By Michael Mittel, CEO, RapidFire Tools
The European Union’s GDPR (General Data Protection Regulation) is one of the most sweeping global IT regulations in history, set to impose penalties for non-compliance beginning May 25, 2018. Designed to protect European consumers from breaches of their personal identifying data (PID), it regulates how, and for how long, this data can be stored on an IT network.
However disruptive this may be for the global marketplace, it presents an immense opportunity for MSPs. The European Union is threatening penalties of up to €20 million, or up to 4 percent of a company’s previous fiscal year's worldwide turnover, for non-compliance.
Here are a few strategies MSPs can implement to help their business customers prepare for GDPR compliance, avoid penalties, and mitigate ongoing risk of global PID breaches.
1) Educate your business customers
Many non-European businesses have been disinclined to review the EU GDPR because they’re not even aware it applies to them. As a managed services provider, it’s your role to help your customers grasp the extent of the regulations and their impact on U.S. organizations.
If businesses in the U.S. are complacent about this new set of regulations so far, they’re doing so at their own peril. A majority of U.S. companies conduct online commerce, making it virtually impossible to restrict purchases from European consumers. And if data from a European customer or business partner is transmitted via a U.S. company’s network, that company is expected to adhere to GDPR standards.
Gather links and resources that will help educate your customers and make sure they understand their exposure under these new compliance regulations. An informative marketing campaign, and/or an online resource center on your website, will go a long way toward generating new dialogs with your customers—which often lead to new business projects.
2) Stress documentation through network assessments
Companies that are subject to the GDPR regulations must not just take steps to be compliant, they must prove they have taken those steps. This is true even if the organization simply outsources its data processing to a third-party processor, such as a cloud provider. Organizations must maintain concrete evidence that they are compliant. Network assessment tools can provide detailed reports and analysis on exactly what changes a company has made to comply with data protection requirements.
Effective assessment tools dedicated to compliance regulations such as HIPAA, PCI and, soon, the GDPR can discern personally identifying information stored on an MSP client’s network, including driver’s license numbers, credit card data, and other personal identifiers. Through such scans, MSPs can provide evidence that their customers have taken the necessary actions to identify and secure this information. Scans can be offered as a value-add or as a billable service with sufficient mark-up.
3) Create an overall compliance program for your client base
While positioning yourself as a GDPR resource, counsel customers on a holistic approach to security compliance. In addition to adequate IT security solutions, companies can implement overall policies such as regular staff testing on security procedures, training on recognizing phishing tactics, and so on. A review of physical security processes is also helpful, including how data is exposed on company monitors, and whether sensitive locations where data can be accessed are properly locked or restricted from general employees.
Implementing such measures will help demonstrate that companies have gone above and beyond to protect the personal data of EU citizens on a long-term basis. These activities factor heavily in a company’s favor in the event of a regulatory audit. They also create a “culture of compliance” that bodes well for long-term adherence, whether to the GDPR mandates or to other regulations such as HIPAA and PCI. It’s a significant business opportunity that can be addressed in multiple ways while strengthening customer bonds.
As the gravity of GDPR begins to take hold beyond the European Union, savvy MSPs will be able to gain incremental revenues and opportunities, help their customers prepare, and support the EU’s effort to create a more globally secure technological marketplace.
Michael Mittel is CEO of RapidFire Tools, the developer of the Network Detective series of non-invasive network assessment tools, including network security and compliance modules.