MSPs: 3 Steps to Provide GDPR Services
The General Data Protection Regulation (GDPR) is now in full effect (and has been since May 25). This European Union-based regulation impacts any organization that does business with EU citizens – even businesses located outside the EU. You’ve no doubt heard buzz over the last number of months about GDPR, so you might be thinking your clients have everything under control. But, despite having two years’ notice to get ready for GDPR, only 18% of U.S. businesses say they are ready. So, if you’re an MSP taking care of U.S. clients, there’s an opportunity for you to help, as even U.S. businesses (that interact with anyone in the EU) need to be GDPR-compliant.
But the GDPR is a lengthy set of rules, processes, regulations, sanctions and penalties. And all you’re wondering is how to help your clients and generate revenue.
So, how do you translate rules and regulations into tangible (and beneficial) services?
There are a few things you need to do:
Step 1: Brush up on GDPR
There are a ton of resources out there (including the regulation itself) that can help you better understand what GDPR means for your customers. There are 7 principles that form the basis of GDPR, but, in general, the following three issues are at the heart of GDPR:
1. Protect PII: GDPR broadens the definition of what constitutes personally identifiable information (PII) and puts specific data protection guidelines around how the data is to be collected, safeguarded and processed. It also defines what needs to happen should a data breach occur.
2. Provide customers with access to their data: Citizens living in the European Union have the right to request to see their data, as well as detail on how it has been handled, shared, etc.
3. Erase customer data on request: With the exception of current customers, EU citizens have the right to be removed – completely – from your client’s databases, applications, etc.
Please do keep in mind there’s much more to GDPR than just the three issues above. GDPR goes into detail about what kinds of personnel, controls, and preventative and reactive measures all need to be in place for an organization to be considered compliant. So, it’s important to have a solid understanding of what’s really involved.
Step 2: Create services around customer gaps
There are some services that fall into the “low hanging fruit” category when it comes to GDPR. The list below is by no means exhaustive, but it does serve as a means to get you thinking about how you might best serve your clients.
Data collection: If your services delve into the world of website design, GDPR has specific requirements around registration opt-ins, privacy notices, and more. While not major revenue, it does provide an opportunity to help update your clients’ websites.
Data protection: GDPR mandates that data protection be not just in place, but there by design – baked into your clients’ processing activities and business practices. The opportunity for you to provide a review of data protection and make recommendations is an easy starting point. Additional solutions and services designed to assist with GDPR can be suggested to protect from external attack (endpoint protection, DNS protection, and security awareness training are appropriate here), improper use of data by an insider (for example, user behavior analytics and user activity monitoring), encryption around data and data transfers (such as managed file transfers), and more.
Backups: GDPR has specific storage limitations, which can have an impact on retention policies and long-term storage of your clients’ data. If you’ve been thinking of getting into the backup/disaster recovery business, this is a good opportunity to make the case to your clients that you should own it.
Step 3: Educate your customers
If you don’t have a clear picture of what’s involved with GDPR, your customers certainly won’t, either. Discussing the requirements and penalties will lay the foundation for you to establish your customers’ need for additional services you provide.
The conversation should start there and then cover specific business needs. Do they have their websites updated? Are security controls built into their environment and business processes? These types of questions should remain at a business level to allow customers to come to their own conclusion that they’re not ready for GDPR.
Lastly, have the conversation around the services you offer, outlining how you can assist.
Get into the GDPR Game
Just because GDPR is in effect doesn’t mean you’ve missed the boat. But now is the time to do something to help your clients achieve compliance with GDPR. By following the three steps listed above, you should be able to build out a number of services you’re comfortable with, and begin selling them and helping clients to be GDPR-compliant.
This guest blog is part of a Channel Futures sponsorship.