If you've been reading this site for any length of time, you've probably seen some articles about the European Commission's ambitions to create a regulatory framework for data privacy and security. A lot is changing in Europe (and elsewhere) and these changes will impact how MSPs deliver managed services in the future.
I will attempt to summarize the European rules and provide some guidance for MSPs as to how they should proceed, both in Europe and abroad.
European GDPR
The European General Data Protection Regulation (GDPR) is a "framework" for protecting European data in the context of cloud computing or, more generically, IT outsourcing. The GDPR is a "federal" law, but it also allows for individual European member states to amplify or expand upon this framework. In short, it will be a continuously moving target of bureaucracy and regulation.
However, to summarize the regulation is somewhat easy, at least at a high level. The GDPR aims to keep as much European data within the confines of Europe, including the European cloud.
If you think this only applies to European MSPs, you're wrong
Now, for those of you not living in Europe, you may think the GDPR does not apply to you. Think again. There are two very real scenarios a non-European MSP should pay close attention to what is happening in Europe.
First, The GDPR does not only apply to European MSPs. It applies to any MSP doing business in Europe. Second, it is important to be familiar with the GDPR since it is possible other countries, including the US, Canada, and others, may take a similar approach as the Europeans. Why? Because the GDPR is one of the first major cloud computing regulatory schemes ever to be enacted. It is only natural to assume other legislative bodies may want to do the same.
GDPR - For individuals
GDPR has a significant purpose in regulating data belonging to individuals. A quick summary of the GDPR's impact on individual data is as follows:
- Easier access to data
- Right to data portability
- “Right to be forgotten”
- Data breach notification
The data breach notification is not revolutionary, since it already exists in a vast majority of the United States. While it is not yet Federalized in the USA, the overwhelming number of states in the US require organizations to notify individuals when their data has been or may have been compromised.

