Is a United States GDPR Coming?
The battle against public cloud vendors is raging. This battle is global in scale, most recently with the European community drawing a line in the sand regarding data handling within European member states. The passage and ongoing implementation of GDPR are already having a significant impact, both on MSPs (and their customers) within Europe and here in North America.
MSPs in North America may be tempted to think that GDPR is not relevant to US or Canadian MSPs and therefore need not be discussed. This type of thinking is short-sighted for the following reasons.
MSPs with European Customers
If you have a customer with any presence in Europe, your managed services practice could very well be covered by GDPR. Beyond whether your MSP is covered by GDPR, the next issue is the nature of the data you manage on behalf of that European customer. What is most important, however, is that MSPs (both European and elsewhere) recognize that where the MSP is located does not matter. What matters is where the customer and their data are located. Those answers will largely dictate whether GDPR applies to you.
GDPR Movement is Headed to North America
While MSPs in Europe are dealing with GDPR, the signs are everywhere in the United States that a US-focused "GDPR" may soon be a reality. The attorney general for the state of Missouri has just opened up an antitrust and consumer protection investigation against Google. While many would see this as unimportant, the rationale behind the investigation has many similarities with Europe.
General concern regarding European data being handled by large public cloud vendors (like Google) was a significant reason behind the GDPR. Those same reasons have just as much validity here in the United States as they did in Europe. Now, as a user of Google products, I should point out that GDPR was not about Google, but about all public cloud vendors where massive amounts of user data are impacted. Google, Facebook, Microsoft, Twitter, and others are all implicated in what I would classify as a general revolt concerning data privacy and security in the public cloud.
Should MSPs Be Concerned?
In short? Yes. MSPs need to be aware of these larger issues and battles, even if they appear to be far away and unconcerned with the daily operations of everyday MSPs. Just as GDPR began as an attempt to safeguard consumer data in the public cloud, it is already having a real and significant impact on MSPs with European customers.
Similarly, US-focused "GDPR" legislation could have an equally real and significant impact for MSPs operating in the United States. We will have to see.
The investigation into public cloud vendors is what I will be watching. Those actions and their findings will ultimately play into whether the US ends up under our own data privacy and security regulation.