<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

Making your MSP Offering GDPR Friendly - 4 Things to Consider

Topics: GDPR, Managed Security Services, Data Security, MSSP

Posted: 20 March 2019

Making your MSP Offering GDPR Friendly 4 Things to Consider

If there is one topic which most channel partners are keen to address, then it is managed security services. Keen to be more than just peddlers of security software; and wanting to provide a wider service, channel partners are faced with a bountiful marketplace of small-to-medium sized businesses who desire high-grade solutions with lesser pricing and more flexibility.

There are of course a number of things which need to be considered when setting up a managed security service, such as what to offer, price, licensing model and SLA's. But what about the less thought of side, such as ensuring that your service has data security credentials which stand up to scrutiny?

In this blog post, we take a look at four GDPR related points, which you might want to consider when setting up a managed security service.

[You may also be interested to read "The Truth About Cloud Hosted Services and the GDPR"]

1. Have you set up breach reporting channels between you, your customer and the ICO?


Whether you are the data controller, processor or both, you will have an obligation to report data breaches which risk the rights and freedoms of data subjects which have been exposed by the breach. Who you report to and the parameters around it will differ depending on your role but having a plan of action is mandatory under the GDPR.

We recommend creating a welcome pack for your managed security service offering which details your role in the processing workflow; how breaches can be reported to you and how you report them. This should include contact information for someone responsible for data protection in your organisation, as it is unlikely that a channel partner would have a dedicated GDPR DPO (Data Protection Officer).

2. Do you have a master services agreement detailing how you process or handle personal data?

If you are a data processor, which is likely to be the case for most managed security services, you will need to be provided with processing instructions by your customer or data controller. These instructions clearly and strictly define how you can process personal data. This is again a mandatory requirement, as defined in the articles of the GDPR.

Almost all service providers will already be familiar with the concept of a master service agreement which details all manner of things surrounding the service being provided. It would be wise to append data processing instructions to this document, and have the customer sign and return.

Remember that you cannot exceed what has been defined in the processing instructions without further instruction from the data controller.

3. Do you have a process for subject access requests?

It is unlikely that you haven’t heard of the dreaded subject access request; but for the uninitiated, it is a request from a data subject for you to return records of personal data and processing activities which might concern their personal data.

Data controllers and processors are obligated to comply with such requests for free and within a 30-day time window. Except for when requests are highly complex.

It may seem trivial but even if the controller sits on the request for a significant time, you will still need to adhere to this defined timeframe. Much like the breach reporting requirement, it would be sensible to also supply your customer with a route or mechanism for retrieving records from you in such a case.

Some service providers and websites have created automated forms on their websites which log and track such requests.

4. Are you adhering to data residency requirements?

This requirement is often complicated by the fact that many managed security services are cloud-based; and cloud-based services are commonly multi-tenanted across multiple data centres and geographical regions, for the purpose of redundancy and load balancing.

[Have you also read "4 Reasons why the Future is Cloud"?]

The GDPR is a regulation created by the European Union and as result allows the sharing of data across the EU and EEA, by enforcing the same standards. The EU also permits the transfer of personal data to countries which are deemed to have adequate data protection legislation, also known as third-countries.

Finally, transfers to non-EU, EEA or third-countries are permitted so long as there are legally binding contracts in place to enforce equivalent data protection rights for data subject, as those gifted in the GDPR.

Critically, any transfer must be communicated to data subjects. So once again, get it into your master service agreement.

Managed security services can be GDPR friendly

What might seem a little bit of a minefield is really just common sense; and things which we would all expect if we were signing up to a service ourselves. Transparency is the key being viewed as trustworthy, and the GDPR is a great place to start.

[You could also check out "5 GDPR Things to Consider for your MSSP Offering"]

In my career, I have often found that most IT managers and those who are planning to roll out a new service, are suspicious of data protection laws and other regulations as being saboteurs to a great business idea.

But it doesn’t have to be that way.

A little forward thinking and careful planning could mean that you are celebrated as being the more modern and less risky of all the service providers; another unique attribute in a market of managed services which is becoming more and more crowded by the day.

Giants in the Cloud Microsoft Azure Amazon Web Services

Infinigate UK
Posted by: Infinigate UK
Share via:

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts