
Three steps MSPs must take to become GDPR compliance experts

MSPs need to position themselves effectively to take advantage of the new regulations

With the General Data Protection Regulation (GDPR) just around the corner, Managed Service Providers (MSPs) worried that they’ve missed the moment to position themselves as providers of services around GDPR compliance should know that this isn’t the case – in fact, the time is right.

GDPR enforcement begins 25 May 2018, but a large number of companies affected by the new regulation are either still in the dark about it or not as aware as they need to be to successfully comply without assistance.

In the UK, 95% of companies are SMEs - organisations that largely lack the robust internal IT capabilities necessary to implement the protections that GDPR requires. They will instead need to rely on MSPs that have cultivated the correct technologies and expertise to do so, although MSPs need to position themselves effectively to take advantage of this.

1) Acquire the subject knowledge

Compliance with GDPR – and remaining on the good side of regulators – is all about reducing risk wherever possible and demonstrating that effective measures are in place. At its heart, GDPR is an effort to change the culture within companies, such that data privacy and security are treated as much more critical concerns in the everyday practices of conducting business.

As most MSPs are already well aware, it’s not uncommon that an MSP understands and worries about customers’ systems more than the customers do themselves. This discrepancy is a feature for clients, who desire peace-of-mind-as-a-service, especially in the face of regulations like GDPR that carry devastating fines for non-compliance.

MSP-client relationships are built on trust, the basis of which can be destroyed if a data breach is discovered. Serving clients as the consummate expert on GDPR can both differentiate an MSP’s offerings and help give shape to the relationship-defining trust that the MSP delivers.

Gaining this expertise means developing an understanding of Cyber Essentials, the UK’s cyber security standard for which organisations can be assessed and certified, and the role and activities of the Information Commissioner’s Office (ICO), the UK’s independent authority tasked with upholding information rights and individual data privacy.

In this way, an MSP can obtain and execute upon the know-how to handle data properly and mitigate risk under the law, so that clients don’t have to. This opportunity is accentuated by the fact that the ICO takes a pragmatic approach to GDPR, setting guidelines that welcome the use of the generic and infrastructural data protection solutions that MSPs are best suited to offer.

Delivering the effective data privacy protections that GDPR calls for not only bolsters the reputation of the MSP, it also fulfils its responsibility to protect the reputation of the technology industry as a whole. For MSPs, taking the initiative to help transform the data handling practices and culture of the SMEs they serve is both an obligation and an opportunity.

2) Assemble the correct technology portfolio

Safeguarding private data within the guidelines of GDPR requires a layered security approach. GDPR grants a number of individual privacy rights, such as the right of access, right to the restriction of processing, and right to data portability, which call for a tremendous facility of control over data. GDPR also demands a level of data security appropriate to the risk, taking into account the costs of implementing measures and the nature, scope, context and purposes for processing data.

Encryption of personal data is an essential capability for MSPs in complying with GDPR, especially considering that in most cases SME clients will store data on laptops and other mobile devices. Proof of encryption and the ability to remotely eliminate and/or quarantine data go a long way in demonstrating to the ICO that effective measures are in place. Remember that if data on a compromised device is inaccessible and/or encrypted, the data itself is not compromised and it shouldn’t be considered a breach.

For this reason, we use Beachhead’s SimplySecure as a way of controlling data encryption and remote data wiping (and quarantine) over all devices in use within an SME. Providing additional layers in our portfolio of technology solutions, we use Darktrace for cyber threat analysis, and SonicWALL to help secure SME networks, among other tools.

3) Provide consultancy to educate clients

Teaching SMEs about the best practices they can follow in achieving strong cybersecurity hygiene is highly beneficial to both complying with GDPR and reaching the desired result of protecting data. An effort to change the cultural expectations and norms around data protection is a major component of GDPR, and this requires an education that MSPs can provide.

The desired cultural shift is analogous to the one that previously occurred around data backups. Years ago, it was common for enterprises to ignore the importance of backing up data. However, that mindset has been wholly rendered a relic of the past, and there is such cultural support that backups have become standard practice.

A similar shift will occur with encryption and other data protection, such that truly effective data security practices will be a part of the culture and the default way that enterprises conduct business. This shift begins in earnest with GDPR’s requirements, and the leadership of entities like MSPs that can communicate and educate on the importance and benefits of embracing strategies and tactics that get the job done.

Some SMEs may look at their options and believe that compliance measures are beyond what they can afford. MSPs should be prepared to advise these potential clients to approach Cyber Essentials and GDPR by doing what can be done, and that simple small steps, cultural changes, and wise decisions can and will save them a lot in the long term.

Durgan Cooper is Managing Director at CETSAT
