The General Data Protection Regulation (GDPR) has applied across the EU since 25 May 2018. Its purpose is to strengthen the data rights of individuals and to impose obligations on the organizations that collect and process personal data. Its scope is wide-reaching and affects many businesses throughout the world.
GDPR applies to all European Union (EU) organizations that collect, store or process the personal data of anyone residing in the EU (regardless of nationality), and to non-EU organizations that offer goods or services to people in the EU or monitor their behaviour. Note that the regulation uses the term "personal data", which is broader than the US notion of personally identifiable information (PII): any information relating to an identified or identifiable person is in scope.
An organization found in breach of GDPR can be fined up to €20 million or 4% of its global annual turnover, whichever is higher. Supervisory authorities have already begun issuing fines: in January 2019 France's CNIL fined Google €50 million (about £44 million), and Amazon, Apple, Netflix and Spotify are also under scrutiny and at risk of data protection fines.
The EU expects managed service providers (MSPs) everywhere to comply with GDPR. The overwhelming majority of MSPs process personal data for European clients or their customers, often without knowing exactly what data is being processed, because under the previous regime data protection duties fell almost entirely on the data controller (the client). GDPR places direct obligations on data processors, and an MSP processing data on a client's behalf is a processor, so the technical services it offers come into scope. In short, an MSP must know what kinds of data it is processing and on whose behalf.
For example, consider an MSP that provides infrastructure-as-a-service to a client whose HR department uses file servers hosted on that infrastructure to process job applications from prospective employees; these contain personal data. Because the data sits on the MSP's storage, the MSP and the client share responsibility for GDPR compliance: the client decides why and how the data is processed (as controller), and the MSP secures the platform on which it is processed (as processor).
Under GDPR (Article 32), processors as well as controllers must implement appropriate technical and organizational measures to secure personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. Administrative, physical and technical safeguards must all be in place, since the regulation imposes obligations directly on both controllers and processors and both can be held liable for damage caused by non-compliance. This requires a shared responsibility model between all parties, ideally written into the data processing agreement that Article 28 requires between a controller and its processor.
The data in scope of GDPR is any personal data, which might include:
- Biographical information – such as name, address, social security or national insurance numbers, date of birth, phone number and email addresses, as well as details of a person's appearance such as weight, eye color or other physical characteristics
- Financial information – such as salary, tax codes or student loan information
- Web data – such as IP addresses, cookie identifiers and other online identifiers that can single out a device or user
- Health, biometric or genetic data – such as medical history, long-term sickness records or health insurance claims
- Special category data – such as sexual orientation, political opinions, religious beliefs or trade union membership, which GDPR (Article 9) subjects to stricter conditions. Location data from fitness trackers or mapping services such as Fitbit or Google Maps is also personal data, and can reveal special category information (for example, regular visits to a place of worship or a clinic).
The list above only scratches the surface. Almost any stored content, whether structured records, free text, audio or video, can contain personal data, which puts pressure on the managed services teams that handle it to treat it correctly. A further complication is that every processing activity needs a lawful basis under Article 6. Explicit consent (opt-in) is one such basis, but not the only one: a contract with the individual, a legal obligation or the controller's legitimate interests can also apply, and the MSP needs to know which basis its client relies on, because it constrains what the MSP may do with the data.
Once a lawful basis is established, the MSP must process the data in line with Article 5 of GDPR, which requires that personal data be:
- Processed lawfully, fairly and transparently ('lawfulness, fairness and transparency')
- Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with them ('purpose limitation')
- Adequate, relevant and limited to what is necessary for those purposes ('data minimization')
- Accurate and, where necessary, kept up to date ('accuracy')
- Kept in a form that identifies individuals for no longer than necessary, and then deleted or anonymized at the agreed time ('storage limitation')
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ('integrity and confidentiality')
The controller must also be able to demonstrate compliance with all of the above ('accountability'), which in practice means the MSP must keep records sufficient for its client to do so.
The Article 5 principles mean MSPs must ensure that the software and services they provide, including any cloud software, support GDPR compliance too. This brings virtualization software, hardware providers and the network layers into scope, each of which the MSP needs to verify. An MSP using a private, public or hybrid cloud must build on a secure architecture that meets GDPR's requirements. Note that a vendor's compliance does not transfer automatically: a compliant hypervisor or cloud platform does not make the MSP's deployment of it compliant.
It is critical for MSPs to keep accurate records of backups and archives for all in-scope data. MSPs must be able to locate a specific individual's data quickly, produce records of it (such as backup logs), and delete or restore it when required. This supports the rights GDPR grants individuals to obtain a copy of the data held about them (Article 15) and to have it erased (Article 17). Backups are the hard case: an erasure request must reach archived copies too, or at least be re-applied whenever a backup is restored, and the retention schedule should state how long a deleted record can persist on backup media.
GDPR also obliges MSPs to have security policies and procedures in place that protect all in-scope data. The technical safeguards vary, but typically include pseudonymization, encryption of data at rest and in transit, strong authentication and password policies, data retention rules, and backup and recovery arrangements that preserve the integrity and availability of the data. Pseudonymization deserves a note: GDPR still treats pseudonymized data as personal data, because it can be re-identified with the 'additional information' (typically a key or lookup table), so that additional information must be stored separately and under its own access controls.
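To make the pseudonymization safeguard concrete, here is an added example in Python; it is not code from the original article. It replaces the identifying fields of constructed HR application records with HMAC-SHA256 pseudonyms under a key held apart from the data, shows that records belonging to the same person still link while the raw identifiers disappear, and contrasts this with an unkeyed hash, which an attacker can reverse from a list of guessed email addresses. The field names, sample records, guess list and DEMO_KEY are assumptions made for the example; in production the key would be fetched from a KMS or HSM under the controller's control.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Added example, not code from the original article.
# Fields that identify the data subject and are replaced before a record is
# handed to downstream processing. The field names are assumptions.
IDENTIFYING_FIELDS = ("email", "national_id")

# Constructed demo key. In production the key lives in a KMS/HSM, is never
# stored next to the pseudonymized data, and destroying it is the lever for
# storage limitation and erasure (crypto-shredding).
DEMO_KEY = secrets.token_bytes(32)


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256: looks opaque, but anyone can recompute it from a guess."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: deterministic, so records of the same
    person still link, but a guess cannot be checked without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes,
                        fields: Iterable[str] = IDENTIFYING_FIELDS) -> dict:
    """Return a copy of `record` with identifying fields replaced by keyed
    pseudonyms. Non-identifying fields (e.g. the role applied for) are kept."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = keyed_pseudonym(str(out[field]), key)
    return out


def dictionary_attack(target: str, candidates: Iterable[str],
                      pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Try to recover the original value by hashing guesses. An attacker
    without the key can only run the unkeyed function over the guesses."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), target):
            return candidate
    return None


def run_demo() -> dict:
    """Run the comparison on constructed HR-style records and return results."""
    # Constructed sample data: two applications from one person, one from another.
    applications = [
        {"email": "a.applicant@example.org", "national_id": "AB123456C", "role": "Engineer"},
        {"email": "a.applicant@example.org", "national_id": "AB123456C", "role": "Analyst"},
        {"email": "b.other@example.org", "national_id": "ZY987654A", "role": "Engineer"},
    ]
    # Constructed attacker guess list, e.g. addresses from a leaked mailing list.
    guesses = ["nobody@example.org", "a.applicant@example.org", "b.other@example.org"]

    keyed = [pseudonymize_record(r, DEMO_KEY) for r in applications]
    unkeyed_email = naive_pseudonym(applications[0]["email"])

    return {
        # Same person => same pseudonym, so the two applications still link.
        "same_person_links": keyed[0]["email"] == keyed[1]["email"],
        "different_people_differ": keyed[0]["email"] != keyed[2]["email"],
        "raw_email_absent": all(k["email"] != a["email"] for k, a in zip(keyed, applications)),
        "non_identifying_kept": keyed[0]["role"] == "Engineer",
        # Unkeyed hash: the address is recovered straight from the guess list.
        "naive_recovered": dictionary_attack(unkeyed_email, guesses, naive_pseudonym),
        # Keyed pseudonym: the same guess list recovers nothing without the key.
        "keyed_recovered": dictionary_attack(keyed[0]["email"], guesses, naive_pseudonym),
        # A different key (after rotation or shredding) unlinks every pseudonym.
        "new_key_unlinks": (pseudonymize_record(applications[0], secrets.token_bytes(32))["email"]
                            != keyed[0]["email"]),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Run the file directly to print the comparison. Rotating or destroying the key unlinks every existing pseudonym, which is why key custody is the practical lever for the storage-limitation and erasure obligations; it also means the key must be backed up as carefully as the data for as long as the data is still needed.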
MSPs are also responsible for the physical security of their buildings and data halls, enforcing policies such as access control and badge systems, surveillance monitoring, protection and tracking of physical assets, locks, and where warranted 24×7 on-site security personnel.
Cloud providers increasingly offer services that support GDPR compliance, such as identity and access management (IAM), managed Active Directory, key management services (KMS) for encrypting data at rest, and SAML-based identity federation for controlling who may push and pull data over public or private connectivity. Using these services does not make an MSP compliant by itself; the MSP still has to configure them correctly and document how they meet its obligations.
Another key element of GDPR is what a data-processing MSP must do when a personal data breach occurs. It must be able to establish when the breach occurred and exactly what data was accessed or altered, and it must keep a record of the breach and how it was handled. The notification duties differ by role: as a processor, the MSP must notify the affected controller (its client) without undue delay after becoming aware of the breach (Article 33(2)); the controller must then notify the supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals, and must inform the affected individuals themselves when the risk to them is high (Article 34). Because the controller's 72-hour clock depends on the MSP's report, the MSP's own detection and escalation path has to be fast enough to leave the client time to act.
MSPs often deploy technical controls to support compliance. Endpoint security suites such as Trend Micro's include a remote wipe feature: if a laptop holding in-scope data is lost or stolen, the device can be wiped to protect the data and reduce the risk of a reportable breach. Remote wipe only works once the device is online and reachable, so it should be paired with full-disk encryption, which protects the data regardless. Other tools such as intrusion detection and threat analysis software, which flags unauthorized third-party access to IT systems, and network firewalls can also be deployed. Detailed monitoring and logging of service activity is essential in any case, because without logs an MSP cannot answer the questions about a breach that notification requires.
To conclude, GDPR is still relatively new legislation that affects organizations across the globe, and many are still struggling to achieve compliance because the rules are complex and enforcement practice is still developing. The rights individuals have to view, correct and delete their personal data add to that complexity. Most MSPs will need to update their data handling processes and procedures and agree a shared responsibility model with their clients, the data controllers. Over time the EU's supervisory authorities will enforce GDPR penalties more regularly, keeping GDPR at the forefront of every global business's agenda.