The General Data Protection Regulation (GDPR) went into effect in May of 2018. The law governs how the personal data of EU citizens must be handled and levies substantial penalties on organizations that fail to comply. It applies to every company that controls or processes personally identifiable information about EU citizens, regardless of where the company is headquartered.
To ensure compliance, organizations must implement the necessary security technology, policies, and procedures. Many will need help and will turn to MSPs for the tools and practices that get them compliant and keep them that way. Here are 10 tips for MSPs on getting clients GDPR-compliant:
Know the law: To effectively help clients achieve GDPR compliance, MSPs must know the law and understand its provisions. Unlike previous regulations, GDPR includes requirements specific to MSPs and other “data processors.” Consult with legal experts to ensure you have the right systems and procedures in place to achieve compliance, and help clients do the same.
Discuss compliance with clients: MSPs have a dual role when discussing GDPR with clients. First, you must educate them on what the law covers and their responsibilities. Second, you need to assure them you have the technology and expertise to help them achieve compliance. Make the case that clients needn’t hire an expensive security professional or compliance officer because you are equipped to handle it.
Identify the covered data: GDPR replaces regulations that varied from one EU member nation to another, so there’s bound to be some confusion about what data is covered. MSPs can help clients identify the covered data, some of which may not be immediately obvious. Personal data covered by GDPR includes any information that can be used to identify an individual, including IP addresses, cookies, mobile device IDs, and location data.
Monitor client environments: GDPR doesn’t explicitly call for monitoring, though it does require organizations to implement adequate security controls. An effective way to demonstrate that controls are in place, and to avoid a fine should an incident occur, is to refer back to the monitoring tool’s event log. Round-the-clock security monitoring is therefore an essential service MSPs can offer to keep clients GDPR-compliant.
Centralize security management: Managing the security environment from a centralized dashboard goes hand in hand with monitoring. Both align with the GDPR’s requirement that organizations maintain a privacy compliance framework. Centralized controls make it easier to manage the environment, and to access and analyze log data should an MSP ever need to prove a client’s compliance.
Implement real-time alerts: GDPR mandates that organizations that suffer a security breach report it to the proper regulatory authorities within 72 hours of discovery, and notify affected subjects “without undue delay.” Real-time alerts can make a real difference here. A security platform with real-time alerting capability allows an MSP not only to initiate an attack response immediately but also to issue the required notifications on time.
Conduct regular audits: MSPs need auditing and testing capabilities to assess the effectiveness of the security controls they have in place for clients and to provide assurance that the environment complies with relevant standards and regulations. Automating this process is the most efficient approach, as it reduces manual tasks and the potential for error. Assurance testing should typically take place quarterly.
Implement reliable threat detection: It takes only minutes for data and systems to be compromised, so organizations need advanced protection against dangerous, fast-acting threats. Threat detection tools must catch and ingest data on both known and previously undiscovered threats. This requires finely honed behavior analysis capabilities and threat intelligence gathering and interpretation to quickly identify threats, initiate a response when necessary, and ensure compliance with GDPR’s stringent requirements.
Promptly respond to breaches: When a breach is detected, an MSP must spring into action without delay. Some infections can spread in the blink of an eye, so rapid threat identification and analysis are critical. As already noted, GDPR requires certain steps to be taken, including notification of affected users and regulators. MSPs cannot waste time in reporting the nature of the breach, which data was compromised, which users are affected, and what measures they are taking to mitigate the attack.
Prepare an incident response plan (IRP): The best incident response is a planned response, so IRPs should be in place for MSPs and their clients. If you try to make up a plan while already responding to an incident, you’re bound to get it wrong. IRPs cover what actions to take following a breach, who is in charge of those actions, whom to contact, how to keep the business operating, and whether alternative sites will be needed. Every step in the IRP should be thought out, documented, communicated to stakeholders, and tested. Conduct periodic drills with clients to ensure everyone understands what’s expected of them.