Archive February 2019

Managed Security Service Providers’ GDPR Liabilities

The growth of the MSSP sector has brought the efficiencies of outsourced data processing.

The GDPR has created a further demand for compliance, and with it potential confusion over the split of responsibilities between the outsourced IT provider (the data processor) and the client (the data controller), who decides the purposes of the processing and the budget allocated to it.

MSSPs now need to adapt their business model to the significant changes the GDPR introduces, thereby avoiding the legal consequences of non-compliance.

These changes encompass:

  1. Accountability and transparency
  2. Data protection principles
  3. Security and confidentiality assurance
  4. Governance support and advice on duties

The legislation requires the data processing community to be fully conversant with GDPR governance. For example, MSSPs will need to ensure that a data protection impact assessment (DPIA, often called a privacy impact assessment) is carried out before deploying a data leak prevention solution or, similarly, an advanced web filtering solution, since both inspect the content of users’ communications.

In delivering managed advanced threat protection solutions, MSSPs process personal data and may also process the special categories of data defined in Article 9 of the GDPR. Providers are directly liable under the regulation for infringements involving such data, which includes political opinions, religious beliefs and sexual orientation.

Data Processor/MSSP – Risks of Non-Compliance

·     Damaging loss of reputation for the company.

·     Sanctions from the supervisory authority. MSSPs, data controllers and end customers are all exposed to penalties from the ICO in the UK or the CNIL in France, ranging from public warnings up to administrative fines of 10 million euros or 2% of worldwide annual turnover, and 20 million euros or 4% for the most serious infringements, whichever is higher.

·     The courts may, under member state law, impose prison sentences or significant fines on the data controller or a sub-processor.

·     Under civil law, contracts may be cancelled and customers refunded.

The change in legislation is a major wake-up call for all managed security service providers. GDPR compliance is now a reality, and the priorities need to start with designating a Data Protection Officer (DPO) and training teams. The consequences of contravening the GDPR are financially damaging, let alone the damage to reputation and to trust in the company brand.

Being compliant strengthens the overall value proposition, enhances reputation and raises the standard of security practice.

PS: I tried to summarise this complex subject in one page, so if you have any comments or questions, don’t hesitate to contact me directly.