Given the rise of both Donald Trump and Theresa May, there’s never been more focus on regulations in recent memory. But the regulation that is starting to loom largest in the minds of business executives emanates from Brussels rather than Washington or London.
The European Union is gearing up to implement, in a little over a year, its General Data Protection Regulation (GDPR), which requires all personal data collected by companies operating within the EU to be centrally managed under the auspices of a chief data protection officer and regularly audited. Any security breach pertaining to any of that data must also be reported immediately.
But the GDPR doesn’t just stop there. It requires companies to gain explicit permission from individuals to use their personal data and honor all requests to be forgotten, which requires an organization to erase whatever data it may have pertaining to that individual.
Potential fines for violating any of these provisions are downright draconian. Based on the severity and number of violations, a company can be fined up to 20 million euros or four percent of its annual revenue, whichever sum is greater.
Why businesses are worried about GDPR
A recent survey of businesses operating in Europe conducted by Osterman Research on behalf of CipherCloud, a provider of compliance monitoring tools, finds that only a little over a quarter of respondents are confident they have the processes in place to manage data in a way that meets the requirements stipulated by the GDPR. Given the fact that those rules are set to go into effect by May of 2018, it’s little wonder that many organizations are starting to panic.
Historically, not many organizations would receive anything approaching a Good Housekeeping seal of approval when it comes to managing data. They typically have multiple copies of the same data strewn across the enterprise. To make matters worse, much of that data consists of personally identifiable information (PII) that winds up being accessed via any number of mobile computing devices that can easily go missing. Right now, the probability that most organizations will lose control over some portion of that data for one reason or another is exceedingly high.
Opportunities and challenges for MSPs
Naturally, a large percentage of the businesses affected by GDPR are going to be looking to IT service providers to help them get their data sorted out. Budgets are going to be allocated for everything from implementing data management best practices and data encryption to setting up reporting tools and regularly conducting audits. Many of these organizations are likely to conclude that it’s both simpler and safer to rely on a managed service provider to perform these tasks on their behalf.
Of course, MSPs that take on these tasks will need to make sure they are up to the challenge. GDPR requirements go well beyond, for example, simply being able to recover data in the event it goes missing. Most of the organizations seeking external GDPR help will be looking for providers capable of delivering a comprehensive suite of data management and protection services.
The good news from the IT services provider's perspective, however, is that there will finally be a chief data protection officer who is mandated to have access to a dedicated budget for managing and securing data. It may take a little while before it becomes clear who that individual is inside an organization. But once identified, that individual is going to be one of the most important contacts any MSP involved in the management of data is likely to ever make.