MSPs Should Charge More for GDPR Clients
For some time now, MSPAlliance has argued for a risk-based approach to pricing for managed services. This model minimizes the commodity-driven approach of user and device-based pricing, and instead focuses on the risk a client presents to the MSP as the primary calculus for pricing a managed services contract.
Today, GDPR presents a perfect opportunity for MSPs to put a risk-based pricing model into practice. Let’s see how this would work.
First, if you would like to review what we’ve said about risk-based pricing, you should do so. This model can work for an MSP of any size in any geographic location.
Second, any focus on GDPR clients or data will fit nicely into a risk-based pricing model. Here are the basic arguments supporting this approach:
- GDPR data must be managed in a highly structured manner. MSPs who handle GDPR-covered data have to know every part of the service delivery supply chain, including 3rd parties, in order to provide assurance as to how the data is being managed.
- GDPR clients could involve greater security requirements. Similar to any regulated industry, MSPs must approach these types of clients (and their data) differently than other non-regulated clients. A heightened approach to this type of managed service can include private or hybrid cloud hosting options, more stringent change control policies, and possibly more restrictions on the types of 3rd parties able to touch the GDPR data.
- Legal and regulatory fines. As is true with many regulated industries, MSPs managing GDPR data do face financial penalties, including regulatory fines and even private lawsuits in the event of a breach or other violation of the GDPR law.
- Certification costs. Demonstrating compliance with GDPR is far easier through certification than the “old fashioned” way of responding to each client’s information request on an ad hoc basis. Moreover, many clients will not accept “informal” information provided by the MSP, opting instead for more formalized and independent certifications and audits.
- GDPR data costs more to manage. Add up all these points, and you have a segment of customers who need a lot of help in managing their data in a certain way. To be compliant with GDPR means extra care spent on the delivery of managed services to those clients with European data.
Anytime extraordinary measures are required in a managed services relationship there must be a different evaluation of the risks taken by the client and the MSP. Even if the MSP provides only one variety of managed service, a GDPR (or other regulated industry) client should be charged more for the additional risk involved in managing that data. Even if the client managed all their IT internally, there would still be risk involved.
MSPs need to appreciate the risks they take, particularly when dealing with clients who do not have that same appreciation. Those are often the clients who need to pay the most.