Guest Column | March 14, 2019

For MSPs, Maintaining GDPR Compliance Is A Lifestyle Change

By Nick Harshbarger, SentryOne

Have your clients expressed concern about how to comply with the latest data privacy regulations — particularly the General Data Protection Regulation (GDPR)? More to the point, are they concerned about your ability, as a Managed Service Provider (MSP), to ensure compliance with ever-increasing data privacy regulations? The complexity of navigating these new regulations represents an opportunity for you to add value for your clients by advising them on best practices and implementing optimal solutions in the data systems you manage to ensure compliance.

GDPR affects nearly every company that markets to European Union (EU) citizens. First released in April 2016, GDPR is the set of laws that govern how organizations in the EU handle personal data. Although these regulations are enforced in the EU, GDPR affects companies worldwide, and mandatory compliance has been in effect since May 25, 2018.

So how do these regulations affect you and your clients? And what tools are available to help you with compliance?

Protecting Personally Identifiable Information

The most important obligation MSPs have is the security and protection of any Personally Identifiable Information (PII) contained within their systems. The next two most important obligations are data protection by design and default, and reporting on data breaches.

Data protection by design and default sounds complicated, but it's fairly simple. It means that only the necessary data for each specific purpose can be processed. This applies to the amount of data collected, how much it’s processed and analyzed, the length of time it’s stored, and how accessible it is.

Under GDPR, companies now have only 72 hours to report a data breach. There are substantial consequences for non-compliance, and transparency is a key component. Getting your business into compliance requires cooperation, perfecting data collection and processes, and the right technology to make the changes as seamless as possible.

How To Become Compliant

A clever way to think about GDPR compliance is like the personal goal of getting your body fit: It’s a lifestyle change, not a one-time accomplishment. You can’t forget about GDPR once you’re compliant; it takes continual work to maintain. Here are some critical steps to maintain your “GDPR fitness level”:

  • First, clean up your own company data and any PII you store. PII includes all types of data that could identify a person, including, but not limited to, IP addresses, account login details, and email addresses. All of this information needs to be securely stored.
  • Designate a member of your organization as your Data Protection Officer
  • Update your company’s Privacy Policy to GDPR-compliant standards
  • Create a Subject Access Request (SAR) and a response process for clients requesting their data
  • Develop a Breach Detection and Incident Response Protocol
  • Consider including protocols for both your IT department and corporate communications
  • Create a Records Usage Policy and the protocol to enforce it
  • Design a Right to be Forgotten (RTBF) protocol for both maintenance and auditing. The Right to be Forgotten rule requires that personal data be erased in certain situations, such as when an individual withdraws their consent to the use of the data.

As an MSP, you’re a data processor according to GDPR’s definitions. You might not collect customer data, but you’re processing and analyzing it. Make sure your system is always audit-ready and take steps to protect your data. Your data is ultimately your clients’ data.

Once your organization becomes compliant, consider offering GDPR assessments and remediation in your portfolio of services. Share your newfound knowledge with your clients and expand your expertise. Make sure all current and prospective clients know you’re GDPR compliant and their data is both safe and protected.

Data drives our world, and we want our data to be safe and secure. Whether you’re a channel partner in the EU or you work with EU citizens’ data, it’s imperative your company becomes GDPR compliant. Just like any other lifestyle change, finding an approach that works and sticking with it is the key to success.

About The Author

Nick Harshbarger (@nicharsh) is the Senior Vice President of Strategic Alliances and Channels for SentryOne and is responsible for leading the SentryOne Global Partner Network.