Why U.S.-based MSPs Should Care About Europe’s GDPR
The European Union’s General Data Protection Regulation (GDPR) clock is ticking. GDPR becomes enforceable on May 25, 2018. It is designed to give individuals in the EU control over who has access to their personal data, a term that covers any information relating to an identifiable person: a name, a photo, an email address, social media posts, or the IP address of their computer.
GDPR does not apply only to businesses in the EU. Businesses anywhere in the world, including your managed services clients, must comply if they offer goods or services to individuals in the EU or monitor their behaviour.
In April 2016, the European Parliament, the Council of the European Union, and the European Commission adopted the GDPR, replacing the 1995 Data Protection Directive (95/46/EC).
The regulation requires public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organizations that process special categories of personal data (such as health or biometric data) on a large scale to appoint a data protection officer (DPO), who oversees the organization’s handling of personal data and its compliance with the regulation. GDPR also limits how long personal data may be kept, and it requires that personal data breaches be reported to the supervisory authority within 72 hours of the controller becoming aware of them, and to the affected individuals without undue delay when the breach is likely to put their rights and freedoms at high risk.
GDPR defines a “data controller” as an organization that determines the purposes and means of processing personal data, and a “data processor” as an organization that processes personal data on the controller’s behalf. Consent is one of the lawful bases for processing, and for sensitive personal data (the regulation’s “special categories”) it must be explicit. Consent must also be “unambiguous”: the individual must receive clear, easily understandable information and must give consent by an affirmative action, such as ticking an unchecked box, rather than by silence or a pre-ticked default. Individuals must be able to withdraw consent as easily as they gave it, and they can ask for their data to be erased (the “right to be forgotten”), subject to the regulation’s exceptions, such as data the controller is legally required to retain.
Penalties and Risks
Penalties for failing to comply with GDPR can be severe and apply to both controllers and processors. The maximum fine is 4 percent of worldwide annual turnover or 20 million Euros (roughly $22.4 million USD at the time of writing), whichever is greater, for serious infractions such as processing personal data without a lawful basis or ignoring an individual’s rights. A lower tier, capped at 2 percent of worldwide annual turnover or 10 million Euros, covers violations such as failing to keep records of processing or failing to notify a data breach properly. GDPR also gives individuals who suffer damage from a violation the right to claim compensation from the controller or processor responsible.
Simple math shows that complying with the regulation is a far smarter strategy than ignoring it.
The MSP’s Role
First, channel businesses themselves need to comply with this regulation. If you handle any personal data about individuals in the EU, whether your own or your clients’, GDPR applies to you, and as a processor you carry direct obligations under it, including keeping records of processing, securing the data, and reporting breaches to the controller without undue delay. Expect clients to ask you to sign a data processing agreement, which the regulation requires between a controller and its processors and which spells out your security and breach-notification duties. MSPs that are not compliant risk losing business to competitors that are prepared to handle and store data appropriately on behalf of clients that do business in the EU.
MSPs should also be prepared to take the role of GDPR advisor to their customers. Help them understand how to comply, what the implications are if they don’t, and how the solutions you provide can help.
It is probably not a stretch to say that many of your clients could use help managing data in general, let alone identifying all of the data they hold about individuals in the EU, tracking express consent, and handling opt-outs meticulously.
A survey of IT executives in the UK and U.S. found that as many as a quarter of businesses and organizations may not meet the deadline, which points to high demand in the coming months for compliant solutions and support.
Begin with an evaluation of your clients’ current processes for collecting data and help them build a plan to obtain and document consent. Provide training on the solutions you offer so your clients can be confident they are using them in a GDPR-compliant manner.
Partnering with your clients to comply with this regulation will not only help them protect their business and their reputation, but also solidify your relationship with them as a trusted solution provider. Act now to take advantage of this opportunity; GDPR enforcement will be here before you know it.