
GDPR compliance requirements: Deadline looms for MSPs, CSPs

When the European Union's data privacy legislation goes into effect in less than six months, service providers will be working in a new world of GDPR compliance requirements.

The clock is ticking, with about six months left for IT services providers to take the steps needed to protect the personal data of individuals in the European Union.

That deadline stems from the General Data Protection Regulation (GDPR), a legislative act that takes effect May 25, 2018. If you're an IT provider and unsure how the GDPR compliance requirements will affect you, what you need to know is this: GDPR is designed not only to standardize data protection for individuals in the EU, but also to reshape the way European companies organize and approach data privacy across the region.

"GDPR will create a very big internal debate in the IT channel about how IT service providers can and should be delivering their services," said Charles Weaver, CEO at MSPAlliance. "Frankly that's going to be one of the best outcomes of GDPR -- the self-reflection it will force."


Managed service providers (MSPs) and cloud service providers (CSPs) should also know that under GDPR they'll be classified as "data processors" if they host, sort, organize or otherwise manage personal data on behalf of a customer: names, photos, email addresses, bank details, posts on social networking websites, medical information or any other personally identifiable information (PII). Under the regulation not only are these companies responsible for data compliance, but they can be held liable if a data breach occurs, explained Robert Scott, managing partner at Scott & Scott LLP.

In the past, whether or not the IT services provider would be responsible for PII has been determined by the contract between the IT services provider and the organization it signed an agreement with. Under GDPR, however, liability for data breaches will change across the European jurisdiction.

"What's different under GDPR is that the regulations, to the extent that they can reach to the IT service provider, make the IT service provider subject to the regulation imposing legal responsibilities that would be in addition to what was previously obtained under the contract between the service provider and the customer," Scott said. "You cannot outsource your way out of the reach of GDPR."

GDPR compliance requirements: The right to erasure

Further complicating an IT services provider's engagement with EU companies is GDPR's right to erasure clause, also referred to as the right to be forgotten, which gives individuals in the EU the right to ask companies such as banks, retail firms and insurance companies to scrub their names and personal information from their data systems.


"There are a lot of technical and legal challenges related to the right to be forgotten," Scott said. "While GDPR deals with the obligation for the right to be forgotten it doesn't dictate, for example, whether the company would have to pay the IT service provider to provide services in response to the regulation or who would bear the cost of any risk of regulatory action. All of that is subject to negotiation on a deal-by-deal basis."

Then there are the financial penalties. For the most serious infringements, including failures that lead to a breach of personal data, companies responsible for that data can be fined as much as €20 million or 4% of global annual turnover, whichever is higher. How much a company will pay will be determined on a case-by-case basis.

A consulting gig for IT services providers

Interestingly, the need to protect PII and to avoid GDPR fines is creating a variety of opportunities as IT services providers and consultants help clients prepare for the regulation.

As cloud vendors such as Microsoft Azure and Amazon's AWS continue to expand cloud operations and secure new clients in Europe, MSPs and CSPs will have to prepare their clients for GDPR, understanding their clients' data landscape and architecting solutions that incorporate GDPR governance and compliance, said Tony Connor, EMEA marketing director at Datapipe, an MSP that recently merged with Rackspace. Datapipe operates data centers in several locations, including New Jersey, California, Moscow, Amsterdam, London, Shanghai and Singapore.


"From a CSP or MSP perspective we really need to start ensuring that our clients understand the internal processes and practices that we have put in place to protect personal data," Connor said. "Most of those processes and practices really relate to information security management."

He suggested that many CSPs and MSPs may already have a head start on GDPR compliance requirements: for example, providers that hold data security and risk management certifications or attestations such as ISO 27001, SOX Section 302 or PCI DSS, or that already help healthcare clients comply with the Health Insurance Portability and Accountability Act (HIPAA), which governs patient data privacy and security.

Furthermore, many channel partners have implemented security software that identifies, monitors and protects data from security threats and provides operational risk management for their clients.

And as the cloud computing footprint expands across different geographic regions, global IT providers have an opportunity to emphasize their worldwide capabilities to European companies transferring PII data across different markets for different reasons, Connor said. In short, the ability to manage multiple compliance regimes is a worthwhile attribute to have.

"If you are an organization located in Europe, China is a huge market," Connor said. "And if you are looking to expand into China and you are looking at where you want to store data, how you want to transfer data and all of those complex inter-management and security issues, you probably want to look for an MSP or a CSP that has credibility and experience and facilities within those regions to help you comply with GDPR," Connor said.

One cloud vendor that's prepping channel partners to help customers with GDPR compliance requirements is Microsoft. Diana Pallais, director of Office 365 partner marketing at Microsoft, said Microsoft 365 partners can help with the implementation of a technology plan, as well as with the people and process aspect of GDPR compliance. 


"Our customers will need partners to assess their own readiness, [as well as] devise and implement a plan," Pallais said. "All of this is possible only if partners mobilize to stand up a formal GDPR practice and if they themselves are compliant with the regulation."

Pallais added that Microsoft provides tools that can help partners comb through their clients' data to identify, sort and organize PII, develop classification data models and apply policies and data governance. Partners can also use the tools to offer services that monitor PII for security threats.

Establishing data protection officers

She also said partners can assist with GDPR's call for certain organizations to create a data protection officer (DPO) position.

"Since this is something that can be outsourced, partners can also offer to serve as DPO-for-hire or train and support DPOs as they are appointed," Pallais said.

Gary Southwell, vice president and general manager at CSPi, a security solutions company based in Lowell, Mass., warned that if an organization outsources the DPO position to an IT services provider, the arrangement will only work if the provider is also empowered to enforce security and management policies across the network. The job is harder still under GDPR's breach notification requirement, which obliges a data controller to notify its supervisory authority within 72 hours of becoming aware of a personal data breach, and a processor to notify the controller without undue delay.

"IT providers and their clients have to sign an agreement that if the DPO position is outsourced, the IT provider will be allowed to implement policies and procedures for everything from the laptop to the applications to the servers to the data hosted in the cloud. If the IT provider is not in control of all the data, forget it. It's too much liability to handle," Southwell said.

At the MSPAlliance, executives are actively reviewing the legal risks and updating the legal templates used by its members. The organization is also working on a GDPR module that will become part of its certification standard, and it anticipates launching the module by the end of the year.

In the meantime, Weaver advises channel partners to do three things. First, contact a lawyer with managed-service-specific knowledge who also has a grasp of GDPR; the lawyer can review contracts and service-level agreements to make sure they contain provisions that address GDPR compliance requirements. Second, MSPs, CSPs and other IT services providers should have good insurance. It's not enough to have general liability or errors and omissions coverage, Weaver said; services providers must have cyber liability protection and make sure the policy covers a foreign data breach. Third, either get certified or complete an internal project to thoroughly document your policies and procedures, so that you can demonstrate to your customers and to their regulators that you are GDPR compliant.

"I think it's safe to say that we are at the very beginning of what will be several long years of litigation," Weaver said. "The discussion will be very pronounced about what role MSPs and other IT service providers have within GDPR and what role should they have as they test the limits of GDPR in the years to come."
