If there is one topic which most channel partners are keen to address, then it is managed security services. Keen to be more than just peddlers of security software; and wanting to provide a wider service, channel partners are faced with a bountiful marketplace of small-to-medium sized businesses who desire high-grade solutions with lesser pricing and more flexibility.
There are of course a number of things which need to be considered when setting up a managed security service, such as what to offer, price, licensing model and SLA's. But what about the less thought of side, such as ensuring that your service has data security credentials which stand up to scrutiny?
In this blog post, we take a look at four GDPR related points, which you might want to consider when setting up a managed security service.
[You may also be interested to read "The Truth About Cloud Hosted Services and the GDPR"]
1. Have you set up breach reporting channels between you, your customer and the ICO?
Whether you are the data controller, processor or both, you will have an obligation to report data breaches which risk the rights and freedoms of data subjects which have been exposed by the breach. Who you report to and the parameters around it will differ depending on your role but having a plan of action is mandatory under the GDPR.
We recommend creating a welcome pack for your managed security service offering which details your role in the processing workflow; how breaches can be reported to you and how you report them. This should include contact information for someone responsible for data protection in your organisation, as it is unlikely that a channel partner would have a dedicated GDPR DPO (Data Protection Officer).
2. Do you have a master services agreement detailing how you process or handle personal data?
If you are a data processor, which is likely to be the case for most managed security services, you will need to be provided with processing instructions by your customer or data controller. These instructions clearly and strictly define how you can process personal data. This is again a mandatory requirement, as defined in the articles of the GDPR.
Almost all service providers will already be familiar with the concept of a master service agreement which details all manner of things surrounding the service being provided. It would be wise to append data processing instructions to this document, and have the customer sign and return.
Remember that you cannot exceed what has been defined in the processing instructions without further instruction from the data controller.
3. Do you have a process for subject access requests?
It is unlikely that you haven’t heard of the dreaded subject access request; but for the uninitiated, it is a request from a data subject for you to return records of personal data and processing activities which might concern their personal data.
Data controllers and processors are obligated to comply with such requests for free and within a 30-day time window. Except for when requests are highly complex.
It may seem trivial but even if the controller sits on the request for a significant time, you will still need to adhere to this defined timeframe. Much like the breach reporting requirement, it would be sensible to also supply your customer with a route or mechanism for retrieving records from you in such a case.
Some service providers and websites have created automated forms on their websites which log and track such requests.
4. Are you adhering to data residency requirements?
This requirement is often complicated by the fact that many managed security services are cloud-based; and cloud-based services are commonly multi-tenanted across multiple data centres and geographical regions, for the purpose of redundancy and load balancing.
[Have you also read "4 Reasons why the Future is Cloud"?]
The GDPR is a regulation created by the European Union and as result allows the sharing of data across the EU and EEA, by enforcing the same standards. The EU also permits the transfer of personal data to countries which are deemed to have adequate data protection legislation, also known as third-countries.
Finally, transfers to non-EU, EEA or third-countries are permitted so long as there are legally binding contracts in place to enforce equivalent data protection rights for data subject, as those gifted in the GDPR.
Critically, any transfer must be communicated to data subjects. So once again, get it into your master service agreement.
Managed security services can be GDPR friendly
What might seem a little bit of a minefield is really just common sense; and things which we would all expect if we were signing up to a service ourselves. Transparency is the key being viewed as trustworthy, and the GDPR is a great place to start.
[You could also check out "5 GDPR Things to Consider for your MSSP Offering"]
In my career, I have often found that most IT managers and those who are planning to roll out a new service, are suspicious of data protection laws and other regulations as being saboteurs to a great business idea.
But it doesn’t have to be that way.
A little forward thinking and careful planning could mean that you are celebrated as being the more modern and less risky of all the service providers; another unique attribute in a market of managed services which is becoming more and more crowded by the day.