To GDPR and Beyond: 5 Factors MSPs Must Consider on May 26
When the European Union’s General Data Protection Regulation (GDPR) becomes effective on Friday, some customers will rightly be worried: While no one is certain how quickly or strictly regulators will act, the potential fines should be enough to convince any company that data privacy is now serious business. Some estimates show 60 percent of organizations are at risk of missing the GDPR deadline.
In this column, however, I want to talk about those that did get their compliance ducks in a row. What now?
Smart partners realize that new regulations create both challenges and opportunities. Privacy and data-protection compliance are not a one-time project. GDPR, like any mandate, requires constant vigilance around data use, recurring reviews of processes and ongoing impact assessments. For MSPs, here’s a five-step plan for the day after GDPR comes online.
- Get your own house in order: Like the cobbler’s children, MSPs may have been so focused on helping customers that they didn’t finish their own tasks. Sales and marketing is one privacy area that will affect almost every company, so most likely you have already updated your privacy statement and audited your database to remove any contacts that have not explicitly opted in. Going forward, make sure to add easily visible opt-in links to marketing and advertising activities, including your corporate website, campaign landing pages and other online assets. Distribute your GDPR-compliant privacy statement to current and potential clients, and use it as an opening to discuss their own compliance activities.
- Explore new products and services for a new reality: Convincing customers to fund privacy projects has always been a daunting task. The good news is that the vast majority of those affected by GDPR think that they can quantify the business value of security and use data protection to attract and retain new business. This changes the conversation from a security and IT expense to one about creating competitive advantage. Some leading opportunities include data migration caused by regulatory changes, the need for faster breach response and reporting, and addressing the widespread fear of reporting breaches.
- Help with migrating data to new locations: Nearly half of all organizations plan to migrate their data-storage locations as a result of GDPR and other political changes, and their choice is most influenced by the host country’s data-protection laws, says the McAfee Beyond GDPR research report. At the same time, less than half of those we surveyed are confident that they always know the geographic location of their data storage. Automated discovery and classification of private data is the first step toward resolving this problem. You can’t know where something is if you don’t know what it is. With broad and continuous data classification, network and endpoint data-loss prevention tools help organizations know where their private data is, where it’s going and who is using it.
- Convince companies to move faster: One of the most time-specific parts of GDPR is the requirement to communicate information about data breaches to the regulator within 72 hours. It currently takes the average organization 11 days to report a breach, according to our GDPR research. Behavioral analytics and active response tools help control data movement and reduce the time it takes to spot inappropriate use, helping companies reduce the number of incidents and identify earlier those that do happen. In addition, breaches of high-risk data must be communicated to each affected individual. Encryption of data at rest and in transit is an effective tool to reduce these notifications and the resulting hard and soft costs to the organization. While breaches of encrypted data still need to be reported to the regulator, if the customer encrypts sensitive data to make it “unintelligible to any person who is not authorized to access it,” they are not required to undertake individual notifications, per Article 34.
- Address the high fear of reporting: Privacy violations have a significant impact on an organization’s reputation. So much so that, to avoid the stigma associated with reporting a breach, nearly half of those surveyed would rather accept a fine than make their violations public. Starting now, the potential for stiff fines under GDPR should help change this attitude, but barring a truly dramatic action by the EU, partners might need to encourage a cultural shift within many companies. One opportunity here is to help customers with their security awareness and training activities. There are many aspects to this, including executive governance, continuous compliance monitoring, secure coding and configuration practices, and contract language with partners and service providers. If the customer already has a collaborative security and privacy culture, then auditing and enhancing security postures, developing scenario playbooks and exercising the crisis response team are valuable opportunities for an external, trusted partner to participate.
This is just the beginning. May 25, 2018, marks the beginning of a new data-privacy era. Starting on the 26th, effective data privacy shifts to an ongoing activity that requires changes to customer communications; updated contractual language; and rethinking how we all process, store, transfer and use personal data. As a result, MSPs have many opportunities to use this industry-changing event to create new areas of competitive advantage. I encourage you to use the Beyond GDPR research report to illustrate to customers where peers are in this process. Changing attitudes toward privacy, increased budgets and enhanced tools make this a golden opportunity to focus on security and privacy best practices and the value they bring to an organization.
Richard Steranka is head of global channel operations at McAfee. He leads worldwide channels at McAfee, heightening the company’s commitment to bring proactive, connected security to its partners and their mutual customers.