MSPs have been maturing, and because of this, players in the field have had to evolve — especially with regard to data management and security. While the EU’s General Data Protection Regulation (GDPR) will give privacy rights back to EU citizens (that’s the legislation’s goal, at least), it’ll also create a lot of challenges for MSPs with clients across the Atlantic Ocean. Understanding what GDPR is, how it’ll impact clients and what needs to be completed ahead of time will help MSPs overcome the top GDPR obstacles.
What’s GDPR?
First, it’s important for MSPs to understand how GDPR impacts them. Basically, GDPR grants individuals (specifically, EU citizens) the right to determine how their personally identifiable information (PII) is used by businesses based anywhere. Once GDPR goes into effect (on May 25, 2018), businesses everywhere will be required to unambiguously state to their users how all PII will be used and obtain consent prior to using user PII.
PII? What’s That?
Put simply, PII is any data that can be used to uniquely identify a specific individual. PII examples include names, email addresses, phone numbers, mailing addresses and Social Security numbers. IP addresses, social media posts and transaction histories could also fall under GDPR’s definition of PII. To be honest, GDPR’s definition of PII is pretty broad.
What If I’m Not Based In The EU?
GDPR isn’t something that will only affect MSPs in the EU. You’ll be impacted in some way or another if your clients do business with anyone within the EU. If an MSP or its clients collect, process or store PII of an EU citizen, then steps will need to be taken to ensure compliance with the law. Being in a country outside the EU doesn’t protect you.
I’m A Little Late To The Game, So What Should I Do?
Hopefully, you’ve been monitoring GDPR over the past couple of years. If you haven’t, well, there are a couple of items you should address immediately. Don’t wait any longer.
First, determine if you have any potential exposure as a data processor or data controller as defined by GDPR. Consider this: If you have clients or staff in the EU, then you probably have exposure to GDPR. (To address any exposure you find, I recommend consulting with legal counsel.) You don’t want to end up on the wrong side of the law.
Next, using the same methodology as above, determine if your clients have potential exposure to GDPR. Again, if any potential exposure arises, have your clients consult legal counsel.
What’s the good news? GDPR is going to enable us to raise the conversation with clients about how they store, manage and comply with regulations. Like it or not, more regulation is coming to IT, and we need to educate our clients on potential exposures.