What are the implications of the GDPR?
The General Data Protection Regulation (GDPR), effective from 25 May 2018, enhances existing data protection rules for all businesses handling personal data of EU citizens and extends responsibilities from data controllers to also cover data processors. Some of the key points of the GDPR include:
- Fines - maximum fines for non-compliance are €20 million or 4% of global annual turnover (whichever is greater)
- Data breach - the relevant data protection regulator (the ICO in the UK) must be notified of any data breaches “without undue delay” and within 72 hours if possible
- Governance - data controllers and processors must demonstrate an awareness of their data protection obligations and show they have taken steps to comply with the regulation (e.g. putting in place effective cybersecurity measures)
What is the effect of the GDPR on MSPs and their clients?
Managed service providers (MSPs) and cloud service providers (CSPs) such as Navisite are covered by the GDPR. This means that, although their clients are still responsible for ensuring compliance with data protection rules (as data controllers), MSPs and CSPs now share this responsibility (as data processors). Penalties for failing to comply with the GDPR apply to both data controllers and processors - so both parties need to take steps to avoid falling foul of the rules.
Clients should expect their MSPs and CSPs to show an awareness of the key data protection principles, demonstrate a robust control environment and offer methods of ensuring GDPR compliance - for example in areas such as cybersecurity.
What is Navisite doing to help clients with the GDPR?
One of the most important steps in GDPR compliance is to first identify all the instances and types of data held by a particular business. We help our clients to identify and classify any data they hold on their customers, employees, suppliers, and any third parties. We also provide guidance on the various controls that need to be put in place with regard to any personal information processed and we can assist with cybersecurity measures to protect the integrity of this data.
Navisite has adopted the ISO/IEC 27001 and SOC 2 frameworks – internationally recognised standards for information security management – which gives our clients peace of mind that their data is in safe hands.
What is the future of data protection?
The GDPR marks a movement in favour of privacy and allowing individuals to have greater transparency and control over their personal data. The Cambridge Analytica scandal was perhaps a watershed moment in a shift away from unfettered data harvesting and monetisation by social media and internet companies. This trend looks likely to continue, with privacy campaigners such as Max Schrems gaining traction in the courtrooms and casting doubt over the validity of the Privacy Shield agreement which allows data to be moved freely between America and EU countries.
In order to stay ahead of the curve, MSPs and their clients should prioritise data protection, both in terms of cybersecurity and also by ensuring that data subjects are fully aware of how their data is being used, consent to the ways in which it is used and always remain in full control of their data under the GDPR principles.