“The knowledge, processes, procedures and products needed to achieve [GDPR] compliance are a potential jewel in the hands of those who acquire them.”
But how can you embrace this opportunity?
The General Data Protection Regulation (GDPR), which will be enforced from 25th May 2018, is being widely depicted as a financial and reputational cloud hanging over the heads of those businesses that don’t achieve compliance.
But alongside the scaremongering is a more positive side to GDPR as a potential opportunity for MSPs to use the experience gained in their own GDPR journey to help their customers to achieve compliance – and so enhance their role as trusted advisers in the process.
If you are still struggling with compliance for your own business (and many of us are!) this may seem like a bridge too far. But if you, an IT services provider, are finding GDPR onerous, just think how many of your SMB customers could benefit from a helping hand.
Provided your own GDPR house is in order, of course.
Why it’s important
As an MSP, you need to be GDPR compliant if you handle any personal data pertaining to EU citizens for your own business or on behalf of your customers. You must protect your own business from the increased financial, legal and reputational consequences of any breaches post-May 2018, while also reassuring customers that you offer a safe, GDPR-compliant pair of hands for any of their data that you manage.
GDPR compliance is increasingly being included in ITTs and RFPs, so if you can’t tick that box, you also risk losing out on new business to those MSPs who can.
The problem is that while GDPR is clear about what must be achieved in terms of data protection, it doesn’t prescribe exactly how this should be accomplished. Technology can help, but doesn’t offer a ‘silver bullet’.
GDPR is largely about processes, procedures and policies. As an MSP this is what you’re good at.
Therefore, if you have completed your own GDPR journey, you will have gained valuable knowledge and insight from which your customers could benefit. You may not be able to provide all of the expertise required (and you must be clear what you can and can’t do), but you can potentially point them towards companies or solutions that would fill the gaps. Importantly, you need to be able to monetise those elements that you can provide.
If you are well on the way to GDPR compliance and feel confident that you could help others, here are six suggestions for getting the GDPR conversation started.
Promoting your GDPR experience
The experiences you have gone through to ensure your own GDPR compliance will be of great interest to customers and prospects following behind. So let customers know that you are proactively working on GDPR and mark GDPR milestones in social media, blogs and on your website to send out a ‘been there, done it’ message to your audiences.
Once you have achieved compliance, you can use it as a quality standard ‘kite mark’ on your website and marketing materials to attract and reassure prospects and customers.
Starting the conversation with your customers: educate and engage
For many businesses affected by GDPR you, their MSP, are likely to be the first port of call for help, whether this is to implement data management best practices, work on data encryption or set up reporting tools and conduct audits. It makes sense – you are already trusted as a service provider.
Be proactive. Your customers may not appreciate the full implications of what needs to be done, so sound out their understanding of their legal obligations – and how they plan to translate these into real-life actions. This will help you to identify gaps – and also any areas where you could help.
As part of this, ask about progress in some of the more problematical GDPR areas, for example:
- Have they conducted data audits across departments to identify all EU personal data?
- Can they meet requirements for encrypting and protecting this data?
- Do they have a transparent process in place for gaining explicit consent to use individuals’ data?
- Can they manage the strengthened rights of individuals, particularly the right to be forgotten, across all systems and backups?
- Do they have policies/procedures in place for the ‘anonymisation/de-identification’ of personal data?
- Are they working with any operational partners that access personal data on their behalf, anything from cloud providers to third-party marketing agencies?
- Would they be able to notify authorities and any affected individuals within 72 hours of a data breach occurring?
GDPR requirements are so broad that an end-to-end solution is unlikely to be available from a single supplier. Most businesses will have to fill gaps with a mix of technology and in-house/external expertise.
It’s important to be clear where you can help to fill these gaps and what is out of your scope.
As a starting point, identify which of the products and services you currently offer would help to achieve GDPR compliance – security, archiving and data destruction, for example. Around these, you may consider partnering to augment your own services and expertise.
MSPs who act as virtual CIO to their customers are all too aware that what starts out as a helpful chat can, over time, morph into free consultancy, with the expectation that because your role is ‘virtual’ your fees should be too.
GDPR advice could follow this slippery slope – unless the value provided can be ‘packaged’ and assigned a price tag. The problem is that if you use bundled pricing for products and services, it could become very onerous to pick out each service element and price it separately.
Perhaps start with core services such as audits, gap analysis, training and consultancy. These are easier to put a price on.
You could start by offering a chargeable audit of your customer’s current processes for collecting and managing data, identifying where these do not align with GDPR requirements. You could also suggest an assessment of current data security policies and technologies, mapping these against the GDPR requirements to identify gaps that need to be addressed.
The day-to-day skills that you use in your managed services business, combined with the experience acquired specifically for GDPR, should help: data mapping, data discovery, data governance and management, and implementing security controls, for example.
Or you could run training days based on your own experience of implementing the operational aspects of GDPR, leading into where and how your services could help.
Under GDPR, some organisations have to appoint a data protection officer (DPO). One way of addressing this for many SMBs would be to use a virtual DPO: an external DPO would be impartial, without vested interest in the data or how it is used, and it would probably be more cost-effective to ‘outsource’ than hire an expensive internal DPO. This is not something that every MSP could offer, however.
An ongoing opportunity
If you are still too busy ensuring that your own managed services business is GDPR-compliant to offer any kind of GDPR ‘as-a-service’ to your customers, you could benefit further down the line: unlike Y2K, there is no definitive end-point for GDPR business opportunities.
Yes, the current flurry of activity will continue in the lead up to the 25th May 2018 deadline, with budgets allocated for this period. But compliance will be an ongoing process. Industry commentators suspect that once the new, heavier financial penalties for data breaches start to make the headlines, businesses that are only ‘minimally’ GDPR-compliant will find the budget to put something more comprehensive in place.
To quote again from the summary of Jim Sneddon’s presentation at last month’s CompTIA EMEA Conference:
“The very process of learning all the tips and tools to successfully achieve compliance is an opportunity for channel companies to sell those tips and tools to customers and partners. Every gap in a customer’s compliance is an opportunity to upsell a new module or product. In this way, every customer ‘gap analysis’ or health-check is a potential sales tool.”
If you’ve put all the work in to achieve GDPR compliance for your own managed services business, doesn’t it make sense to get some financial return from this experience – and enhance your position with your customers too?
Contact us to find out how partnering for NOC and Service Desk can help free up your time to focus on GDPR compliance and on opportunities to monetise this experience with your customers.
Jim Sneddon, Founder of Assuredata: ‘GDPR – A road-map to being compliant’, Channel keynote, CompTIA EMEA Member and Partner Conference, 17-18 October 2017