GDPR will fuel a $3.7bn (£2.7bn) annual IT security spending bonanza, according to fresh data from IDC, which has urged resellers not to miss out.
In a recent CRN panel debate, resellers and MSPs expressed ambivalence towards GDPR, with some seeing it primarily as a legal headache for them and their customers, rather than a technology sales opportunity.
However, talking to CRN, IDC associate vice president Duncan Brown said that most firms over a certain size will have to shell out on new technology if they are to comply with the new, EU-wide data protection regime, which kicks off on 25 May 2018.
GDPR will fuel an extra $2.3bn in IT security software and services spending in Western Europe in 2017, with the figure set to rise to $3.1bn in 2018, before peaking at $3.7bn in 2019 and 2020, IDC predicts.
"They are absolutely missing a trick," Brown said of resellers that don't see GDPR as their domain.
"There is absolutely an opportunity out there, and although they're right in a sense that GDPR is not about technology and is a business problem, you cannot be compliant with GDPR without having technology in place. It can't be done, because of some of the new requirements.
"Sole traders probably don't need technology, but for the vast majority of companies resellers and vendors are talking to, they will all be impacted by GDPR and will need technology in order to deliver that. If you are not talking about GDPR, you can be absolutely sure your customers are talking to someone else."
GDPR will drive a substantial chunk of security investment until 2021, propelling security services and security software compound annual growth in the region to 20.3 and 18.8 per cent respectively.
IDC has produced a GDPR technology framework designed to help firms ascertain what role technology can play in their compliance process.
Brown said there are some obvious hotspots within this for IT suppliers.
"Data loss prevention is very big for obvious reasons as it stops personal data being sent out of the organisation," he said. "Access control is having a big boost through GDPR because unauthorised access to data is one of the core principles of GDPR. From a service provider point of view, you've got the implementation and consulting that goes around that, but also things like incident response. [Under GDPR] you have this mandatory breach notification within 72 hours, so you need to have an incident response plan in place and tested, so there's a big drive around that."
In its latest forecast, entitled Western Europe GDPR Impact on Security Services and Software Forecast, 2016-2021, which was published in August 2017, IDC said suppliers should be aware of a "two-speed adoption curve" around GDPR. Organisations will either seek to become compliant to avoid drawing attention from regulators, or will use GDPR to drive best practice or competitive advantage, according to the analyst.
"Both approaches are valid, as long as they are informed and based on an assessment of business risk. Vendors need to ascertain to which of these two camps their customers belong. Their adoption patterns will differ substantially," the report stated.
Breaking down its spending forecasts further, IDC predicts that Western European organisations are set to spend an extra $1.2bn on security software and $1.1bn on security services this year. Next year, the corresponding figures will rise to $1.6bn and $1.5bn, before jumping to $2bn and $1.8bn in 2019 and $1.9bn and $1.8bn in 2020. In 2021, GDPR-induced security spending will tail off slightly to $3.3bn, comprising $1.7bn in software and $1.6bn in services spend.
The UK will contribute the largest chunk of that, with GDPR-induced security spending here set to peak at just over $1bn in 2020.
Panellists on our recent MSP GDPR panel remarked that GDPR is seen as less of a big deal in some mainland European countries that already have strict data protection rules, most notably Germany.
But Brown argued that even German firms will have work to do to ensure they comply.
"I've heard a lot about the typical German approach of 'we're alright: GDPR is pretty much the same as what we've got; in fact it's weaker in some areas'," he said. "And then you say 'OK, what are you doing about data portability, what are you doing about the laws on consent, mandatory notifications and the right to be forgotten?' Germany isn't far away from GDPR in terms of the principles, but there are many new requirements."