General Data Protection Regulations (GDPR) are fully enforceable and hefty financial penalties are hitting those who do not meet the requirements. Yet as a managed service provider (MSP), you may still be unaware of the full implications. Many mistakenly believe that GDPR impacts only consumer internet companies. In reality, any MSP with clients who deal with EU resident data are required to comply.
There is good news. The current atmosphere is not just one of avoiding fines, but one of opportunity. As many companies are scrambling to meet GDPR requirements, MSPs and value-added resellers (VARs) can play an important role as partners. By helping your customers navigate the soon-to-be implemented regulations, you can not only offer protection with compliance, but can work towards building long-term relationships that outpace competition.
Getting an Edge With GDPR Compliance
Meeting GDPR requirements is not merely a trifle. Data storage, erasure processes, access and availability are all strictly regulated. Given the complexity, many small and medium business will likely require external help to deal with compliance. This opens new opportunities for MSPs. Through the education of your business customers around the extent of the regulations and how they will impact business procedures to the documentation requirements, creating an overall compliance program empowers your customers to take a holistic approach to securing data.
Having a solid game plan for GDPR is not only a defensive strategy to hold onto existing customers, but also an offensive strategy to win new ones. In the years ahead, GDPR compliance will be one of the top criteria in picking a new vendor or in continuing a relationship with an existing vendor. Hence, any MSP that doesn't comply will not only fail to win new EU customers but risk losing existing customers as they scale.
How to Handle GDPR as an MSP
As a first step, you should develop a high level of awareness on GDPR’s specific requirements and how they pertain to your customers. For example, start by identifying customers who deal with any EU-related user data and understand what services are impacted by GDPR. Providing customers with resources on how to best prepare can serve both ends.
GDPR entails regulations that go beyond simply securing user data including user consent, breach notification, right to access, right to be forgotten and data portability. Digging a little deeper, a "right to access" means that EU-citizens will enjoy the ability to request access to any information companies possess relating to them, while a "right to be forgotten" allows them to request the deletion or anonymization of any data companies possess relating to them. And similarly, "data portability" requires that companies provide a copy of data for use elsewhere. These are all areas where an MSP may be involved in meeting the new requirements.
Simultaneously, you need to ensure that you can provide compliance by closely examining any regulations. For example, if you host any EU-related user data, you are likewise required to meet all GDPR requirements. Under the new law, you will be classified as "data processors" if you handle any personally identifiable information (PII) of EU citizens. While this sort of data processing had previously been covered under contracts, GDPR overrides contractual agreements and puts liability back on MSPs and other service providers.
GDPR Compliance as a Long-Term Strategy
GDPR is expected to have longevity and other countries might follow with similar regulations. Therefore now is the time to consider making long-term investments in both tools and training for your team. Instead of focusing on temporary band-aid solutions, consider migrating to a stable GDPR-compliant platform that is committed to supporting current and evolving privacy regulations.
Instead of looking at GDPR requirements as a hassle to be dealt with, the features provided with compliance can be viewed as value-adds to both your existing and potential customers.