GDPR May Force MSSP, CSP Business Model Evolutions
Unlike its long-standing predecessor, the European Union’s new General Data Protection Regulation (GDPR) — a wide netting to globalize rules for data privacy, security and use that activates May 2018 — directly addresses requirements for cloud service providers (CSPs) and, by association, many MSSPs.
The prior directive, meant to safeguard the privacy of Europeans’ personal data, was written in 1995, well before the advent of most cloud services and third-party CSPs, inadvertently leaving uncovered a broad swath of data protection.
Now, however, it’s a different world with data top-of-mind for businesses, consumers and providers–really anyone, everything and anything touching or generating personal data. As organizations move to the cloud, they have to be confident that their service providers–CSPs, MSSPs and MSPs–are fully cognizant of their roles as data conduit and protector.
Under the GDPR’s terminology, cloud service providers are classified as “processors,” in that they sift, interpret and massage personal data for a “controller,” which essentially is the determiner of how and why the data is to be processed.
GDPR Requirements for CSPs, MSSPs, Service Providers
Plainly speaking, a business is a controller of its clients’ personal data and a service provider is its specialist. Under the GDPR, CSPs, MSSPs and other service providers must provide assurances that they can implement processing measures to meet the legislation’s requirements.
Without that binding awareness and full understanding of their liabilities under the GDPR, many CSPs and, of course, MSSPs, risk misconstruing the impact of the data protection legislation on their business models, according to researcher IDC.
“CSPs must act immediately to consider their position under the GDPR, and review all systems and processes before the 2018 deadline,” said Duncan Brown, associate vice president of security at IDC, in a prepared statement. “GDPR means increased risk and higher costs for CSPs dealing with personal data.”
Many CSPs are “unaware of these broad scoping definitions and are thus unprepared for their GDPR obligations,” he said.
IDC has segmented the impact of the GDPR on CSPs by general considerations for contracts and liabilities, and the nuts and bolts–security, international data transfers and other considerations. Both aspects are covered in two new reports the analyst has produced.
One twist, among many, in the process to prepare for GDPR implementation, will require CSPs and MSSPs to fully understand the cloud supply chain to the extent of auditing their subcontractors for compliance, IDC said.
In other words, CSPs not based in the EU but offering services to EU-based entities delivered either directly or indirectly, are responsible up and down the line and will have to audit their subprocessors to ensure the rules are followed.
More GDPR Guidance, Advice for CSPs, MSSPs
IDC isn’t the only analyst advising CSPs on how to navigate the GDPR. 2Twenty4 Consulting, an East Sussex, England business technology consultancy, has produced a document geared specifically for CSPs entitled, GDPR and Cloud Service Providers.
“Currently, the only obligations that exist for cloud providers is that stated in their commercial service contract,” according to the report. “Typically, this has focused on the SLA and guarantees of uptime sometimes with associated penalties for disruption.”
The GDPR, however, takes data protection issues much farther with “new mandatory contract provisions” for CSPs that cover subject matter and the duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller, the document details.
Some IT vendors have begun preparations to help organizations accommodate the GDPR. IBM, for example, recently detailed incident response capabilities for its IBM Resilient security portfolio that offers organization a preparatory guide, breach simulation tools and access to a database of GDPR regulations.