With the start date for the General Data Protection Regulation (GDPR) enforcement just around the corner, Managed Service Providers (MSPs) worried that they’ve missed the moment to position themselves as providers of services around GDPR compliance should know that this isn’t the case – in fact, the time is right.
GDPR enforcement begins 25 May 2018, but a large number of companies affected by the new regulation still aren’t aware of it, or not as aware as they need to be to comply successfully without assistance. In the UK, 95% of companies are SMEs. These are organisations that largely do not have the robust internal IT capabilities necessary to implement the data protections that GDPR requires, and they will therefore need to rely on MSPs that have cultivated the right technologies and expertise to do so. In this way, GDPR presents an opportunity to expand and strengthen business relationships with SMEs, and MSPs can capitalise on it by prioritising the delivery of effective GDPR-related tools and services.
Here are three steps for MSPs to take in developing their abilities to serve clients with GDPR compliance needs:
1) Acquire the subject knowledge to be a responsible MSP and differentiate as a provider.
Compliance with GDPR – and remaining on the good side of regulators – is all about reducing risk wherever possible and demonstrating that effective measures are in place. At its heart, GDPR is an effort to change the culture within companies, such that data privacy and security are treated as much more critical concerns (rightly so) in the everyday practices of conducting business.
As most MSPs are already well aware, it’s not uncommon for an MSP to understand and worry about customers’ systems more than the customers themselves do. This discrepancy is a feature for clients, who want peace-of-mind-as-a-service, especially in the face of regulations like GDPR that carry devastating fines for non-compliance. At the same time, MSP-client relationships are based on trust, which the experience of a data breach can destroy. Serving clients as the consummate expert on GDPR can both differentiate an MSP’s offerings and help give shape to the relationship-defining trust that the MSP delivers.
Gaining this expertise means developing an understanding of Cyber Essentials, the UK government’s cyber security standard against which organisations can be assessed and certified. It also means understanding the role and activities of the Information Commissioner’s Office (ICO), the UK’s independent authority tasked with upholding information rights and individual data privacy. In this way, an MSP can obtain and act on the know-how to handle data properly and mitigate risk under the law, so that clients don’t have to. This opportunity is accentuated by the fact that the ICO takes a pragmatic approach to GDPR, setting guidelines that welcome the use of the generic and infrastructural data protection solutions that MSPs are best suited to offering.
Delivering the effective data privacy protections that GDPR calls for not only bolsters the reputation of the MSP that does so; it also fulfils an MSP’s responsibility to protect the reputation of the technology industry as a whole, as well as the personal data of individuals. For MSPs, taking the initiative to help transform the data handling practices and culture of the SMEs they serve is both an obligation and an opportunity.
2) Assemble the correct technology portfolio.
Safeguarding private data within the guidelines of GDPR requires a layered approach to security. GDPR grants a number of individual privacy rights, such as the right of access, the right to restriction of processing, and the right to data portability, all of which call for a high degree of control over data. GDPR also demands a level of data security appropriate to the risk, taking into account the costs of implementing measures and the nature, scope, context and purposes of processing data.
Encryption of personal data is an essential capability for MSPs in complying with GDPR, especially considering that in most cases the SMEs that an MSP must protect will store data on laptops and other mobile devices. Proof of encryption and the ability to remotely eliminate and/or quarantine data go a long way in demonstrating to the ICO that effective measures are in place if and when a data breach occurs and must be reported. Remember that if data on a compromised device is inaccessible and/or encrypted and unreadable, the data itself is not compromised and the event isn’t truly a data breach. For this reason on our own end, we use Beachhead’s SimplySecure as a way of controlling data encryption and remote data wiping (and quarantine) over all devices in use within an SME. Providing additional layers in our portfolio of technology solutions, we use Darktrace for cyber threat analysis, and SonicWALL to help secure SME networks, among other tools.
3) Provide consultancy to educate clients.
Teaching SMEs about the best practices they can follow in achieving strong cybersecurity hygiene is highly beneficial to both complying with GDPR and reaching the desired result of protecting data. As mentioned, an effort to change the cultural expectations and norms around data protection is a major component of GDPR, and this requires an education that MSPs can provide.
The desired cultural shift is analogous to the one that previously occurred around data backups. Years ago, it was common for enterprises to ignore the importance of backing up data; decision makers would say, “We’ve never lost data, so why should we worry?” That mindset is now a relic of the past, and backups enjoy such broad cultural support that they have become standard practice. A similar shift will occur with encryption and other data protection, so that truly effective data security practices become part of the culture and the default way that enterprises conduct business. This shift begins in earnest with GDPR’s requirements and with the leadership of entities like MSPs that can communicate and educate on the importance and benefits of embracing strategies and tactics that get the job done.
GDPR and Cyber Essentials also require that enterprises with more than 250 employees that process the data of 100,000+ individuals have a data protection officer, or Privacy and Compliance Man (PAC MAN), in place to oversee and hold responsibility for maintaining compliant data protections. The idea of MSPs providing this data protection officer as part of their services is an inviting one; however, we’ve discovered that this is a tricky prospect due to legal and insurance requirements that necessitate very careful language defining the MSP’s role in this scenario. Nevertheless, MSPs assisting SMEs with compliance will naturally provide guidance that clients will follow, whatever titles they assume. Opportunities in this area may become clearer as the practices around Cyber Essentials and GDPR enforcement mature.
Finally, some SMEs may look at their options and believe that compliance measures are beyond what they can afford. MSPs should be prepared to advise these potential clients to approach Cyber Essentials and GDPR by doing what can be done, and that simple small steps, cultural changes, and wise decisions can and will save them a lot in the long term.
Durgan Cooper is Managing Director at CETSAT, a UK-based IT service provider of performance, productivity, and protection solutions.