GDPR for MSPs: Channel partners question the law's reach

Partners react to GDPR personal data laws

MSPAlliance, an association for cloud and managed service providers (MSPs), based in Chapel Hill, N.C., has been handling questions about GDPR for MSPs, said Charles Weaver, CEO. MSPAlliance offers GDPR Verify for Managed Service Providers, a 400-page report designed to help partner firms meet their compliance obligations. Service providers can use the report with their customers to indicate they are meeting their obligations related to GDPR personal data, he said.

Charles Weaver

There has been a sharp rise in the number of partner firms that have purchased the report since the law was enacted, Weaver noted. "We're first seeing it in the bigger MSPs with multinational touch points. They're obviously very aware of this ... [but] I was shocked at the small MSPs coming to us. We're talking about 20-user MSP organizations saying, 'We need to be GDPR verified.' I wasn't expecting that, and that's where it's increasing ever since the law went into effect in May."

There is still confusion about GDPR "but slightly less panic today about the regulatory arm of the EU coming crashing down on companies just yet," he added. The potential for litigation will increase as more time goes on, he said.

U.S., Canadian and several EU-based service providers have contacted the MSPAlliance with questions about the GDPR Verify report and how they can become compliant, he said. "Most of the MSPs who have approached us are getting this report in conjunction with another report, whether it's a Soc [service organization control] 1 or Soc 2 report, and they're combining it," he said.

The heart of [our GDPR offering] is data classification: Where is your critical data? Where are you storing it, processing it and transmitting it?

Weaver stressed that with the GDPR it doesn't matter where the MSP is headquartered. What matters is where the customer is and where the customer's data is housed. "We have U.S. and Canadian MSPs and none of these MSPs have a presence outside the U.S., and they're still going through the GDPR process because they have customers that have [GDPR personal data] that could come into contact with the MSP. You see how quickly this could spider out."

Even if you're a small MSP doing under $10 million in revenue with under 50 employees, all it takes is one customer in the EU who deems the GDPR a significant business threat, he said. If the customer asks its MSP how they plan to handle its data so they don't have a data breach, "that triggers the escalation of the MSP going out and doing their due diligence and making sure their [cloud] vendors aren't a potential source of data leakage. It's very easy to find its way to even the smallest MSP organization."

Smaller MSPs are having conversations with their customers, he said. Weaver has also seen contracts created by MSPs that stipulate they will not accept someone as a customer unless that customer agrees they will not give the MSP any GDPR personal data. That is "their way of saying, 'I don't think you'll hamstring us by handing us [GDPR personal data] and then exposing us to a potential lawsuit,'" he said.

Most small MSPs do not have "a very good internal handle on how they manage customer data," Weaver said.  "Factor in [the end user organizations'] budgetary or other reasons for limiting the work their MSP does for them, and you have a regressive posture when it comes to managing and categorizing data," he said.

GDPR for MSPs: Channel firms develop compliance offerings

GDPR-related work at Fishtech Group, a cybersecurity firm based in Kansas City, Mo., has been mainly educational and advisory-awareness-focused so far. Company officials have performed a number of "GDPR-enablement engagements for clients," said Andy Barrett, enterprise architect at Fishtech Group. 

Essentially, Fishtech Group's offering encompasses GDPR compliance education and awareness and determining how exactly the GDPR will affect the specific client, Barrett said. It also involves performing data discovery processes using a combination of technology and interviews to identify locations where critical data is stored, processed and transmitted, including data that is applicable to GDPR. Additionally, Fishtech helps clients develop processes, policies, procedures and standards to ensure compliance with GDPR.

"The heart of that is data classification: Where is your critical data? Where are you storing it, processing it and transmitting it?" he said.

SMBs wait to see GDPR's impact

Like Weaver, Barrett said that while small and medium-sized businesses generally don't have an international presence and are aware of the GDPR law, they are confused about whether it affects them. "They realize it's something they should address, but they don't know how," Barrett said.

A lot of organizations are waiting to see what the actual impact of the law will be and whether the large organizations that do lot of data collection will get sued if they are not GDPR-compliant, Barrett said. "We've heard from a couple of clients ... 'We'll wait and see what happens before we invest a lot of time, money and effort into compliance.' "

Fishtech Group's stance has always been that compliance should be "to the best of your ability," he noted. But for many customers, he maintained, information security is not a priority. "We have a lot of clients we work with on lots of compliance efforts, and sometimes it's more difficult with some to get them to a compliance state for a number of regulations."

Barrett expects to see more compliance activity as the GDPR matures and becomes enforced. Right now, he said, "it's kind of died off within the last couple of months, but I think it's probably going to pick up as more organizations figure out what they need to do."