Three steps MSPs must take to become GDPR compliance experts

MSPs need to position themselves effectively to take advantage of the new regulations

With the General Data Protection Regulation (GDPR) just around the corner, Managed Service Providers (MSPs) that are worried they’ve missed the moment to position themselves as providers of services around GDPR compliance should know that this isn’t the case – in fact, the time is right.

GDPR enforcement begins 25 May 2018, but a large number of companies affected by the new regulation are either still in the dark about it or not as aware as they need to be to successfully comply without assistance.

In the UK, 95% of companies are SMEs - organisations that largely lack the robust internal IT capabilities necessary to implement the protections that GDPR requires. They will instead need to rely on MSPs that have cultivated the correct technologies and expertise to do so, although MSPs need to position themselves effectively to take advantage of this.

1) Acquire the subject knowledge

Compliance with GDPR – and remaining on the good side of regulators – is all about reducing risk wherever possible and demonstrating that effective measures are in place. At its heart, GDPR is an effort to change the culture within companies, such that data privacy and security are treated as much more critical concerns in the everyday practices of conducting business.

As most MSPs are already well aware, it’s not uncommon for an MSP to understand and worry about customers’ systems more than the customers do themselves. This discrepancy is a feature for clients, who desire peace-of-mind-as-a-service, especially in the face of regulations like GDPR that carry devastating fines for non-compliance.

MSP-client relationships are built on trust, the basis of which can be destroyed if a data breach is discovered. Serving clients as the consummate expert on GDPR can both differentiate an MSP’s offerings and help give shape to the relationship-defining trust that the MSP delivers.

Gaining this expertise means developing an understanding of Cyber Essentials, the UK’s cyber security standard for which organisations can be assessed and certified, and the role and activities of the Information Commissioner’s Office (ICO), the UK’s independent authority tasked with upholding information rights and individual data privacy.

In this way, an MSP can obtain and execute upon the knowhow to handle data properly and mitigate risk under the law, so that clients don’t have to. This opportunity is accentuated by the fact that the ICO takes a pragmatic approach to GDPR, setting guidelines that welcome the use of the generic and infrastructural data protection solutions that MSPs are best suited to offer.

Delivering the effective data privacy protections that GDPR calls for not only bolsters the reputation of the MSP, it also fulfils the MSP’s responsibility to protect the reputation of the technology industry as a whole. For MSPs, taking the initiative to help transform the data handling practices and culture of the SMEs they serve is both an obligation and an opportunity.

2) Assemble the correct technology portfolio

Safeguarding private data within the guidelines of GDPR requires a layered security approach. GDPR grants a number of individual privacy rights, such as the right of access, right to the restriction of processing, and right to data portability, which call for a tremendous facility of control over data. GDPR also demands a level of data security appropriate to the risk, taking into account the costs of implementing measures and the nature, scope, context and purposes for processing data.

Encryption of personal data is an essential capability for MSPs in complying with GDPR, especially considering that in most cases SME clients will store data on laptops and other mobile devices. Proof of encryption and the ability to remotely eliminate and/or quarantine data go a long way in demonstrating to the ICO that effective measures are in place. Remember that if data on a compromised device is inaccessible and/or encrypted, the data itself is not compromised and it shouldn’t be considered a breach.

For this reason, we use Beachhead’s SimplySecure as a way of controlling data encryption and remote data wiping (and quarantine) over all devices in use within an SME. Providing additional layers in our portfolio of technology solutions, we use Darktrace for cyber threat analysis, and SonicWALL to help secure SME networks, among other tools.

3) Provide consultancy to educate clients

Teaching SMEs about the best practices they can follow in achieving strong cybersecurity hygiene is highly beneficial to both complying with GDPR and reaching the desired result of protecting data. An effort to change the cultural expectations and norms around data protection is a major component of GDPR, and this requires an education that MSPs can provide.

The desired cultural shift is analogous to the one that previously occurred around data backups. Years ago, it was common for enterprises to ignore the importance of backing up data. However, that mindset has been wholly rendered a relic of the past, and there is such cultural support that backups have become standard practice.

A similar shift will occur with encryption and other data protection, such that truly effective data security practices will be a part of the culture and the default way that enterprises conduct business. This shift begins in earnest with GDPR’s requirements, and the leadership of entities like MSPs that can communicate and educate on the importance and benefits of embracing strategies and tactics that get the job done.

Some SMEs may look at their options and believe that compliance measures are beyond what they can afford. MSPs should be prepared to advise these potential clients to approach Cyber Essentials and GDPR by doing what can be done, and to explain that simple small steps, cultural changes, and wise decisions can and will save them a lot in the long term.

Durgan Cooper is Managing Director at CETSAT
