8 Signs Your IT Managed Service Provider Is GDPR Compliant

Before hiring an IT managed service provider, you need to make sure they are GDPR compliant and capable of making sure your business technology is compliant too. You can’t afford not to.

With the recent GDPR regulations that came into effect in May, no matter how big or small your business is, you still need to comply.

But, that’s not all. 

Under the GDPR, any third parties that handle sensitive information on your behalf are processors, and your duty is to make sure they know their responsibilities too. Your service provider falls into that category. Here are 10 signs that indicate they have taken the appropriate measures to be GDPR compliant as well.

1. They can answer your questions on GDPR and how it relates to technology. 

Your GDPR compliant IT managed service provider (MSP) should be able to provide clear answers to any inquiries related to the GDPR. They should have details on the type of data they manage and how it’s being stored, processed, and protected.

They should be able to explain what steps they are taking to ensure that data is safe, and they will be able to provide you with proof of how they are doing that.

Then, they should be able to explain how they can help your specific business do the same. 

2. Their GDPR compliance is reflected in their contracts 

To ensure that they are compliant, your managed service provider should have incorporated GDPR principles into their contracts. Since they are exchanging data with you, the contract should reflect the GDPR regulations. If you have an ongoing contract with your MSP and it hasn’t been updated yet, contact them ASAP and demand the update.

They should also have an up-to-date and compliant privacy policy. 

3. They are ICO registered 

Most MSPs will need to register with the ICO; some will need to pay a fee while others won’t. Only data controllers have to pay the fee, and if that applies to them you should be able to find them on the ICO public register.

Note: It’s highly likely they will need to be registered with the ICO. However, this is not always the case with every business. If they aren’t registered they should be able to demonstrate why they are exempt. 

4. They honor new personal data rights

GDPR clearly states that individuals are the owners of their data and have specific rights pertaining to their data:

  • They have the “right to be forgotten” and can request that all their data be erased. When such a request is received, it should be resolved within a month.
  • They should be informed about any usage of their data.
  • They have the right to request copies of their data.
  • They also have the right to correct any data collected on them.

MSPs should have policies in place that honor every single one of these rights. Although this places an extra burden on how they are handling data, not adhering to it can jeopardise them and the data they are processing.

5. They understand GDPR compliant tools

Since your MSP regularly exchanges data with you and others, they should ensure that data can never be accessed by an unauthorised party. This can be done through encryption and other security policies that keep data safe wherever it is.

Now imagine your MSP is storing data outside of the EU: their data centres are located in the US. Because they are still handling data from EU citizens, it still falls under the GDPR jurisdiction and should be treated as such. This means that no matter the location, that data should be protected in a compliant way.

7. They have updated their own practices

It’s easy to say you’re compliant but often companies will still be using their original bad practices. For example, automatic opt-ins, ignoring erasure requests, or using old lists without the proper consent. 

8. Understand their own processes that collect and store data

Your MSP should be able to tell you at which stages of their process they collect data, how it’s stored and in what way it is used. That should be part of their road to compliance. If they can’t, they may not have been as thorough as they first appear.

Signs Your IT Managed Service Provider is NOT GDPR Compliant

1. They say “GDPR doesn’t apply” 

This can be a major red flag, because in most circumstances it will apply to some degree or another. Those who aren’t compliant often use this as an excuse, but ignorance won’t stop their fines (or yours) if you work with them.

2. They aren’t willing to sign data processing agreements

A data processing agreement is needed for data controllers to use a data processor under Article 28. If this applies and your MSP is unwilling to sign, AVOID! 

3. They have a ‘GDPR certification’ 

At present (Dec, 2018) there is no form of official GDPR certification/qualification or body of official training that gives this any weight. Of course, there are many training programs which can be helpful in providing education, but you cannot be ‘GDPR certified’ or ‘GDPR qualified’ as a company (yet). This ‘qualification’ or training does not equal compliance.

Hopefully this has made it easier for you to determine the fact from the fiction when it comes to finding a GDPR compliant IT managed service provider! 

If you wish to make sure your data is safe and compliant, we can help. Contact us today and let us help you set up the highest security standards for all your data requirements.