GDPR for Managed Service Providers—A Lifestyle Change
Have your clients expressed concern about how to comply with the latest data privacy regulations—particularly the General Data Protection Regulation (GDPR)? More to the point, are they concerned about your ability, as a Managed Service Provider (MSP), to ensure compliance with ever-increasing data privacy regulations? The complexity of navigating these new regulations represents an opportunity for you to add value for your clients by advising them on best practices and implementing optimal solutions in the data systems you manage to ensure compliance.
GDPR affects nearly every company that markets to European Union (EU) citizens. First released in April 2016, GDPR is the set of laws that govern how organizations in the EU handle personal data. Although it is enforced in the EU, GDPR affects companies worldwide, and mandatory compliance has been in effect since May 25, 2018.
So how do these regulations affect you and your clients? And what tools are available to help you with compliance?
What Does GDPR Mean for MSPs?
The most important obligation MSPs have is the security and protection of any Personally Identifiable Information (PII) held in their systems. The next two most important obligations are data protection by design and by default, and the reporting of data breaches.
Data protection by design and default sounds complicated, but it's fairly simple. It means that only the necessary data for each specific purpose can be processed. This applies to the amount of data collected, how much it’s processed and analyzed, the length of time it’s stored, and how accessible it is.
Under GDPR, companies now have only 72 hours to report a data breach. There are substantial consequences for non-compliance, and transparency is a key component. Getting your MSP into compliance requires cooperation, perfecting data collection and processes, and the right technology to make the changes as seamless as possible.
A useful way to think about GDPR compliance is as a personal fitness goal: it’s a lifestyle change, not a one-time accomplishment. You can’t forget about GDPR once you’re compliant; it takes continual work to maintain.
First, clean up your own company and any PII you store.
- Designate a member of your organization as your Data Protection Officer
- Create a Subject Access Request (SAR) and a response process for clients requesting their data
- Develop a Breach Detection and Incident Response Protocol
- Consider including protocols for both your IT department and corporate communications
- Create a Records Usage Policy and the protocol to enforce it
- Design a Right to be Forgotten (RTBF) protocol for both maintenance and auditing
As an MSP, you’re a data processor under GDPR’s definitions. You might not collect customer data, but you process and analyze it. Make sure your systems are always audit-ready and take steps to protect the data you hold. Ultimately, your data is your clients’ data.
SentryOne Tools for GDPR Compliance
SentryOne offers two tools to help you and your clients become GDPR compliant.
LegiTest provides automated data testing. With LegiTest, you can test your new “Right to be Forgotten” protocols and have confidence in the results. You can create and execute tests with validated results from development through production. You can also develop and test scenarios before applying them to the entire system.
DOC xPress creates complete documentation for SQL Server databases. It also allows for the editing of metadata within the system. You can tag PII in your organization and track its lineage with DOC xPress to ensure you’re audit-ready.
Once your organization becomes compliant, consider offering GDPR Assessments and Remediation in your portfolio of services. Share your newfound knowledge with your clients and expand your expertise. Make sure all current and prospective clients know you’re GDPR compliant and their data is both safe and protected.
Data drives our world, and we want our data to be safe and secure. Whether you’re a SentryOne Partner in the EU or you work with EU citizens’ data, it’s imperative your company becomes GDPR compliant. Contact your SentryOne Partner account representative today to learn more about how SentryOne can help your business readiness.
Nick (@nicharsh) is the Senior Vice President of Strategic Alliances and Channels for SentryOne and is responsible for leading the SentryOne Global Partner Network. Prior to joining SentryOne, Nick was Vice President of National & Strategic Accounts for Dictaphone - Healthcare Division. Previous experience includes sales management positions with Computer Associates, NEC Computer USA, Tegra Varityper, and Heath/Zenith Computer Systems. Nick holds a BA degree in Economics from University of Dayton in Dayton, OH.