26 Nov GDPR Update: How MSPs are Dealing with the New Regulations
With nearly 18 months of living in a GDPR world under our belts, we now have a little clearer picture of what it all means.
To recap, the EU General Data Protection Regulation went into effect in May 2018 and mandated that any company doing business with any entity or individual in the EU needed to follow strict rules about protecting individual data, including opt-ins, opt-outs and deletion upon request.
Real enforcement and real fines
GDPR is definitely a stick-based compliance scheme, with hefty fines in the offing for firms that violate the regulations, and no actual rewards for compliance (other than avoiding those previously mentioned fines). And those fines are already being levied, punishing companies that suffered data breaches exposing personal data such as emails and passwords, granted employees unauthorized account access, and even used an unmarked security camera in a location where it captured footage of a public sidewalk.
Google had to ante up $57 million for multiple infractions, making it clear that even if a company’s headquarters and decision-making aren’t in the EU, it is still liable. And British Airways and Marriott racking up fines of $230 million and $123 million respectively for data breaches should be scaring the pants off businesses not in compliance.
And yet, it’s still the early days for GDPR enforcement. After the initial rush to comply, with its related costs and headaches, some companies may be frustrated that fines and penalties appear to be few and far between. Companies that delayed compliance may feel they can keep stalling, since very little action has been taken against smaller outfits.
A Forrester survey earlier this year showed the majority of companies are still far from compliant, having skipped key steps including vetting third-party vendors and dedicating personnel and budget to the effort. Some simply haven’t gotten around to it yet, while others are actively flouting the regulatory requirements, with many believing GDPR doesn’t apply to their situation.
But this is a dangerous game to play, as there’s nothing stopping EU regulators from coming after these firms if and when a violation occurs. As regulators become more comfortable with enforcement and this imaginary grace period grows longer, companies may be taken by surprise when they’re targeted for breaking the rules.
Combating this complacency is both a hurdle and an opening for MSPs. If they can convince customers that, despite its slow start, GDPR enforcement is coming (and growing), they can offer compliance services to the holdouts as well.
MSPs that haven’t been living in a bubble were well aware GDPR was imminent and would impact their client base. Getting into compliance represented a significant challenge for customers.
For many MSP clients and prospects, this is still the case. GDPR compliance simply hasn’t experienced the adoption many expected, so MSPs must continue the fight, educating companies and convincing them to invest in compliance now to avoid future penalties and irreparably damaging their reputations.
“With recent fines and penalties in 2019 and people reading more about it in the press, there’ll be more activity happening, both on the prosecution side and the response side from companies that are affected by GDPR,” says RapidFire Tools founder and CEO Michael Mittel. “We saw that happen with HIPAA in the United States. The final regulation was written into law in 2013 and it took a while for folks to realize the impact and importance. When they did, it snowballed. The same thing will happen here with GDPR.”
MSPs also have some fresh ammunition to help them win the battle and convince companies to get on board with compliance. Following the lead of GDPR, U.S. states are getting into the privacy protection game. California’s CCPA and the Washington State Privacy Act are bringing compliance closer to home, and the federal government may eventually create standards of its own. Even if companies aren’t doing business in Europe, these closer-to-home developments could shake them out of their complacency.
Moving the needle
With the early adopters already in compliance, new opportunities will require more aggressive sales tactics, which may mean MSPs must interact with prospects and clients in new ways. One side effect of GDPR is that security is no longer only a concern for the IT department – it’s now a problem for the management team and board of directors as well.
A breach now isn’t just a PR problem; it’s a massive hit to the company’s bottom line and a potential death sentence for a smaller firm. Companies simply can’t take chances with this stuff, yet they are.
MSPs must get in front of the right personnel to create the awareness and urgency to jumpstart compliance at foot-dragging firms. They can also use the same tactics to goose those clients that have been slow to complete their compliance activities.
With all of the above in mind, MSPs have their work cut out for them. But the payoff should be increased MRR, stronger customer relationships and a more diverse portfolio. To cash in on GDPR compliance, MSPs must do the following:
- Get their own house in order – Compliance starts at home in this case, and MSPs should be sure their shop is up to snuff to protect themselves and “eat their own dogfood.”
- Educate and evangelize – Until there’s a problem, GDPR isn’t going to be a top concern for clients and prospects. MSPs must continue to beat the drum and convince them that the risks of non-compliance aren’t worth whatever money or effort they’re saving.
- Make it easy to comply – MSPs exist to make their customers’ lives easier, and GDPR compliance is no exception to that rule. Provide turnkey solutions and consulting services that shepherd companies into compliance as painlessly as possible. Since compliance is a non-revenue-generating initiative, companies won’t want to dedicate their best and brightest to the cause.
RapidFire Tools can help MSPs get their customers over the GDPR goal line with Compliance Manager for GDPR. Use this tool to generate required reporting and scan customer networks for potential problem areas. Learn more with a demo or sign up for a no-risk 30-day trial today.