Every day our inboxes are inundated with research telling us end users are ill prepared for GDPR, but channel firms also have work ahead of them to ensure they don't fall foul of the new data protection rules, says Doug Woodburn
Any misguided expectations that the UK would somehow dodge the General Data Protection Regulation (GDPR) were extinguished earlier this week when the government announced its Data Protection Bill.
Trumpeted as the "most robust, yet dynamic, set of data laws in the world" by digital minister Matt Hancock, the new bill is largely GDPR by another name (although anyone reading the government announcement may not have guessed that).
Confirmation of the imminent arrival of the tough new data protection regime - which will impose fines of up to £17m on firms that slip up - will come as both a curse and a blessing for the channel.
On the plus side, IDC says GDPR will represent a $3.5bn (£2.7bn) annual opportunity for security and storage resellers.
However, MSPs and resellers must of course become compliant themselves, which is no small task considering that in many cases they are handling and managing - and in some cases even processing - customer data.
Seemingly every day, another vendor-backed survey lands in the CRN inbox telling us that end users are woefully ill prepared for GDPR.
But many MSPs I speak to admit they are not yet fully compliant themselves. To cite just one pain point, GDPR will give customers the right to request that personal data about them is erased, and resellers will not only have to ensure they can do this, but also be in a position to prove they have done it as well.
GDPR could also force resellers to rejig their marketing strategies as they will not be immune to the stricter regulations it will impose around collecting consent for email marketing. Social and influencer marketing could consequently become a more important platform.
And just as cobblers' children are often said to be the worst shod, not all resellers have invested in the appropriate technology to comply with GDPR internally. All in all, there is a lot of work ahead for the channel, and GDPR could be as much of a headache as it is an opportunity for those behind the curve.
I caught up with a couple of MSPs recently who told me they are very much geared up to take advantage of the technology and consultancy opportunities GDPR will generate for the channel.
Kevin Timms, CEO of reseller and MSP EACS, characterised GDPR as "a headache, but not a particularly huge one" for his firm, but warned that IT suppliers that process data on behalf of others - for instance those who host CRM applications - would be harder hit by the new regime.
EACS still has work to do in the event that a customer makes a request for it to remove personal data, Timms said.
"The key areas [of GDPR] are going to be the employee data and the customer data, and for us it's the latter which is the most key, because we are in reasonable shape on the employee data in terms of how we handle that," Timms said.
"But we host all client data internally on our own systems, and we are going to need to do some work there to be fully compliant. If a client contacts us who wants to be completely removed from the system, we can do that today. But we need to make sure our processes are a bit tighter, and that we can actually report and prove that we've done that."
Edel Creely, group managing director of Dublin- and London-based MSP Trilogy Technologies, said she saw GDPR as a lucrative opportunity, arguing that it has converted cybersecurity from being a technical conversation into a business conversation.
"Because it's now going to be regulated, that means boards have a legal imperative to abide by the regulations, therefore it is now being taken very seriously," she said.
Trilogy has seen a spike in demand for security audits as firms look to get their houses in order, which then often leads to conversations around security road maps, Creely said, adding that online backup is among the red-hot areas in which many firms find they need to invest.
Trilogy still has some fine-tuning to do around policies, she added.
"We made a decision a year ago to become compliant with ISO 27001, and that addresses a lot of the questions around both the security and protection, and then also the organisation: how you treat data and manage it," she said.
Timms said EACS is also being approached by customers requesting audits of their systems and processes to determine whether they are fully compliant.
"One of our suppliers which sells security solutions into the mid-market space is forecasting an increase in their software of around 60 per cent this year, and we are seeing a significant increase in the sale of anti-virus consoles for managing security and so forth - there's been an uptick," he added.
Such accounts underline that GDPR could be the biggest opportunity the channel has been dealt in recent years - so much so that CRN is hosting a panel debate on the topic at our brand-new event in September. But IT suppliers that fail to get their own houses in order stand little chance of exploiting it.