Three steps MSPs must take to become GDPR compliance experts
MSPs need to position themselves effectively to take advantage of the new regulations
With the General Data Protection Regulation (GDPR) just around the corner, Managed Service Providers (MSPs) that are worried they have missed the moment to position themselves as providers of GDPR compliance services should know that this isn't the case. In fact, the time is right.
GDPR enforcement begins 25 May 2018, but a large number of companies affected by the new regulation are either still in the dark about it or not as aware as they need to be to successfully comply without assistance.
In the UK, 95% of companies are SMEs, organisations that largely lack the robust internal IT capabilities necessary to implement the protections that GDPR requires. They will instead need to rely on MSPs that have cultivated the correct technologies and expertise to do so, although MSPs need to position themselves effectively to take advantage of this.
1) Acquire the subject knowledge
Compliance with GDPR – and remaining on the good side of regulators – is all about reducing risk wherever possible and demonstrating that effective measures are in place. At its heart, GDPR is an effort to change the culture within companies, such that data privacy and security are treated as much more critical concerns in the everyday practices of conducting business.
As most MSPs are already well-aware, it’s not uncommon that an MSP understands and worries about customers’ systems more than the customers do themselves. This discrepancy is a feature for clients, who desire peace-of-mind-as-a-service, especially in the face of regulations like GDPR that carry devastating fines for non-compliance.
MSP-client relationships are built on trust, the basis of which can be destroyed if a data breach is discovered. Serving clients as the consummate expert on GDPR can both differentiate an MSP’s offerings and help give shape to the relationship-defining trust that the MSP delivers.
Gaining this expertise means developing an understanding of Cyber Essentials, the UK’s cyber security standard for which organisations can be assessed and certified, and the role and activities of the Information Commissioner’s Office (ICO), the UK’s independent authority tasked with upholding information rights and individual data privacy.
In this way, an MSP can obtain and execute upon the knowhow to handle data properly and mitigate risk under the law, so that clients don’t have to. This opportunity is accentuated by the fact that the ICO takes a pragmatic approach to GDPR, setting guidelines that welcome the use of the generic and infrastructural data protection solutions that MSPs are best suited to offer.
Delivering effective data privacy protections that GDPR calls for not only bolsters the reputation of the MSP, it also fulfils its responsibility to protect the reputation of the technology industry as a whole. For MSPs, taking the initiative to help transform the data handling practices and culture of the SMEs they serve is both an obligation and an opportunity.
2) Assemble the correct technology portfolio
Safeguarding private data within the guidelines of GDPR requires a layered security approach. GDPR grants a number of individual privacy rights, such as the right of access, right to the restriction of processing, and right to data portability, which call for a tremendous facility of control over data. GDPR also demands a level of data security appropriate to the risk, taking into account the costs of implementing measures and the nature, scope, context and purposes for processing data.
Encryption of personal data is an essential capability for MSPs in complying with GDPR, especially considering that in most cases SME clients will store data on laptops and other mobile devices. Proof of encryption and the ability to remotely wipe and/or quarantine data go a long way in demonstrating to the ICO that effective measures are in place. Remember that if the data on a compromised device is inaccessible and/or encrypted, the data itself is not compromised and the incident shouldn't be considered a breach.
For this reason, we use Beachhead’s SimplySecure as a way of controlling data encryption and remote data wiping (and quarantine) over all devices in use within an SME. Providing additional layers in our portfolio of technology solutions, we use Darktrace for cyber threat analysis, and SonicWALL to help secure SME networks, among other tools.
3) Provide consultancy to educate clients
Teaching SMEs about the best practices they can follow in achieving strong cybersecurity hygiene is highly beneficial to both complying with GDPR and reaching the desired result of protecting data. An effort to change the cultural expectations and norms around data protection is a major component of GDPR, and this requires an education that MSPs can provide.
The desired cultural shift is analogous to the one that previously occurred around data backups. Years ago, it was common for enterprises to ignore the importance of backing up data. However, that mindset has been wholly rendered a relic of the past, and there is such cultural support that backups have become standard practice.
A similar shift will occur with encryption and other data protection, such that truly effective data security practices will be a part of the culture and the default way that enterprises conduct business. This shift begins in earnest with GDPR’s requirements, and the leadership of entities like MSPs that can communicate and educate on the importance and benefits of embracing strategies and tactics that get the job done.
Some SMEs may look at their options and believe that compliance measures are beyond what they can afford. MSPs should be prepared to advise these potential clients to approach Cyber Essentials and GDPR by doing what can be done, and that simple small steps, cultural changes, and wise decisions can and will save them a lot in the long term.
Durgan Cooper is Managing Director at CETSAT