Three aspects of the GDPR that MSPs absolutely NEED to understand
The GDPR is less than one year away now. Companies all over the world are in a rush to make sure that they are in compliance with the new data legislation come May 2018.
Managed service providers are no exception. In our free e-book, 10 things that MSPs need to know about the GDPR (you can download it right here), we provide an in-depth explanation of how and why MSPs need to prepare for the GDPR.
The GDPR is complicated legislation, and many companies have very little experience with data security or with the working methods that lead to sustainable data security in the long run.
If you want to achieve a thorough understanding of the GDPR and how you should approach the GDPR as an MSP, we suggest that you download our e-book. In this blog post, however, we will provide you with insights on three aspects of the GDPR that you absolutely need to understand.
1. Does the GDPR apply to you?
The answer is almost certainly: Yes, it does.
The GDPR is not directed at companies or specific geographical regions. The GDPR is directed at the data and information that belongs to EU citizens.
In other words: any company or organization that stores or processes data or information belonging to EU citizens is governed by the GDPR, regardless of where in the world the company is located.
So all companies or organizations that do business with European clients are subject to the GDPR. It’s that simple.
2. Are you a processor or controller?
Under the GDPR, there are two different roles that companies or organizations can play: that of the processor or that of the controller.
The GDPR defines processors and controllers in the following manner:
Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
So generally speaking, controllers collect the data, while processors store or catalog it.
You need to figure out which role you play, and you also need to understand the role of your clients. Controllers and processors face different legal obligations, so how you should approach the GDPR depends heavily on whether you are one or the other.
3. Are you in possession of ‘personal data’?
The GDPR is all about personal data.
Companies or organizations that hold data classified as personal face extremely severe penalties if a breach occurs.
So what is classified as personal data under the GDPR?
- Basic information: name, address, ID numbers and the like
- Web data such as IP addresses and cookie data
- Racial or ethnic origin, and sexual orientation
- Health, biometric and genetic data
- Political opinions, religious beliefs and union memberships
If your company or organization collects or processes any of these categories of personal data, you should be extremely meticulous in how you follow the GDPR.
If you want to know more about the GDPR, you can download our free e-book 10 things that MSPs need to know about the GDPR.