On May 25th, GDPR becomes enforceable law. Even though it’s a European law, there’s a good chance it will apply to your business, too. We reached out to GDPR consultant Ale Brown of Kirke Management Consulting, to write this guest post to provide you with the information you need to know about GDPR.
The General Data Protection Regulation (GDPR) has been a topic of interest for the last year or so among organizations that collect or store personal data from residents of EU countries. The law will be enforceable beginning May 25, 2018. Here’s what you need to know right now:
- Your company probably has legal obligations under GDPR
- It does not matter where your company is located
- The penalties for non-compliance are severe: administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher
In a 2017 survey of outsourced IT service providers in the UK, 60% identified GDPR as the biggest challenge to organizational IT plans in the next 3 years. Even among European MSPs, readiness is incomplete. Among non-European MSPs, readiness for most is non-existent at this point. The time to get your MSP ready is now.
GDPR in a nutshell
The General Data Protection Regulation is the new data protection law enacted by the EU that comes into effect on May 25, 2018. It replaces the 1995 Data Protection Directive, and because it is a regulation rather than a directive it applies directly in every member state without separate national implementing laws. GDPR is built around the rights of the individual (the "data subject") and applies to any organization, anywhere, that processes personal data about individuals who are in the EU. Note that the test is where the individual is, not their citizenship or residence status.
Does GDPR apply to you or your customers?
If you are a business that is not headquartered in the EU, how will you know whether you need to comply with these regulations? The answer is straightforward. If you fall under one of these three categories, you will have to comply:
1. You have an establishment in the EU (an office, branch or subsidiary)
2. You don't have an establishment in the EU but you offer goods or services, paid or free, to individuals in the EU
3. You don't offer goods or services but you monitor the behavior of individuals in the EU (for example, tracking their online activity)
If you are an MSP that falls into one of these categories, you have obligations under GDPR as a controller for the personal data you collect for your own purposes (your own customer, prospect and employee records). If you do not fall into any of these categories but one or more of your customers do, you will still have to comply, because you will be handling that personal data on their behalf and will be considered a processor under GDPR. Most MSPs are both at once. These terms are easy to confuse, so let's unpack them a bit, to help you understand what obligations exist for each.
Controllers and processors
The difference between a controller and a processor is who decides why and how the personal data is processed. A controller determines the purposes and means of processing; a processor processes personal data on the controller's behalf and only on its documented instructions. If you collect data directly about your own customers, or about the individual staff at your corporate customers (names, work email addresses, phone numbers all count as personal data), you are a controller for that data. If your clients collect personal data about their own customers or staff, but you are responsible for storing, backing up or otherwise handling it, you are a processor for that data. Remember that GDPR protects natural persons only: data about a company is not personal data, but data about the people at that company is.
If you or your customers need to comply, what do you need to do now?
GDPR encourages a risk-based approach where you need to decide how to approach implementing safeguards and processes. Don’t forget that GDPR is not only about cybersecurity, but it is a framework that requires technological, legal and operational solutions to ensure compliance.
These are a few of the things that you need to keep in mind:
- What kind of personal data is being collected? There are different "degrees" of sensitivity. The risk level is different if you are collecting an email address vs. collecting health data, and "special category" data (health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation) may only be processed under the stricter conditions of Article 9.
- Are you transferring data to a country outside of the EU? Has that country received an adequacy decision from the European Commission? If not, what safeguards (for example, standard contractual clauses or binding corporate rules) do you have in place to ensure a lawful transfer and continued protection of the personal data?
- Since you are an MSP, most likely you are processing personal data on behalf of another company. Article 28 requires a written contract between controller and processor that sets out the subject matter, duration, nature and purpose of the processing and commits the processor to act only on documented instructions, keep the data confidential, implement appropriate security measures, obtain approval before engaging sub-processors, assist the controller with data subject requests and breaches, and delete or return the data at the end of the contract. Review your current agreements and ensure that they contain these provisions.
- Are you transparent in explaining to individuals what data you collect from them, how you use it, and for how long? Do you rely on their consent? If you do, that consent must be freely given, specific, informed and unambiguous, and withdrawing it must be as easy as giving it. You will need to record when they give you consent and, equally important, when they take that consent away. For your customers, it's most likely you will have to help them with this.
- Do you need a Data Protection Officer or an EU representative? These are two different roles. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data; otherwise it is recommended rather than required. Separately, an organization with no establishment in the EU that falls under GDPR generally must designate a representative in the EU, someone "on the ground" whom data subjects and data protection authorities can contact. Either way, your MSP should have a structure in place to handle requests from individuals and regulatory bodies.
How to best prepare yourself and your clients to be ready for GDPR
It’s important to discuss GDPR with your clients, in order to determine what exposure and obligations you have.
- Understand your data. Identify and justify the purposes you are collecting it for, how long you are keeping it, where it resides and how sensitive it is.
- Work on your communication to individuals. Review your privacy notice and ensure it includes the information required by GDPR, provide specific information at the time of collection, ensure that you receive and document consent where needed.
- Review your processes to respond to individual requests. Ensure you are equipped to respond to requests to access, rectify, erase, port, restrict or object to the processing of data without undue delay and in any case within one month of receipt (extendable by a further two months for complex or numerous requests, provided you tell the individual why within the first month).
- Review third-party contracts. Ensure that your contracts with the organizations with which you exchange data incorporate GDPR principles into their language.
- Adopt a data protection by design culture. Ensure that reviews of data protection requirements happen up front when developing a new product or service. Perform data protection impact assessments. Create awareness in your organization of data protection principles.
- Develop a clear protocol for incident response. Be trained, and equipped with SOPs to handle privacy breaches. A controller must notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it where the breach is likely to pose a risk to individuals, and a processor must notify the affected controller without undue delay, so your runbook needs to cover both detection and the notification chain.
- Identify your lead supervisory authority. Designate a Data Protection Officer, or at least a named privacy contact, who can be the main point of contact for regulatory agencies on matters of data privacy. Ensure that this person is familiar with GDPR and its best practices.
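Two of the items above, recording when consent is given and taken away, and answering individual requests for their data, come down to keeping an accurate, append-only record of consent per individual and per purpose. The following is an added illustration, not code from the original post, from Kirke Management Consulting, or from IT Glue; the subject identifiers, purposes, notice versions and timestamps are constructed sample data, and the class and method names are this example's own. It records grants and withdrawals as immutable events, answers "did this person consent to this purpose at this time?" (the most recent event wins, and no event means no consent), lists who currently consents to a purpose, and produces one individual's full consent history for an access request.

```python
"""Consent ledger: an added illustration, not IT Glue or Kirke code.
All identifiers, purposes, versions and timestamps below are constructed."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # pseudonymous identifier for the individual
    purpose: str           # the specific purpose consented to, e.g. "marketing_email"
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime           # timezone-aware timestamp of the event
    notice_version: str    # version of the privacy notice shown at the time
    source: str            # channel through which the consent was captured


class ConsentLedger:
    """Append-only log of consent events; nothing is ever updated or deleted."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        # Refuse naive timestamps: comparing them across time zones is ambiguous.
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Consent state of one subject for one purpose at time `at`.

        The most recent event at or before `at` wins, so a withdrawal after a
        grant revokes it and a later re-grant restores it.  No event at all
        means no consent: silence is never treated as agreement.
        """
        at = at or datetime.now(timezone.utc)
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if e.subject_id == subject_id and e.purpose == purpose and e.at <= at:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.granted

    def subjects_consenting(self, purpose: str,
                            at: Optional[datetime] = None) -> List[str]:
        """All subjects whose consent for `purpose` is in force at time `at`."""
        subjects = {e.subject_id for e in self._events if e.purpose == purpose}
        return sorted(s for s in subjects if self.has_consent(s, purpose, at))

    def history_for_subject(self, subject_id: str) -> List[Dict]:
        """Full consent history of one subject, e.g. to answer an access request."""
        events = sorted((e for e in self._events if e.subject_id == subject_id),
                        key=lambda e: e.at)
        return [{**asdict(e), "at": e.at.isoformat()} for e in events]


def utc_ts(y: int, m: int, d: int, hh: int = 0, mm: int = 0) -> datetime:
    """Helper for building timezone-aware UTC timestamps."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: two subjects, two purposes, one withdrawal."""
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("subj-001", "marketing_email", True,
                               utc_ts(2018, 5, 25, 10, 0), "v1", "web-signup-form"))
    ledger.record(ConsentEvent("subj-001", "usage_analytics", True,
                               utc_ts(2018, 5, 25, 10, 0), "v1", "web-signup-form"))
    ledger.record(ConsentEvent("subj-002", "marketing_email", True,
                               utc_ts(2018, 5, 26, 14, 30), "v1", "support-ticket"))
    # subj-001 later clicks "unsubscribe": recorded as a withdrawal, not a deletion,
    # so the original grant and the date it ended both remain provable.
    ledger.record(ConsentEvent("subj-001", "marketing_email", False,
                               utc_ts(2018, 6, 1, 9, 0), "v1", "unsubscribe-link"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.has_consent("subj-001", "marketing_email", utc_ts(2018, 5, 30)))  # True
    print(ledger.has_consent("subj-001", "marketing_email", utc_ts(2018, 6, 2)))   # False
    print(ledger.subjects_consenting("marketing_email", utc_ts(2018, 6, 2)))       # ['subj-002']
    for row in ledger.history_for_subject("subj-001"):
        print(row)
```

The point-in-time query matters because a regulator or complainant will ask whether consent was in force when a particular email was sent, not whether it is in force today; keeping withdrawals as events rather than deleting the grant is what lets you answer that. The `notice_version` and `source` fields are there so that, if your privacy notice changes, you can find every consent obtained under the old wording and decide whether it still covers the new processing.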
GDPR as a business opportunity
GDPR is an ongoing obligation for both you and your clients. The reality is that outside of Europe, very few MSPs are going to be fully capable of helping their clients meet GDPR requirements. There is an opportunity to gain first-mover advantage by developing an understanding of GDPR requirements, and how to build them into your clients’ IT environments. From cookies to encryption to data protection to having the ability to scrub data on demand, there are several different things your clients will need from you in order to be compliant. The more you can offer, the bigger the opportunity you’ll have to build new client relationships and strengthen existing ones.
IT Glue and GDPR
- IT Glue acts as a data processor for its clients. We’ve mapped out everywhere your data exists and how it moves throughout our systems.
- We’ve taken a very deliberate approach to respecting our clients’ privacy. We only collect the data we need at any point to provide the promised services.
- We categorize the data we collect and receive in two ways: Personal Data and Subscriber Data.
- We only collect the minimum required Personal Data. This includes your registration information and email addresses for user provisioning. Other Personal Data, such as IP addresses, are collected in our logs for troubleshooting and audit purposes.
- Subscriber Data, the data about your customers that you upload and enter into IT Glue, is yours. While we host it for you, you retain control over its security and privacy at all times. Subscriber Data is only shared with third parties if you have enabled integrations through IT Glue.
To learn more about preparing your MSP for GDPR, contact Kirke Management Consulting at https://kirke-consulting.com/
To learn how to increase your value as a trusted security advisor for your clients through GDPR and more, check out our popular SECaaS webinar.
Author: Ale Brown,
Founder and Principal Consultant, Kirke Management Consulting
With assistance from: