European GDPR Explained for MSPs

If you’ve been reading this site for any length of time, you’ve probably seen some articles about the European Commission’s ambitions to create a regulatory framework for data privacy and security. A lot is changing in Europe (and elsewhere) and these changes will impact how MSPs deliver managed services in the future.

I will attempt to summarize the European rules and provide some guidance for MSPs as to how they should proceed, both in Europe and abroad.

European GDPR

The European General Data Protection Regulation (GDPR) is a “framework” for protecting European data in the context of cloud computing or, more generically, IT outsourcing. The GDPR is a “federal” law, but it also allows for individual European member states to amplify or expand upon this framework. In short, it will be a continuously moving target of bureaucracy and regulation.

However, the regulation is fairly easy to summarize, at least at a high level. The GDPR aims to keep as much European data as possible within the confines of Europe, including the European cloud.

If you think this only applies to European MSPs, you’re wrong

Now, for those of you not living in Europe, you may think the GDPR does not apply to you. Think again. There are two very real reasons a non-European MSP should pay close attention to what is happening in Europe.

First, the GDPR does not only apply to European MSPs. It applies to any MSP doing business in Europe. Second, it is important to be familiar with the GDPR since it is possible other countries, including the US, Canada, and others, may take a similar approach to the Europeans. Why? Because the GDPR is one of the first major cloud computing regulatory schemes ever to be enacted. It is only natural to assume other legislative bodies may want to do the same.

GDPR – For individuals

GDPR has a significant purpose in regulating data belonging to individuals. A quick summary of the GDPR’s impact on individual data is as follows:

  • Easier access to data
  • Right to data portability
  • “Right to be forgotten”
  • Data breach notification

The data breach notification requirement is not revolutionary, since it already exists in the vast majority of US states. While it is not yet federalized in the USA, the overwhelming majority of states require organizations to notify individuals when their data has been or may have been compromised.

The “right to be forgotten” and data portability elements of the GDPR may have more to do with Europe’s fight against Google and Facebook, and what impact it will have on MSPs is not yet fully known.

GDPR For Businesses

The GDPR for businesses is what MSPs need to be concerned with in the immediate future. The GDPR sets forth the following:

  • Single law for all of Europe
  • Single regulatory authority
  • Single set of laws applying to all companies doing business in Europe, regardless of where they are based!

While the GDPR does not license or tax MSPs, it does have significant authority to fine businesses for non-compliance. Please note, I do not state here that the GDPR is an MSP-specific piece of legislation; it is not. It is, however, a regulatory scheme which could very well impact MSPs with customers in Europe.

Here is a summary of what the GDPR does to businesses, including MSPs. The GDPR does the following:

  • Impose fines for non-compliance
  • Force transparency amongst providers
  • Bring cloud and managed services into the spotlight
  • Provide a template for other governments that may wish to regulate
  • Provide a huge opportunity for MSPs to bring customers into compliance

What Next?

For MSPs, this does not mean a more difficult time in Europe. Managed services continue to grow globally (and even in Europe), even in the face of the GDPR. The overall trend in managed services, however, is becoming quite clear: MSPs need to be more transparent. European MSPs, in particular, will need to demonstrate things such as the geolocation of data and the geolocation of users with logical access to customer data.

The GDPR will not make it more difficult to outsource to managed service providers. It will create a very stark contrast between those MSPs capable of complying with the GDPR and those who cannot. For those MSPs with solid transparency practices and good documentation of policies and procedures, their chances of reaping the vast rewards of cloud computing and managed services are very good indeed.

About MSPAlliance

Founded in 2000, MSPAlliance is the world’s largest community for managed service providers. Free membership gives you access to resources, research, and certification programs that help you build a mature, compliant, and trusted MSP business.
