The General Data Protection Regulation, or GDPR, was introduced in all EU countries on 25 May 2018. One year on, there is still confusion about the obligations the regulation imposes.
Many small enterprises outside of Europe do not realize that GDPR applies to them if they conduct business within the European Union, even though their headquarters are elsewhere. There are risks in running a non-compliant business in Europe and the worry over that threat has caused some businesses to pull out of operating within the EU.
“The negative impact of GDPR has mainly been limited to smaller companies that hesitate to launch services for EU territories because the regulation is perceived heavier and scarier than it actually is.” – Joakim Boalt, VP Messaging, Sinch.
There is no doubt that the costs of compliance create an overhead and the penalties of non-compliance can be crippling. However, the only logical way to approach the issue is to start by learning exactly what is included in GDPR. This article will give you a brief overview of the requirements contained in GDPR.
The General Data Protection Regulation
Although the GDPR document is long and daunting, the requirements for compliance boil down to four basic facts:
1. GDPR applies to all businesses collecting and storing personal data within Europe
2. Personal data must be protected from theft, loss, corruption, and inappropriate use
3. Non-EU businesses are also liable for their operations within Europe
4. There is no exemption for small businesses
As an MSP, you manage services for businesses. The term “services” covers a broad range of activities. If you supply user support that reaches out to members of the public and if your contract requires that you keep a local store or data backup of end-user information, you will need to ensure that you are GDPR-compliant. If you only deal with the employees of client companies, you might not need to worry. Data about people’s activities at work is not considered “personal.”
Complications arise over the type of data that you might need to hold on corporate members. HR information is subject to GDPR, as is any information surrounding legal cases. However, a list of users of a particular piece of software at a client company is not considered to be personal information, nor are records about Help Desk communications with those people.
GDPR for SMBs
The regulation applies to all businesses that store personal data. So, even if you are a sole trader, you could be liable. No matter where you are based, personal data stored about people in Europe is subject to GDPR – information about people based outside of the EU is not.
Many small and middle-sized businesses based outside of the EU have decided to simplify their liabilities by refusing to deal with clients in the region. In the USA, particularly, a large local market tempts SMBs to rule out operating in Europe.
“Smaller American-based organizations … have had a tougher time expanding to Europe – resulting in some of those having to withdraw from the region altogether.” – Florian Lichtwald, MD, zeotap
This strategy is a mistake for ambitious MSPs. A more profitable approach is to first check whether you need to hold personal information to carry out your business. If you don’t, you have nothing to worry about. Look at ways to avoid using personal data. For example, if you handle software support calls from the general public, store event data against a license number and eradicate the need to identify the transaction by the user’s name.
Penalties for non-compliance
If your MSP’s activities make storing data about people unavoidable, then you should be aware that non-compliance could get you fined.
In the first nine months after GDPR came into effect, 206,326 cases were lodged. The biggest fine issued in the first year of enforcement was a penalty of more than $50 million levied on Google.
GDPR specifies a potential fine that is equal to two percent of the company’s annual revenue. However, the Regulation is implemented as laws in each EU country and each national parliament is allowed to bump up that percentage, so you could get fined for up to four percent of your revenue.
That percentage of revenue is a maximum and not an automatic levy. The percentage is not a limit per year, but per event. So, if you repeatedly fall foul of the ruling, you could be driven to bankruptcy.
The regulation also allows individuals to bring a class action suit against your business for inappropriate use of data or failure to secure their personal information. This threat doesn’t really change your liabilities because most countries around the world already had laws over data privacy before GDPR was created. Another factor that lessens the fright over the possibility of user class action suits is that those cases would need to be brought in the home country of your business.
Where several businesses are responsible for storing and protecting personal data, all are equally liable to pay fines and compensation. This aspect of GDPR should be particularly worrying for MSPs. However, the collector of the data bears the initial hit. That company then has the right to sue collaborating businesses to recover part of that cost.
Your MSP will only be liable if it was directly in the chain of data stewardship and the information that was abused relates to private individuals.
“[Small companies] don’t have the apparatus and the team in place to actually really continuously support this kind of compliance.” – Chris DeRamus, Chief Technology Officer, DivvyCloud.
As the quote above expresses, small businesses could be overwhelmed by GDPR. However, you already have a powerful mechanism in place to control your liabilities: contracts.
Whenever you deal with a member of the public, make sure that permission to store personal data is written into the Terms of Service to which they have to agree. Permission radically reduces your exposure to legal threats.
Mutual corporate liability will be covered in the contracts that you sign with your clients. Frontline businesses need to make sure that your MSP isn’t going to abuse the personal data of their customers. You also need to ensure that the services you employ in order to fulfill each contract will not mishandle personal data.
If a data processing or storage provider that you use is in breach of data security for another client, you can use that event to nullify your contract with them without penalties.
No matter where your clients are, you probably already have to prove data governance procedures in order to win contracts – you might already be GDPR-compliant.
Becoming GDPR compliant
GDPR is meant to protect private individuals from identity theft. However, it can also be seen as a protective measure by the EU to block overseas competition to its digital services sector. On the other hand, implementing data security and governance measures will give you a competitive advantage in a market that is running scared of the standard.
“The future belongs to those brands who can be trusted to manage our personal data with integrity, security and transparency.” – Julian Saunders, CEO, Port.
Many businesses don’t know what kind of information they hold, all of the locations that it is stored, or how it is accessed and used. Addressing these issues will cover most of the work that you need to perform to get your MSP GDPR-compliant.
• Identify the locations of personal data
• Document how that data is used
• Shut down non-compliant usage
• Institute data access logging
• Create data backup and recovery strategies
• Strengthen system security
The final piece of the puzzle comes in reporting. You must be able to:
• Inform those on whom you keep data whenever your storage or usage conventions change
• Be able to demonstrate security procedures on inspection
• Extract personal data for delivery to its subject on demand
• Notify the authorities of any data security breaches or unintentional disclosures
These data security and usage tracking functions should be available in the platform that you use to support your MSP’s activities.
GDPR-compliant tools for MSPs
MSPs need RMM and PSA software to support their operations and to ensure that all facilities are GDPR-aware.
Size should not be an issue. Atera offers cloud-based MSP support software that is charged on a subscription basis per technician. That gives freelance support agents, distributed, home-based teams, and small MSPs the same utilities used by the big corporations without large upfront software costs.
Hosted storage offered by Atera covers the backup and recovery obligations outlined in GDPR.
Reporting and auditing enable you to demonstrate compliance.
Remotely managed support software eliminates the need to maintain your own servers and saves the cost of hiring a network administrator.
Small businesses and MSPs should not shy away from bidding for work in the EU just because of GDPR. Cost-saving RMM, PSA, and data recovery services level the playing field and enable small businesses anywhere in the world to compete with the market leaders, no matter what legal requirements regulators come up with.
“One year on … action remains to be taken, and a lack of initiative means companies have failed, or at the very least are yet to adopt fulsome solutions to the GDPR.” – Shawn Brown, CEO, Trunomi.
Use GDPR as a strategy to get ahead of your rivals and win new business in the lucrative European market. Embrace GDPR and watch your business grow.
This article is meant for the educational discussion of current GDPR requirements. It contains only general information about legal issues. It is not legal advice and should not be treated as such.