GDPR Protection: Better to be Safe than Sorry
So far this year alone, about 80 companies have been assessed hefty fines—one as high as $201 million—for violating the requirements of the European Union’s General Data Protection Regulation (GDPR) Act. While most were cited for “insufficient technical and organizational measures to ensure information security,” others were cited for not complying with general data processing principles or for having an insufficient legal basis for data processing.
The GDPR, which the European Parliament began enforcing in May of 2018, requires significant changes for organizations that monitor or process an EU citizen’s personal data. This includes basic identity information, web data, health and genetic data, racial or ethnic data, political opinions, biometric data, and sexual orientation.
If you think your company is safe because most of your clients don’t have offices in Europe, or because your business is relatively small, think again. While it’s technically possible that your company is safe, it’s better not to take a chance. According to the GDPR, your company is affected if it has any European clients or even a presence in an EU country.
In addition, you are liable if your company performs any operation or set of operations on the personal data of an EU data subject, or provides any services in the European Union, such as monitoring data. The GDPR classifies organizations that retain, hold or use data as either “controllers” or “processors”. Controllers gather the information, while processors use or manipulate the data. MSPs generally are considered processors.
Processing the data of an EU citizen is considered a fundamental right, according to the GDPR. That means the data subject has a right to know what is being processed – the who, what, when, why, where, and how. They also have the right to request that their data not be processed. GDPR is considered data protection legislation, but it also concerns privacy protection, because it mandates that the controller and processor must maintain appropriate technical and organizational measures to protect and secure the data.
Protecting your interests (and your wallet)
Ensuring that your company is protected from GDPR-related fines (typically between 10M and 20M Euro and between two and four percent of worldwide turnover) means taking some definitive steps toward organization, security and renegotiation of agreements to include specific data processing language that meets GDPR compliance.
Get organized. This means developing a complete set of policies, procedures and technologies that demonstrate where your data is at all times and how you are protecting that data. Knowing where your data is at all times requires mapping the location of data in your systems and how it travels to other locations. Fully protecting data means ensuring that it is encrypted both in motion and at rest, that firewalls are in place, and that you employ whatever other means necessary to keep data secure.
Taking these steps can be complicated and time-consuming, but MSPs don’t have to go it alone. For MSPs with knowledgeable IT staff, starting with ISO protocols is a good bet. Another great resource is the MSP Alliance, whose GDPR Verify program helps members become GDPR compliant and issues a certification report confirming an organization’s GDPR compliance. Seeking the help of knowledgeable legal counsel with experience in GDPR compliance is also a must.
Have a strong Data Processing Agreement (DPA). To comply with the GDPR, signing an addendum to an existing agreement won’t do. Article 28 of the GDPR requires a separate data processing agreement. While the list is long, topics that must be addressed include:
- The subject matter, duration, nature and purpose of the processing
- The obligations and rights of the Controller
- The type of personal data and categories of the data subject
- How Processors and Controllers should work together
- What can happen if Processors fail to meet their obligations
- Actions that must be taken during a breach notification
- The Processor or Controller must maintain appropriate levels of insurance
- Processors can’t transfer any personal data without the prior consent of the Controller
- Processors can’t engage in sub-processing without the Controller’s permission
Having a strong DPA would be a good idea even if it were not required by the GDPR. While it isn’t really a protection mechanism, it is an important way to demonstrate regulatory compliance to authorities who have the right to audit the MSP at any time and request access to all processing documentation and facilities. Having a DPA in place shows documentary evidence of compliance.
Consider renegotiating your Master Agreement. A master agreement details the obligations of both parties regarding the monitoring and management of data. However, since GDPR is relatively new, many master agreements may not outline what could happen during a data breach. That’s a good reason to renegotiate your master agreements to include details of data protection, breach notification and counterparty cooperation.
Risk balancing is the primary area that may require renegotiation. More specifically, consider renegotiating:
- Warranties on how the service will perform. It is important to include a warranty regarding data privacy and protection related to compliance with laws.
- Limitation (caps) on liability. When the likelihood of a data breach or a security incident is higher, the parties will often try to renegotiate the cap in the Limitation of Liability. The Limitation of Liability is the most heavily negotiated provision in the agreement, because both parties have conflicting interests when capping their damages.
- Indemnification. This provision sets out how the parties will deal with third-party claims, especially those related to data breaches or theft of confidential information.
- Data security/data breach notification and response. This provision covers how the parties will deal with an incident while it is occurring and afterward, such as reporting a breach to the company, notifying authorities, and cooperating after a breach.
Other actions to consider
MSPs can also help protect themselves against GDPR infractions by staying on top of cybersecurity threats and technologies. This is increasingly critical, as both the threats and the technologies used to fight them continue to evolve.
If your data processing activities involve systematic monitoring or processing of sensitive personal data on a large scale, consider appointing a Data Protection Officer or hiring an outside consultant to assume the responsibilities. Hiring an attorney with expertise as a DPO creates attorney-client privilege, where the exchange of information is considered privileged and confidential.
Finally, if you don’t have professional liability insurance that includes different levels of security and breach notification requirements, it’s time to get that insurance.
The bottom line is this: Even if you don’t think your company falls under GDPR regulations today, it’s much better to err on the side of caution, because similar regulatory compliance obligations under GDPR are now found in the California Consumer Privacy Act (CCPA). The CCPA is a digital privacy law that becomes effective on January 1, 2020. While it isn’t as broad as GDPR, it does apply to most businesses that collect consumers’ personal data and do business in California. Many MSPs will be subject to the law under the CCPA’s definition of a “service provider” if they do business in California. As such, MSPs will have to prepare for CCPA in much the same way GDPR required “processors” to comply. Fines for noncompliance can be as much as $7,500 per record for each intentional violation, and $2,500 per record for each unintentional violation. And it’s only a matter of time before more states pass similar laws.
So, if you are an MSP that is either doing business in the EU or California, or has customers with clients in the EU or California, you need to start thinking about seeking legal help from knowledgeable data privacy lawyers to become compliant.