If you are an IT services provider (MSP) located in Europe, you are undoubtedly aware of the General Data Protection Regulation (GDPR), adopted in April 2016 by the European Parliament and the Council of the EU. The GDPR is a set of provisions governing the processing of the personal data of people in the EU, intended to replace the patchwork of national rules with a unified standard for all 28 EU member states and so strengthen data protection. The regulation came into effect today, May 25th 2018. Like any new regulatory legislation with stringent compliance requirements, it brings a lot of confusion, especially for MSPs. When you break it down, there are five key questions every MSP needs answered.
Does the GDPR apply to me?
If you are an MSP located within one of the 28 EU states, the regulation applies to you. However, even if you are located outside the EU, you may be subject to it as well. That is because the GDPR's scope is defined by the data, not by where the company sits: under Article 3 it applies to any organization, wherever it is established, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behavior. In other words, if you or your clients do business with Europe, you most likely fall under the GDPR.
Am I a Processor or a Controller?
The GDPR applies to controllers and processors, and each role carries different obligations, so it is important to determine which one you are. Article 4 of the GDPR defines the two roles as follows:
- Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4(7))
- Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (Article 4(8))
A controller would be a bank or a retailer that collects the data of its customers. A processor would be the third-party company that stores, digitizes, or catalogs that data on the controller's behalf. As an MSP, you are in almost every case a processor for each client whose systems you host, back up, monitor, or support, because personal data passes through services you operate. Article 28 requires a written contract (a data processing agreement) between you and each such client that sets out the subject matter, duration, nature and purpose of the processing, the categories of data and data subjects, and your obligations as processor; this is the documented information you should expect from every client who handles the personal data of people in the EU. Merely being able to affect the confidentiality, integrity or availability of a client's data does not make you a controller. You become a controller, or a joint controller with the client, only if you decide the purposes and means of the processing, which subjects you to a more rigorous set of requirements. Note that processors carry direct obligations of their own under the GDPR, for example securing the processing (Article 32) and engaging sub-processors only with the controller's authorization (Article 28(2)).
What type of data falls under the scope of GDPR?
If you are unfamiliar with the new regulations, you should know that what the GDPR defines as “personal data” (any information relating to an identified or identifiable natural person) is broader than its traditional definition. Personal data now includes:
- Basic information such as name, address and ID numbers
- Web data such as IP addresses and cookie data
- Health, biometric and genetic data
- Racial or ethnic origin and sexual orientation
- Even political opinions, religious beliefs and trade union membership
The last three items are “special categories” of personal data under Article 9, whose processing is prohibited unless one of the specific exceptions in that article applies, so they demand stricter handling than a customer name or an IP address.
What are my responsibilities?
There is still a great deal of ambiguity concerning the GDPR. Some responsibilities, such as the requirement in Article 32 to implement “appropriate technical and organisational measures” to secure personal data, are deliberately not prescribed in detail; what counts as appropriate depends on the risk, the state of the art and the cost of implementation. One obligation is concrete, however. In the event of a personal data breach at one of your customers, you as the processor must notify that customer (the controller) without undue delay after becoming aware of it, and the controller must notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the controller must inform those individuals as well (Article 34). A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Meeting a 72-hour clock requires transparency between you and your customers, and in practice an incident-reporting process agreed in the data processing agreement before anything happens.
Will the GDPR Cost Me Anything?
There are no taxes or fees involved with the GDPR; however, there are very stiff fines for non-compliance: up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements (Article 83). To avoid these fines, it is imperative that you keep detailed documentation of your security practices and of the steps you took in response to a breach. How a company responds to a breach has a direct effect on the fine: Article 83 lists the action taken to mitigate the damage, the degree of cooperation with the supervisory authority, and the manner in which the breach became known to the authority among the factors that determine its level. In addition, it is certain that all organizations falling under the GDPR will have to invest in their infrastructure and staff to address this new set of rigorous regulations.
An Opportunity for MSPs
MSPs should not look at the GDPR as a negative initiative that brings further complexity and expense to their business. Instead, it provides a real opportunity to grow their business by bringing customers into GDPR compliance, since many businesses lack the resources and knowledge to do so themselves. As mentioned, there is a great deal of confusion concerning the GDPR, and an MSP that can provide clarity and compliance in one package will have a considerable advantage over its competition.
For more information on the GDPR, read our recently published guide. It provides in-depth information on how to get to grips with the regulation now.