The European Union's General Data Protection Regulation (GDPR) is an EU regulation stipulating how organisations must handle personal data so that individuals are protected and can more easily find out what data an organisation holds about them. It became enforceable across the 28 EU member states on May 25, 2018, and was subsequently incorporated into the EEA Agreement for the three European Free Trade Association (EFTA) states that belong to the EEA. Fines for breaching GDPR can be as high as €20 million or 4 percent of global annual turnover, whichever is higher.
With so many advance warnings, guidance documents, professional advice and web-based resources available, you might think that GDPR is a done deal and that there is little left for MSPs to gain by selling GDPR services.
This would be a wrong perception.
Barriers to compliance
Research carried out in the UK by ICSA: The Governance Institute and The Core Partnership shows that 78 percent of organisations found becoming GDPR compliant a heavy burden, with many having to employ new staff. By the May 25 deadline, only 50 percent stated that they were fully GDPR compliant.
Mid-market organisations and SMEs must also be GDPR compliant, but bringing in dedicated extra staff just to achieve this is not always within their financial reach.
With large enterprises taking the cream of the crop, smaller organisations are left to choose between employing someone who may turn out not to know enough to be useful, paying over the odds for someone who does, or bringing in expensive consultants.
Assume that the fully-loaded cost of a GDPR specialist is £100,000/€130,000/$130,000 per annum. That is a lot of profit being eaten up by someone who is not a revenue creator.
Now, imagine that the organisation can use a platform provided by a managed service provider. That MSP can employ a GDPR expert at the same cost — but share that cost out across all its customers. For example, with 100 customers, that works out to £1,000/€1,300/$1,300 per annum each, far more affordable for the SME to pay for what is essentially an insurance policy. This also scales. As the MSP grows, it can afford to employ more GDPR specialists — or people with a mix of data security skills.
Powerful message for MSPs
This becomes a powerful sales message for MSPs. Many SMEs are working on a basis of "it won't happen to me" when it comes to GDPR compliance. MSPs already sell the standard benefits of removing the need for deep technical competence within the SME, higher levels of systems availability, and shared, elastic resources. If they add a GDPR-compliant base platform to that list, many SMEs will breathe a sigh of relief, as long as the price is right.
MSPs can then also offer a degree of consultancy service over and above the base platform GDPR compliance. For customers that have their own applications or databases, the MSP can offer the expertise to review these systems and help make them GDPR compliant as well.
The downside? The SME, as data controller, remains legally responsible for any GDPR breach, but it will obviously come back to the MSP if the breach can be shown to be the MSP's fault. Nor does the MSP escape liability: as a data processor it carries its own direct obligations under GDPR (Article 28), must process personal data only on the controller's documented instructions under a written contract, and can itself be fined. The MSP can insure against such a case, but its brand could be fatally damaged if a breach became public. Therefore, the MSP must be certain that what it offers is real. There is no room for cutting corners in this case.
Photo: Olivier Le Moal/Shutterstock.com