data processing should look like. Here, it leaves the data controllers free as to the form and content of such documentation. The GDPR also does not require documents confirming the protection of processed data to have a specific name or elements. The only requirement posed by the EU regulation in this respect is the ability to demonstrate the application of personal data protection as well as the measures and safeguards that are taken for this purpose and that they comply with the regulations of the regulation.

However, the lack of formal requirements is not tantamount to the lack of the obligation to keep documentation in which the rules and procedures for the processing of personal data would be specified in accordance with the adopted legal, organizational and technical solutions.

Article 24 of the GDPR says that the controller implements appropriate technical and organizational measures so that the processing is carried out in accordance with this regulation and to be able to demonstrate it. These measures are reviewed and updated as necessary. The requirement contained in this article means in practice that the method of data processing, the related procedures, as well as the technical and organizational security measures applied, should be included in the relevant documentation as fulfillment of the obligation to demonstrate that the requirements of the GDPR are complied with.

Summing up, if the IT system management instruction issued before the GDPR came into force meets the proper protection of personal data and meets the requirements of the GDPR, the given instruction can be considered valid. Moreover, the instruction can be extended with new elements, so that the documentation is compliant with the GDPR. This information system management instruction may have any name.

Information on what an IT system management manual may contain

The GDPR does not impose any formal requirements as to the documentation compliant with the GDPR, and even less as to the instructions for managing the IT system. However, if the administrator decides to create such an instruction as a separate document, it is suggested that such a document should contain:

  1. general information about the IT system used in the enterprise,

  2. information about personal data processed by the IT system,

  3. procedures (rules) for granting rights to process personal data, registering these rights in the IT system and the persons responsible for these activities, e.g. who can grant and revoke rights, where the register is kept, rules for assigning an account to the user,

  4. methods, authentication measures and procedures related to their management, e.g. requirements for passwords, logins,

  5. procedures for starting, suspending and terminating work by system users, e.g. a description of activities that should be successively undertaken when starting the IT system and completing work,

  6. procedures for backing up data as well as programs and tools for their processing (e.g. specifying for which data the data will be backed up, type of media on which the backup will be made and software tools and devices to be used for this purpose, backup schedule ),

  7. the method, place and time of storage of electronic information media and backups (e.g. indication of rooms where backups or information carriers are stored, how to protect them against unauthorized access),

  8. the method of securing the IT system against malware (e.g. identifying areas particularly exposed to the interference of computer viruses, risk sources and measures to minimize potential risk, as well as indicating the tools used to protect against malware),

  9. the manner of implementing the requirements for recording information about the shared data (e.g. to whom, when and to what extent the personal data have been disclosed - it is important that the IT system is able to save such information - it is not sufficient to include such information on the information carrier on paper),

  10. procedures for carrying out inspections and maintenance of systems and data carriers (e.g. determining the scope and frequency of inspections and maintenance and the persons authorized to carry them out). In the event that activities are outsourced to persons who do not have authorization to process data (e.g. specialists from external companies), it should be specified how the data controller will supervise these activities.

If the controller uses two IT systems with similar security solutions, it may develop one general IT system management instruction for data processing. If, on the other hand, different security measures are used in two IT systems, then the administrator must draw up separate IT system management instructions.

Start a free 30-day trial period with no strings attached!

Who can access the manual?

The IT system management instruction is implemented by the personal data administrator. The instruction prepared by the administrator should be adopted for use as a mandatory document.

The procedures and guidelines contained in the manual should be made available to those to whom they relate, e.g. instructions on the requirements for computer passwords should be made available to every employee logging on to the computer, and the requirements for granting access permissions only to persons who grant such permissions. .

IT system management and information security management

Finally, it is worth pointing out that IT system management and information security management are independent issues. They are not the same. And they cannot be put in "one bag".

IT system management is aimed at applying appropriate technical or organizational safeguards so that the IT system is not a threat to data security.

In turn, information security management has a broader scope than IT system management. It concerns the protection of all data - not only those stored in the IT system, but also those stored in cabinets, on a desk, etc.