The EU’s General Data Protection Regulation (GDPR), introduced in 2016 with legal enforcement across all EU countries by 2018, has impacted far more than the 27 countries in the European Union (EU), or the broader environment of the European Economic Area (EEA).
Any company, located anywhere on the globe, that deals with the personally identifiable data (PID) of an EU citizen should also adhere to GDPR requirements. As a result, many other countries have adopted their own laws with GDPR as a core starting point, to allow for easier interactions with the major trading bloc that the EU represents.
The United States has attempted to put in place similar data protection laws, such as the Safe Harbor act, to provide an equivalence between US and EU data handling laws. However, this was struck down by the EU in 2015. The US then enacted the Privacy Shield Framework. However, this was always seen as problematic by the EU, and it was eventually struck down by the European Court of Justice in 2020. In 2022, a new agreement, the Trans-Atlantic Data Privacy Framework, was agreed upon by the US and the EU.
Pseudonymisation protects PID
For those organisations working directly within the EU/EEA or dealing with customer data from those areas, or even dealing with other third countries that have implemented similar rules, there is now the massive problem of how to deal with created or stored PID. Even for those operating within the US, the mix of State and Federal rules creates a constantly changing and worrying picture of how to deal with PID in a legal manner.
Luckily, the GDPR has a high-level solution that can be used across a global platform, called pseudonymisation. Here, the data holder must ensure that PID is transformed into a different format such that the PID itself cannot be extracted without access to an external item. One of the simplest ways of doing this is nominally encryption, as long as the encryption key is held on a separate system to where the data itself is held. Another approach is tokenisation, where the PID is replaced with something that looks meaningless and can only be used to uncover PID through knowledge of how the token was created.
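The tokenisation approach described above can be sketched as follows. This is an added example, not code from the original article: `TokenVault`, `PID_FIELDS` and the sample records are hypothetical, and the in-memory vault stands in for the separate system that holds the key and the token map.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Hypothetical stand-in for the separate system holding key and token map."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never stored alongside the data
        self._by_token = {}                  # token -> original PID value

    def tokenise(self, field, value):
        # Keyed HMAC rather than a plain hash: low-entropy PID such as an
        # e-mail address cannot be recovered by hashing guesses without the key.
        msg = f"{field}\x00{value}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]
        token = "tok_" + digest
        self._by_token[token] = value
        return token

    def detokenise(self, token):
        return self._by_token[token]


PID_FIELDS = ("name", "email")  # assumption: which fields count as PID


def pseudonymise(record, vault):
    """Return a copy of record that can be held in the main data store."""
    return {k: vault.tokenise(k, v) if k in PID_FIELDS else v
            for k, v in record.items()}


def reidentify(record, vault):
    """Reverse pseudonymise(); only possible with access to the vault."""
    return {k: vault.detokenise(v) if k in PID_FIELDS else v
            for k, v in record.items()}


# Constructed sample records, not real customer data.
CUSTOMERS = [
    {"name": "Ada Example", "email": "ada@example.com", "plan": "gold"},
    {"name": "Ada Example", "email": "ada@example.com", "plan": "silver"},
]
```

Because the tokens are deterministic per vault, records for the same person can still be joined in the main store, while re-identification requires the vault.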
Opportunity for MSPs that operate or have access to regional data centres
For MSPs, this provides a solid opportunity. Many organisations do not have the capability to separate their PID across different geographical regions and do not know how to apply tokenisation. Even encryption may result in unacceptable performance hits. If the encryption key is compromised and the PID is then compromised, the organisation will be found in breach of the GDPR.
As the possible fines for a breach of the GDPR run up to €10 million or 2% of global turnover (whichever is greater), this is something that everyone wants to avoid. For example, UK airline (although Spanish-owned) British Airways was fined £183 million (1.5% of turnover) for a data skimming issue in 2018 – although the fine was reduced to £20m after the Information Commissioner’s Office (ICO) lowered it due to the impact of COVID and representations from BA itself.
For MSPs that either operate or have access to regional datacentres around the globe, being able to store data within the region where local applicable laws operate will minimise the risks associated with handling the data. Providing solid content management systems that enable robust indexing and recovery, combined with archival and retrieval, will help many organisations meet their legal needs.
Electronic data backup required by law
Such legal needs are going beyond fines for data breaches, however. Gone are the days when a convenient flood or fire in a paper archival facility meant that a judge would have to accept that the records were gone. Now, even trying to claim that electronic copies have been destroyed holds little weight: the law expects backups to be held for long periods of time and to be presented in a timely manner when required.
Even smaller MSPs can offer such services: the use of global platforms such as AWS, Microsoft Azure or Google Cloud Platform supports what can be a cost-effective means of using different regions that are connected together by high-speed interconnects that operate essentially at datacentre speeds, ensuring that customers see little performance hit when bringing records together.
Organisations willing to pay for full data management and protection
Being able to provide systems that combine regional data storage with fast online document/records management and good long-term archival is something many organisations will be happy to pay for – as long as the right business messages are created to support the offer. Messages should focus on:
- A means of managing important records for an organisation
- A means of rapidly identifying and recovering information required by any stakeholder
- A means of avoiding legal fines through adequately managing PID
- A means of avoiding bad publicity caused by the leakage or malicious access of PID
- A repository that allows for better decision making and smoother workflows of information through the organisation
Such messaging is far better than just focusing on any one area – it should create a feeling that what is being offered is a full business solution, not just one that solves a single business issue. Rather than providing just an insurance policy against something that may never happen, it also offers ongoing business benefits. This should make bringing prospects on board far easier.