Now that May has long come and gone, the European Union’s General Data Protection Regulation (GDPR) has come into full effect. Unless you’ve been living under a rock for the past six months, I’m assuming you’ve at least heard of it and may even know a bit about it (especially if you KNOW it applies to you). For those of you not familiar with it (or who think you may not have to worry about it), GDPR is the replacement for the EU’s 1995 Data Protection Directive. Both mandates seek to regulate the processing of EU citizens’ personal data. GDPR seeks to largely put control over an EU citizen’s personal data into their own hands.
Because this regulation is about the personal data of an EU citizen, it’s entirely possible and probable that some of your customers – even if they reside in the United States – fall subject to GDPR. So, I wanted to take some time and discuss how this new regulation will impact the way your customers do business and, potentially, how that translates into services for you.
What’s the Big Deal With GDPR?
There are some very specific rights granted to EU citizens under GDPR that may impact your customers’ business operations.
- Data Breaches – GDPR makes any personally identifiable information protected data, requiring its processing to be handled in a way that ensures it is never misused.
- Right to Access – EU citizens have the right to access their own data, which includes detail around how it has been processed, the reasoning behind the processing, who the data has been shared with, and how the data was acquired.
- Right to Erasure – EU citizens have the right to request that their personal data be erased (providing your customers aren’t engaged in any active business with said citizen).
- Right to Data Portability – The citizen has the right to transfer any personally identifying information (PII) to another organization using a common data format.
How Does it Impact Your Customers?
So, first off, I’m not a lawyer (nor do I play one on TV), so this is most definitely NOT a legal advice column. But I’m going to do my best at providing some technical guidelines on the impacts GDPR generally has – even for your smaller customers. For each of the following three impacts, you should be seeking both to understand the impact and to look for ways to provide services that assist.
Impact 1 – How they collect customer data – GDPR requires affirmative consent by anyone filling out a web form. So, if your customers are still using passive opt-in forms on the web and are registering EU citizens, the website needs to change.
Impact 2 – How they process customer data – Any EU PII (Personally Identifiable Information) will be considered protected data, requiring processes to be put in place to ensure the collection, usage, transfer, sharing, etc. of PII is appropriate. This also means putting processes in place to meet the rights to access, erasure, and portability.
Impact 3 – How they engage you to manage customer data – You’re already being leveraged when it comes to implementation, management, backup, and archiving of critical systems and data. So, as you add GDPR into the calculation, your customer may need to further rely on you (the MSP) to address issues like:
- Where is their customer data? In order to erase PII, they need to fully understand exactly where it resides within their environment. You can provide services around identifying which systems and applications host PII.
- Have we had a data breach? Understanding the occurrence and scope of a data breach is highly important. You have the proactive opportunity to establish user and system activity monitoring to help both identify breaches and define what was breached.
- How do we delete a customer record entirely? The concept of deleting a record may involve multiple systems and may not be as easy as pressing a Delete
Keeping GDPR in Context
Remember, this only applies to companies that do business with EU citizens. It should also be noted that that’s already a pretty big number of companies in the world. So, GDPR applicability is likely less a concern for the very small mom & pop business (the likelihood that a single-store pizza shop will be the target of the EU government is low) and more for any larger entity that has multi-national customers.
And, while a two-year adjustment period has been in place (up until May 2018), I’m surprised at how many businesses are just thinking about GDPR now. Your next steps are to brush up on GDPR, develop a number of service offerings (some one-off, some on-going), and begin to help those customers subject to GDPR to be compliant with it if you have not done so already.
If you haven’t at least considered the implications of GDPR, you need to. Even if you think it doesn’t apply to you, chances are you have a customer that services an EU national in some way, shape, or form, and you don’t want your customer to deal with the legal fallout from that in the event that you (the trusted IT advisor) miss it.
For those of you that have already dealt with GDPR, what were your thoughts on the process? Was it time-consuming? Was it difficult seeing where it applied? We’d like to hear more! Let us know in the comments section below!