Are MSPs really ready for GDPR?

Any firm operating in the EU, or handling the data of EU residents, needs to ensure it is compliant with the new data protection laws that are in force. If they get it wrong, the fines for noncompliance could be as high as €20m, or four per cent of global annual turnover. For some businesses, including managed service providers (MSPs), this could be the difference between profit and loss.

Some analysts are predicting the total fines will be in the billions if businesses fail to meet their obligations under GDPR. But what about MSPs? Are they really GDPR-ready—and does it offer opportunities to protect their customers? If MSPs are unprepared, they could be in real danger of putting their role of “trusted advisor” to their customers at risk.

Hype and reality

The large fines introduced as part of GDPR may have had the opposite effect to the one intended, and the overwhelming hype surrounding the regulation may have made the issue seem less serious in the minds of those that need to pay the most attention. In fact, there is some scepticism that regulators will fine businesses as much as the rules allow them to.

There have been comparisons of GDPR to the Y2K bug, seen by some as a colossal waste of time and money. This comparison may be relevant, but probably not in the way it was meant. The millennium bug was seen as a lot of hype that led to very little effect, precisely because so much work was put into fixing the bug ahead of the deadline. The lack of a disaster was thanks to the hype, rather than despite it.

Even if this is the case, MSPs must ensure they are GDPR-compliant—regardless of whether the initial effects of the regulation match the hype. Regulators frustrated with a lack of progress could exercise the power to really make GDPR matter.

The state of readiness

Businesses will need to check if they are really prepared for GDPR, and this may include identifying what data they are processing, where their customers’ data is, whether it is legally processed, and whether they can honour a data subject request, including providing information as to what data is processed about the data subject and whether it can be removed.

Personal data is defined by the regulation as any information relating to an identified, or identifiable, living person, and goes further than current data protection laws. There’s no definitive list of what is and what is not considered to be personal data, but it ranges from the obvious, such as bank details, medical records, and biometric data, to less obviously sensitive data that MSPs may collect as a matter of course, such as social media posts or IP addresses.

However, while GDPR can be viewed as a threat, it also has the potential to be an opportunity.

The GDPR opportunity

GDPR is mostly seen as a legal, rather than a technical, concern. However, the lack of visibility of data means there is a need not only to understand how GDPR affects businesses, but also to provide technical solutions to legally process, protect, and manage data, including finding and deleting personal data.

Many MSPs will be, under the definitions of GDPR, considered “data processors”, while their customers may be considered “data controllers”—though the division is not always clear-cut. While processors and controllers are both subject to GDPR, processors are required to process personal data in accordance with the controller’s instructions. In light of GDPR, MSPs will very likely find that their customers will want more details about what data is being processed and how it is being processed.

Part of the shift that has enabled break/fix providers to become MSPs is giving the customer not only technology, but expertise and knowledge to help their customers make the best decisions when it comes to IT. With a good understanding of GDPR and the technical solutions required for compliance, MSPs can be viewed as truly trusted partners.

There is also an opportunity for savvy MSPs that extends beyond simply reacting to their customers’ requests for assistance to be GDPR-compliant. By proactively starting the conversation with their customers, MSPs can use GDPR to have a wide-ranging discussion not just on compliance, but also on data security, risk liability, and everyday best practices when dealing with personal data. Acting as a partner rather than a vendor will make it more likely that customers will turn to you to solve other problems in the future.

Getting ready

MSPs may see GDPR as overhyped. But once you remove the hype, what remains is a set of data protection regulations that describe the best practices all businesses should follow. Even with smaller fines than threatened, businesses need to follow GDPR rules to meet consumer expectations and stay on the right side of the regulation.

MSPs need to ensure they are prepared—by employing IT best practices and control frameworks, having internal roadmaps in place, along with identifying the data they hold and assessing how this data is protected. These things are all key to keeping their role as a trusted advisor. Working with their customers can also help them to be far more resilient against cyberattacks and data breaches—helping increase the customer’s trust and cementing their reputation as a partner.


By Tim Brown, VP Security, SolarWinds MSP
