The introduction of the General Data Protection Regulation (GDPR) next year will affect any organisation that handles EU customer data, whether the organisation itself is within or outside the European Union.
The new regulations, which will apply from 25 May 2018, introduce extensive changes to the way that personal data is handled, stored and protected.
For IT providers, and particularly those that offer cloud services, GDPR will bring its own set of challenges – and opportunities. As an IT or managed service provider, you not only have to help your customers navigate the new regulations; you must also ensure your own organisation is fully compliant.
There has been much talk about organisations not being fully prepared for GDPR, but new research from the analysts at IDC claims that cloud service providers (CSPs) may also be underestimating the impact of GDPR on their business models.
With an increasing number of channel partners – VARs, MSPs, SIs – offering cloud services, it is important they understand the extent of their liability under GDPR, as it could mean increased risk and higher costs for firms dealing with personal data.
Whereas previously it was only ‘data controllers’ who were responsible for information, under GDPR, ‘data processors’ now bear the burden of responsibility as well. This means service providers will have to ensure they are meeting GDPR standards, as they are processors of their clients’ data.
Moreover, the definition of processing is broad and includes simply storing personal data. Similarly, personal data is also broadly defined and includes any data that relates to an identified or identifiable living person.
So as a service provider, there are questions you must be able to answer: if you are processing data in the cloud, where is that cloud based? Is it in the EU? Assuming you are encrypting data, who holds the decryption keys? By demonstrating your own readiness, you set an example for your clients and show that their data is protected in your care.
Solution providers should review all current supply chains and current contracts, and conduct due diligence on sub-processors. Audits of sub-processors will be important, and CSPs may also begin auditing their customers to ensure that cloud services are used in a compliant manner.
Insurance arrangements also need to be reviewed and data breach exposure protection may be necessary.
Appropriate technology solutions will be key to keeping potential breaches at bay as far as possible. IDC predicts GDPR will create a $3.5bn market opportunity for security and storage vendors – of which the channel will take its share. However, GDPR doesn’t prescribe specific data protection technologies. Instead, it sets out processes, meaning that the channel could potentially have greater freedom when it comes to choosing vendor solutions that satisfy those process requirements.
If you are hosting your customers’ data, you must ensure you can deliver the required level of security, keep logs that can be produced in the event of an incident, and produce them as and when required.
However, where there is risk, there is reward. The new directive provides a fantastic opportunity for IT channel partners to become experts in GDPR who can guide their customers through the maze of regulation.
IT trade association CompTIA advises: “Clients will be relying on their providers to help them meet regulations, which is a great opportunity to build on your relationships, all while creating new business with current and potential end users.”
A growing number of businesses will be seeking advice from IT channel specialists about solutions that can prevent threats from becoming disasters.
Service providers should consider offering GDPR compliance audits, evaluation services and penetration testing. Customers will need to be educated to ensure they are fully up-to-speed on the new regulations, which is a perfect opportunity for a solution provider to demonstrate their knowledge and provide the necessary training.
The role of trusted advisor is a valued one, so channel firms should use GDPR to strengthen their relationships with existing customers and to create new business with potential customers that are currently in the dark over the new regulation.
Customer readiness support
Following on from Vuzion’s GDPR webinar on 22 June, hosted by independent GDPR Implementation Consultant Pierre Westphal, Vuzion is setting up a series of workshops, assessments and clinics – to be hosted by Pierre Westphal – to help partners provide support for their customers. We’ll be posting full details on the Vuzion GDPR hub – but, in the meantime, do please contact a member of the Vuzion team to register interest, or if you’d like further information on how you can help your customers prepare for GDPR.