Security Central: Time’s Up! GDPR Is Finally Here
Well, this is it, guys and gals. Ready or not, here it comes: As of today, on the eve of a three-day weekend in the U.S., the EU’s General Data Protection Regulation (GDPR) is in full force.
GDPR compliance has been a growing source of concern in the channel for … well, for what seems like forever. The closer we inched toward May 25, the more features and initiatives OEMs pushed out for their partners freaking out about compliance.
Genesys, for example, this week released a new self-service GDPR API for its PureCloud customer engagement platform. The ambitious API aims to help partners actually over-comply with GDPR. Olivier Jouve, executive vice president of Genesys PureCloud, warns partners not to play fast and loose with these regulations.
“The data problem is very real,” Jouve told Channel Futures. “Similar technology has anonymized audience data, but not at the individual level. Marketing always had access to that. Now, we have to come at it from the other direction.”
Despite an adoption ramp-up of more than a year that the EU gave us, many MSPs stuck their heads in the sand for months, thinking that GDPR didn’t apply to them. But as partners began to understand details about the intricacies of the law, it became crystal clear to many that it’s better to be safe than sorry. Similar regulations are already in the works in other countries, and while the U.S. seems bent on deregulation right now, there’s also been a public outcry over data protection in recent weeks as the Facebook/Cambridge Analytica scandal came to light. So if we do come out with stricter regulations in this country, we’ll have one more thing to thank the Zuck for.
“At a minimum, these scandals may accelerate investigations and enforcement actions that European Data Protection Authorities (DPAs) might have otherwise implemented with more restraint,” Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, told us. “It may also prompt the U.S. Federal Trade Commission to again take a swift and more aggressive stance, pending any findings of their investigations. And since Congress has already asked for documentation of Facebook’s privacy practices over the past several years, this may also accelerate the regulation of social media platforms.”
Congress has already asked Facebook to fork over documentation of their less-than-ideal privacy practices, so if you don’t see the writing on the wall that heavier regulations are coming, we’re not sure what to tell you. Henry Washburn, senior competitive intelligence manager at data-protection provider Datto, told Channel Futures it’s to partners’ benefit to aim for the highest level of compliance possible.
“I’ve read the whole, wonderful page turner that GDPR is,” said Washburn. “You don’t even know how evolved GDPR will be because it isn’t out in the world yet. It hasn’t been litigated by any means … an MSSP shouldn’t be blindsided by that.”
The main goal of GDPR is to give customers full visibility into how their data is being used. But in a multicloud world, that can be difficult even for partners to understand, let alone customers. It isn’t just what many businesses think of as data that has to be protected, like account details residing in customer relationship management (CRM) software. Think of all the cloud applications your customers use, many of which you may not even know about. Dropbox, Skype, Slack, Office 365 — there are countless such services. Have your customers communicated with EU citizens on these platforms? Are you sure?
“But I don’t have customers in the EU,” you might say. “GDPR doesn’t apply to me.”
Not so fast. The regulation may not apply to you, but are you absolutely sure that your customers don’t have any data on EU citizens? Certain enough to bet your clients’ businesses?
Some small and midsize businesses (SMBs) might think they don’t have the budget to up their security game all at once, and may choose to risk it. But fines associated with noncompliance with GDPR are steep: up to 4 percent of gross annual revenue, or $24 million. That kind of slap on the wrist could seriously cripple smaller businesses, leaving partners with mud on their faces and watching clients (understandably) walk away.
“If leaders of SMBs want to improve their security programs while keeping their budgets under control, the most important thing for them to understand is how data, people and location weave together to create patterns – both good and bad – across and within their organizations,” says Simberkoff. “Only by understanding your existing data can you effectively protect it.”
Luckily, these SMBs have a handy resource to turn to in their managed service provider (MSP) trusted advisers. In recent years, we’ve seen a rush of MSPs scrambling to add managed security to their portfolio, knowing that if they don’t, their competitors will. Being able to offer some sort of assurance and semblance of expertise when it comes to compliance will go a long way in the sales process.
Go to your customers with a concrete plan, not just vague warnings and promises. Engage in an in-depth data mapping process to get full clarity into what data is being held, and where. Develop strict standard operating procedures around storing customer data, because under GDPR, businesses can’t just keep customer information indefinitely without a darn good reason. Make sure everyone is clear on what the process is if one of the GDPR clauses is triggered, such as a customer exercising their “right to be forgotten.”
“GDPR is, of course, something we’re aware of,” says Nick Lenius, who owns a small MSP called Oklahoma IT Solutions. “We’re trying to wrap our heads right now around how to market around it and provide a solution to it without using buzzwords, so we can really explain it to our customers so they understand.”
There are a lot of things moving and shaking in the channel right now that are revealing the gaps between partners that are prepared for the future and those that will be left behind. Compliance is without question one of them. So GDPR may be bad news for MSPs that for whatever reason don’t want to mess with something so convoluted, but it’s great news for MSSPs that want to add a service offering for their customers that creates stickiness.
There are risks associated with GDPR, but there are opportunities too. It’s up to partners to recognize doors to new and more revenue when they open. Hint: GDPR is a big modern-day automatic door, complete with metal detectors and a snazzy doormat, maybe one of those cute ones that tell you to buzz off unless you have tacos (I really want one of those doormats).