GDPR Readiness of Managed Service Providers

Author of this article is Deema Freij. She is Associate General Counsel and Global Privacy Officer at Carbonite, MailStore’s parent company.

It is not uncommon for Managed Service Providers (MSPs) that, for example, have our MailStore Service Provider Edition (SPE) in their portfolio to offer email archiving as a service to ask us or our distributors how they can become GDPR-ready. Determining the appropriate measures to be "GDPR-ready" has to be done on a case-by-case basis. We cannot purport to give legal advice (for legal advice, please consult your lawyers), but we can provide guidance from lessons learned on the GDPR journey.

We'd like to provide you with a list of things you should probably consider on your way to GDPR readiness:

1. Data Security Strategy – Policies and Training of Employees

Even the most secure environments can end up being insecure if you do not have well-trained employees who are sensitive to the concept of privacy. Ensure that you organize training for your employee base and have them take annual data privacy and security training. There has to be a strong data privacy program within the company, backed up by policies. Privacy is not a topic taken care of by a single department; it has to be driven from the management.

2. Appointment of Someone Responsible for Data Privacy

Since there are special regulations that differ from GDPR in regulated sectors like healthcare or finance, you should probably provide an internal or external contact person for your customers to discuss their specific needs. Some companies are legally obliged to have data privacy officers, but even if you are not, it is always a good idea to have someone who is responsible for data privacy. Outwardly, it shows people that you are serious about privacy.

3. How are Data Subject Access Requests Handled?

Data subjects' rights were strengthened by GDPR and have become a central part of this data privacy legislation. Go through each of the rights and make sure that you have strategies in place to deal with data subject requests. Data subject requests include the right to:

  • Access
  • Deletion
  • Rectification
  • Portability

4. Data Breaches

Do you have a robust incident response policy in place? Is there a structure of people who know what to do in a breach situation? If a breach does happen, you need to act quickly and follow the process outlined in your response plan, namely:

  • Determine the exact facts of the incident
  • Inform internal contact persons
  • Contain the breach
  • Restore the affected systems
  • Work out a communication strategy both internally and externally
  • Alongside the above, determine whether affected parties and/or authorities need to be informed, and cooperate actively

In order to prevent and mitigate against data breaches, ensure that you:

  • Implement technical measures, for example encryption at rest and in transit
  • Implement organizational measures, such as a dual-control principle

Do You Have Access to Customer Data?

If the MSP handles customer data, then in all likelihood there should be a data processing agreement in place with the customer. Will a third-party vendor be used for support? If so, see the vendor vetting section below.

Will You Use Your Own Infrastructure?

For MSPs without their own infrastructure, third-party vendors play an important role in their model. Vendor management is a very big part of GDPR. Organizations will need to vet their vendors properly and ensure that they have proper policies in place to help with GDPR initiatives. Questions to help in vetting vendors:

  • Do you train your staff regularly on data protection and security?
  • What security and privacy measures do you have in place to protect personal data?
  • Can you process customer data deletion requests? If so, how quickly? Is this an automated or a manual process?
  • Do any third parties have access to our customers' data?
  • What data breach protection and protocols do you have?
  • How easy is it to export data? Is all data ready for portability requests?
  • Where is the data center that I use located? Is data transferred out of the EEA? If so, under what legal basis is this happening (standard contractual clauses, Privacy Shield, etc.)? Do you need or have a data processing agreement in place?

Service providers interested in MailStore SPE can register free of charge here to obtain all the relevant information including access to a free trial version.
