Like many an industry trend before it, the MSSP (Managed Security Service Provider) model appears to be gaining traction among IT teams and security practitioners alike: embracing cloud and hosting technologies to relieve the burden of ownership and maintenance, retain sound security practices and benefit from subscription models of service.
If you are planning to run, or are already running, your own MSSP platform, you will no doubt have some questions about its position within the framework of the GDPR (General Data Protection Regulation). Here we have compiled five of our top considerations to ensure your MSSP is GDPR ready.
1. Processing Instructions
Depending on the service you are offering, you may be a data controller, a data processor or both. If you are either of the latter two, you will need agreed processing instructions from your data controller (your service subscriber). These instructions detail which items of personal data your service is going to process and exactly how they should be processed. As the service provider, you understand the service you provide better than anyone, so you could offer this contractual instruction set as a pre-prepared value-add to your managed service offering.
2. Incident Response and Communication Channels
As a data controller, processor or possibly both, you have obligations to report significant data breaches. Whether your obligation is to report to the data controller or to the supervisory authority, a documented plan of action, supplied to the data controller from the outset, is a must. You will have to provide information such as the nature of the breach, the number of data subjects affected, the specific categories of personal data affected and the likely impact on data subjects as a result of the breach. It is strongly recommended that you do not build your response plans ad hoc at the point of a breach. This might seem obvious, but ask yourself: does your team really know how to respond to a data breach incident?
3. Data Centre Locality
While the processing of personal data is not confined exclusively to within the borders of the EU and EEA, keeping it there certainly makes things a little simpler; a luxury not necessarily worth passing up when navigating a near 100-page regulation. Many MSSP offerings today are hosted on commercial cloud platforms such as AWS or Azure, which allow you to choose the data centre used and the location of its backup. Choosing a European location is recommended.
4. Person Responsible for Data Protection
Not all organisations are required to appoint a DPO (Data Protection Officer); however, there are three conditions under which the appointment is mandatory. For everyone else, there is a loosely held, industry-wide recommendation that there should still be an appointed person who is responsible for data protection within the organisation. When offering an MSSP service, it is advantageous to have this role assigned, as it indicates that you are an organisation that takes data protection seriously.
5. Documented Processing Workflows
Don't do a Facebook (yes, it has become a verb). Be clear with your subscribers about the service you offer and how you process personal data. Embed this in your service contract to show a high level of clarity and ethics where data protection is concerned. Data controllers are obliged to document all processing activities and will appreciate you completing this on their behalf, as part of the wider value-add of your MSSP offering.
Conclusion - So why bother?
Well, other than the fact that processing the personal data of data subjects within the EU and EEA makes the application of the GDPR's articles mandatory, your customers and prospects alike will be questioning their MSSPs and other third parties about their adherence to the regulation. This question will begin to appear on procurement and RFI (Request for Information) documents soon, if it has not already.
You may offer the best MSSP in terms of traditional metrics such as uptime, capabilities, price and speed, but we now enter a world with a new metric: the possibility of losing an opportunity on the basis of poor regulatory adherence.
For some it's a large leap to make, but for all it's not a choice.