All businesses handling any personal data of EU citizens must comply with GDPR. This is hard for those on the front line of data processing such as big retailers and banks. But what about those B2B firms behind the scenes, like IT managed services companies?
Previously, B2B companies could escape legal liability for data offences as long as they stuck to their contract. Today, under GDPR, they are accountable by law as well.
Controllers vs Processors
In data-processing circles, data handlers are usually “controllers” or “processors”. This is important because, even in the GDPR era, controllers bear more legal responsibility for data than processors do.
A data controller is usually the first party in the chain which collects data and decides the how and why of its processing. A data processor is often a third-party firm offering a range of IT solutions to other companies. This might be a payroll company or cloud storage provider.
The Seven Core GDPR Principles Applied to IT Managed Services
Seven fundamental principles of compliance are set out in Article 5 of the GDPR. Let’s look at those principles and see how they might apply to an IT managed services company.
1. Process Data Lawfully, Fairly and with Transparency
A provider of IT managed services, or managed service provider (MSP) can be either a controller or a processor. Often, it’s the latter. This type of company typically uses its expertise to process the data from other companies. It is liable for data privacy and integrity.
Processing data lawfully and fairly means complying with GDPR and not using data for purposes other than stated. Transparency is a vital GDPR element for both data controllers and processors.
Imagine an IT managed services provider called System Attic. This company processes data for a fashion retailer called Miss Direct. If it discovers a data breach, it must inform the controller (Miss Direct) without delay. This is part of “transparency”.
Many data breaches are avoidable with efficient data mapping. Carefully worded contracts between data controllers and processors can also help avoid weak links in the data chain.
2. Stick to the Stated Purpose of Data
Under GDPR, you can only collect data for the purpose agreed to by the data subject. Transparency means consent must be sought in the most unequivocal terms with an opt-in checkbox.
System Attic is processing the data of an IT networking specialist. What it cannot do is use this data without consent to further its own interests. GDPR software helps create a contract between data collectors and processors (compulsory for GDPR compliance).
3. Collect Only the Data You Need
Data minimisation is a crucial GDPR principle. A data controller should not collect more personal data than it needs for a specific purpose. And a processor shouldn’t hold more data than it needs for completing that purpose.
System Attic is a data controller when it comes to the data it holds on its own staff. Any sensitive data it stores should be kept to a minimum. The keeping of health records needs a legal basis under GDPR. Consent is not enough here, because there is an imbalance of power between employer and worker.
Constant data monitoring using GDPR software ensures controllers and processors don’t store more data than necessary.
4. Keeping Data Current and Precise
Any company handling personal data must ensure it’s up to date and accurate. Data subjects, (i.e. customers or staff), have the right under GDPR to rectify any obsolete data being held. For all companies, there is a need for efficient data management with the ability to swiftly access personal data. Data mapping software helps.
System Attic offers a managed service desk operation, which must be GDPR compliant and requires up-to-date customer data. Regular assessment and trimming of stored data help ensure it is accurate. Efficient subject access management helps in this, too.
5. Delete Data When You’re Done
The “Storage Limitation” principle in GDPR means handlers should not hold data for longer than its purpose dictates. Companies cannot, for instance, keep data on file in case it is useful later. This is an integral part of data protection.
System Attic’s managed service desk uses a standard ticketing system to track enquiries. Once the enquiry is over, and the ticket closed, any redundant data collected must be deleted.
6. Keeping Data Secure
It’s incumbent on any data handler to adequately protect stored data. The sensitivity of the data dictates the level of security which applies. For instance, data about children needs the highest possible protection. Data handlers like MSPs are usually the experts in data protection and often take on an advisory role in a B2B relationship.
System Attic runs a security operations centre (SOC) manned by experts who check for cybersecurity threats. This service also helps with customers’ GDPR compliance, though customers must also be responsible for their own security.
7. Take Responsibility
Accountability is the last of the seven principles. Companies working together must define the roles of controller, processor, and sometimes sub-processor in a contract. (A sub-processor is a company which processes for a processor.)
System Attic decides to use a separate cloud storage service to hold its customers’ data. Under Article 28 of GDPR, a contract must define the data obligations of both parties.
Whichever kind of data handling you do, complying with EU law is vital. For small to mid-sized businesses, GDPR compliance software can help. Get started now!