GDPR for MSPs: Channel partners question the law's reach

Channel firms and customers outside the EU are still figuring out what they need to do to comply with GDPR personal data regulations, despite the law's May 2018 enactment.

Facebook could face a $1.63 billion fine by a European Union privacy group under the recently enacted General Data Protection Regulation following revelations in late September that hackers compromised the accounts of more than 50 million users.

But if you think the GDPR only applies to large businesses, think again. Any company that stores personal data of EU citizens is subject to scrutiny, or else they risk significant financial penalties. Yet, while many small channel firms are asking questions about GDPR personal data, they are waiting to see if penalties will be levied on large companies like Facebook before taking measures to comply with the regulation.

Additionally, some 70% of global businesses are failing to meet requests by individuals for their personal information since the GDPR went into effect on May 25, according to recent research by Talend, a data integration software vendor.

Partners react to GDPR personal data laws

MSPAlliance, an association for cloud and managed service providers (MSPs), based in Chapel Hill, N.C., has been handling questions about GDPR for MSPs, said Charles Weaver, CEO. MSPAlliance offers GDPR Verify for Managed Service Providers, a 400-page report designed to help partner firms meet their compliance obligations. Service providers can use the report with their customers to indicate they are meeting their obligations related to GDPR personal data, he said.

Charles Weaver, CEO of MSPAllianceCharles Weaver

There has been a sharp rise in the number of partner firms that have purchased the report since the law was enacted, Weaver noted. "We're first seeing it in the bigger MSPs with multinational touch points. They're obviously very aware of this ... [but] I was shocked at the small MSPs coming to us. We're talking about 20-user MSP organizations saying, 'We need to be GDPR verified.' I wasn't expecting that, and that's where it's increasing ever since the law went into effect in May."

There is still confusion about GDPR "but slightly less panic today about the regulatory arm of the EU coming crashing down on companies just yet," he added. The potential for litigation will increase as more time goes on, he said.

U.S., Canadian and several EU-based service providers have contacted the MSPAlliance with questions about the GDPR Verify report and how they can become compliant, he said. "Most of the MSPs who have approached us are getting this report in conjunction with another report, whether it's a Soc [service organization control] 1 or Soc 2 report, and they're combining it," he said.

The heart of [our GDPR offering] is data classification: Where is your critical data? Where are you storing it, processing it and transmitting it?
Andy Barrettenterprise architect, Fishtech Group

Weaver stressed that with the GDPR it doesn't matter where the MSP is headquartered. What matters is where the customer is and where the customer's data is housed. "We have U.S. and Canadian MSPs and none of these MSPs have a presence outside the U.S., and they're still going through the GDPR process because they have customers that have [GDPR personal data] that could come into contact with the MSP. You see how quickly this could spider out."

Even if you're a small MSP doing under $10 million in revenue with under 50 employees, all it takes is one customer in the EU who deems the GDPR a significant business threat, he said. If the customer asks its MSP how they plan to handle its data so they don't have a data breach, "that triggers the escalation of the MSP going out and doing their due diligence and making sure their [cloud] vendors aren't a potential source of data leakage. It's very easy to find its way to even the smallest MSP organization."

Smaller MSPs are having conversations with their customers, he said. Weaver has also seen contracts created by MSPs that stipulate they will not accept someone as a customer unless that customer agrees they will not give the MSP any GDPR personal data. That is "their way of saying, 'I don't think you'll hamstring us by handing us [GDPR personal data] and then exposing us to a potential lawsuit,'" he said.

Most small MSPs do not have "a very good internal handle on how they manage customer data," Weaver said.  "Factor in [the end user organizations'] budgetary or other reasons for limiting the work their MSP does for them, and you have a regressive posture when it comes to managing and categorizing data," he said.

GDPR personal data chart
Review what types of information is considered 'personal data' under the GDPR.

GDPR for MSPs: Channel firms develop compliance offerings

GDPR-related work at Fishtech Group, a cybersecurity firm based in Kansas City, Mo., has been mainly educational and advisory-awareness-focused so far. Company officials have performed a number of "GDPR-enablement engagements for clients," said Andy Barrett, enterprise architect at Fishtech Group. 

Essentially, Fishtech Group's offering encompasses GDPR compliance education and awareness and determining how exactly the GDPR will affect the specific client, Barrett said. It also involves performing data discovery processes using a combination of technology and interviews to identify locations where critical data is stored, processed and transmitted, including data that is applicable to GDPR. Additionally, Fishtech helps clients develop processes, policies, procedures and standards to ensure compliance with GDPR.

"The heart of that is data classification: Where is your critical data? Where are you storing it, processing it and transmitting it?" he said.

SMBs wait to see GDPR's impact

Like Weaver, Barrett said that while small and medium-sized businesses generally don't have an international presence and are aware of the GDPR law, they are confused about whether it affects them. "They realize it's something they should address, but they don't know how," Barrett said.

A lot of organizations are waiting to see what the actual impact of the law will be and whether the large organizations that do lot of data collection will get sued if they are not GDPR-compliant, Barrett said. "We've heard from a couple of clients ... 'We'll wait and see what happens before we invest a lot of time, money and effort into compliance.' "

Fishtech Group's stance has always been that compliance should be "to the best of your ability," he noted. But for many customers, he maintained, information security is not a priority. "We have a lot of clients we work with on lots of compliance efforts, and sometimes it's more difficult with some to get them to a compliance state for a number of regulations."

Barrett expects to see more compliance activity as the GDPR matures and becomes enforced. Right now, he said, "it's kind of died off within the last couple of months, but I think it's probably going to pick up as more organizations figure out what they need to do."

Dig Deeper on Regulatory compliance for MSPs

Cloud Computing
Data Management
Business Analytics