MSP Quick Start Guide to Data Privacy Compliance and Documentation


Page 1: Data Privacy Compliance and Documentation

MSP Quick Start Guide to
Data Privacy Compliance and Documentation


TABLE OF CONTENTS

Chapter 1: Compliance 101 .......................................................... 1
Chapter 2: Why Compliance Matters ................................................. 3
Chapter 3: Developing Your Compliance Program ..................................... 11
Chapter 4: The Importance of Following Data Privacy Best Practices ............... 14
Chapter 5: Consequences of Non-Compliance ......................................... 18


CHAPTER 1: Compliance 101

The business world is in transition. Discussions about the future of work and the technology required to facilitate that future are top of mind in every sector. For many organizations, the future may not include a full-time return to pre-pandemic, office-based operations. That adds to the complications of ensuring compliance while maintaining a strong defensive posture to avoid hazards like ransomware, third-party or supply chain data breach risks, lost productivity and potential seven-digit fines for failing to meet regulatory compliance requirements.

One essential component of every organization’s future success will be the ability to secure its data against cybercrime while maintaining compliance with ever-evolving data privacy regulations. The rise of ransomware as a tool that can shut down businesses entirely as well as endanger data has created a new urgency in business cybersecurity. That means every company will need to adjust how it thinks about IT, security and compliance.


WATCH NOW: Build a Profitable Compliance-as-a-Service Business. Learn how to price, position, and sell compliance services with our informative session.

MSP Opportunity

A new vision of work brings a new vista of opportunity for MSPs. Managed services clients in vertical markets, such as healthcare, finance, technology and legal services, are faced with increasingly more detailed data-handling requirements. MSPs have the opportunity to move beyond simply serving as outsourced system administrators and expand their businesses (and their MRR) by becoming trusted partners in compliance.

Savvy MSPs are already preparing to meet those challenges by developing up-to-date working knowledge of compliance regulations and the cybersecurity moves that their clients need to make to meet them. Investments in certifications, audits and ongoing training can set your MSP up for compliance business success.


CHAPTER 2: Why Compliance Matters

Under many data protection regulations, IT providers are considered business associates since they have access to a covered entity’s data. This relationship means they could be held liable in the event of a data breach. Maintaining a strong security culture that places value in maintaining compliance is vital to protecting your business as well as protecting your clients’ data and systems from disaster.


Evolving Regulations

Data privacy standards are one of the fastest-growing areas of regulation today. In the U.S., most states are tightening data compliance regulations, including new data privacy standards in California. Worldwide, over 100 countries have adopted data privacy laws that hold industries accountable for protecting their clients’ sensitive information. Regulators in North America, Europe, South America, the UK, China and Singapore will be enforcing newer, stricter regulations as well.

In today’s competitive MSP landscape, failing to demonstrate your commitment to data security and your expertise in maintaining compliance in your target industries may cause clients and prospects to think twice about your viability as a business partner. Overcoming knowledge barriers of data law is a must. Prepare to focus on security and compliance issues in order to gain an edge over the competition.

The most prominent new data privacy compliance considerations for 2021 include:

• General Data Protection Regulation (GDPR)
• UK General Data Protection Regulation (UK GDPR)
• Schrems II and Data Protection Impact Assessments (DPIA)
• California Consumer Privacy Act (CCPA)
• California Privacy Rights Act (CPRA)
• Consumer Privacy Protection Act
• Personal Data Protection Act (PDPA)
• Data Security Law (DSL) & Personal Data Protection Law (PDPL)
• Brazilian General Data Protection Law (LGPD)


General Data Protection Regulation (GDPR): European Union

GDPR fines reached a new high in 2020 and can currently reach up to 4% of a company’s global revenue. Companies maintaining information on clients within the EU need to be able to demonstrate that they are adhering to the GDPR’s 7 principles and to specific guidance from their national Data Protection Authority.

In December 2020, the ICO published a new Data Sharing Code of Practice. The Code applies to personal data that is shared between controllers or provided to third parties. It does not apply to data sharing with a processor, nor the disclosure of data within an organization. Companies will be required to transfer personal data securely and inform data subjects of what is happening to their data. The ICO strongly recommends that organizations complete a Data Protection Impact Assessment (DPIA) as a precaution.

In January 2021 the EDPB adopted guidelines that consider a range of data breach notification cases. Some of the examples considered include ransomware attacks, security incidents with exfiltration, internal compromises, accidental transmissions and lost or stolen devices. For each of the example cases described in the guidelines, the EDPB identifies the relevant reporting and remediation obligations.

Worth noting: On January 13, 2021, the Advocate General of the European Court of Justice issued an opinion in Case C-645/19 Facebook Ireland Limited, Facebook INC, Facebook Belgium BVBA v Gegevensbeschermingsautoriteit that brings to light the issue of which supervisory authority will be competent where multiple authorities have the potential to be the lead supervisory authority.

[Map: Countries of the European Union]


UK General Data Protection Regulation (UK GDPR): United Kingdom

Authorities have cemented a GDPR/Brexit interim data transfer agreement that allows the unrestricted transfer of personal data between the UK and EU as before, even though the UK is no longer part of the EU and therefore not under the EU’s GDPR. Businesses should continue with their existing practices regarding data. The only area that may change is for those organizations who need to process data from those living in the EU (such as if you serve EU customers) or need to arrange the transfer of data between the two sides.

Brexit has had the UK implement its own version of GDPR, called UK GDPR, which indicates that as of June 30, 2021, data transfers between the EU and UK will likely be considered as “transfers to a third country.” Although the UK is now “a third country” under the EU’s GDPR, a provision in the agreement signed by the UK and EU in December 2020 secures an interim period of six months of unrestricted data flow between the two blocs.

The EU Commission has released a draft adequacy decision that, if approved, would grant the UK the status of providing adequate data protection and thus ensure the free and uninterrupted flow of data between the two blocs. The draft adequacy decision is unique in that it is time-limited to four years and only renewed if the UK proves in 2025 to still have adequate data protection.

The ICO, which currently upholds information rights in the country, will continue to oversee data protection after the EU transition period.


Schrems II and Data Protection Impact Assessments (DPIA): United Kingdom

The EU-US Data Protection Shield, on which many companies relied to transfer their data between the U.S. and the EU, was invalidated due to concerns around surveillance by U.S. state and law enforcement agencies in a case referred to as Schrems II. Schrems II classifies any data transfer outside the European Economic Area, now including the UK, as a high-risk activity, making a DPIA mandatory.

The European Data Protection Board (EDPB) released a set of guidelines that give organizations advice on measures they can take to stay compliant when making data transfers. Among the various recommendations, encryption stands out as a key measure that organizations can use in 2021.

The EDPB also released recommendations addressing the due diligence obligations and supplementary measures imposed by the CJEU in the Schrems II decision for organizations transferring data outside the EEA.

Organizations now must perform case-by-case transfer impact assessments (TIAs) that determine whether the data-importing country provides “essentially equivalent” protection of personal data as that guaranteed under EU law.


California Consumer Privacy Act (CCPA)

New provisions of the California Consumer Privacy Act (CCPA) will be enforceable as of July 1, 2021, and apply to all companies that have California-based customers with over $25 million in annual revenues and companies with access to personal information for 50,000 or more California residents or companies that derive at least half of their annual revenue from selling personal information.

In October 2020, AB 25 and AB 1355 were signed into law. These laws created exceptions for some CCPA requirements, notably those around privacy rights requests, with respect to the personal information of employees (including job applicants, directors and officers) and for business contacts (including, for example, sales agents). However, both laws included a sunset provision and the exception for those types of personal information will no longer be in effect as of January 1, 2021.

The requirements to provide notice and disclosure at the point of collection, and the private right of action for breach, were not impacted by AB 25 or AB 1355, and remain in effect.

Businesses will need to begin applying the same controls that are already applied to other consumer data for CCPA compliance, including systems for human resources and procurement that were separated from and not in scope for previous CCPA efforts.

California Privacy Rights Act (CPRA)

Businesses should be preparing strategies for compliance with the upcoming California Privacy Rights Act (CPRA). This new law goes into effect on January 1, 2023, with a look-back period of January 2022. Among the provisions that will impact IT decision-making are regulations that amend and expand the requirements of CCPA, create a new subcategory of personal information (Sensitive Personal Information) and establish a new privacy regulator, the California Privacy Protection Agency.


Consumer Privacy Protection Act: Canada

If passed, the Consumer Privacy Protection Act will act as a replacement for the Personal Information Protection and Electronic Documents Act (PIPEDA). The act will require businesses to adopt significantly more robust accountability measures, such as a well-documented privacy management program, and not just a policy. It also provides greater rights to individuals and includes significant order-making powers and stronger enforcement measures in the form of fines and penalties. Ontario, Quebec and British Columbia have all indicated that they will implement new privacy acts or revise their existing ones to align with current trends.


Brazilian General Data Protection Law (LGPD): Brazil

As of August 2020, organizations within Brazil as well as those that serve consumers in Brazil are required to comply with the provisions of the Brazilian General Data Protection Law (LGPD). Modeled on the GDPR, many of the requirements are similar. One notable difference is the requirement for organizations doing business in Brazil to appoint a Data Protection Officer to liaise with the Brazilian National Data Privacy Agency.

Personal Data Protection Act (PDPA): Singapore

Amendments to the 2012 act took effect in February 2021, marking the most significant changes to this regulation since it came into force. Updates include mandatory data breach notification, enhanced accountability for individuals, with penalties that include fines up to SG$5,000 or up to two years in prison, and a new framework for consent. Later this year, Singapore is also expected to increase the potential fines for organizations.

Data Security Law (DSL) & Personal Data Protection Law (PDPL): China

In late 2020, China released drafts of a proposed Data Security Law (DSL) & Personal Data Protection Law (PDPL). When combined with the 2017 Cybersecurity Law, they clarify China’s approach to data privacy for foreign companies operating in China or serving Chinese consumers. Seen as China’s response to GDPR, these laws contain many of the same provisions as their European counterparts, and similarly, apply across borders.

[Map: Brazil, China, Singapore]


WATCH NOW: Build Documentation with Compliance in Mind. Learn how to address common documentation requirements, practical steps to begin your process, and realistic compliance and audit scenarios.

CHAPTER 3: Developing Your Compliance Program

When developing your compliance program, first consider the simple measures that you can take immediately to protect your business and employees. Then enact them as quickly as possible. This will not only give you a solid start on the road to becoming a successful compliance partner for clients and prospects but will also improve your own security. Immediate steps that you can take include:


Review any gaps in technology used

When was the last time you checked to make sure that everything your staffers use is patched? Have you considered new solutions that may be safer or more efficient for internal use? Conduct a thorough review of the hardware, software and cloud solutions that power your business and address any gaps that may have arisen as the business has evolved.

Evaluate your internal teams

Ensure that everyone is playing by the same security and compliance rules internally by establishing a formalized internal governance team or dedicated security staff to enforce them. This is also an essential provision against insider threats. Both malicious acts and unintentional blunders are more quickly detected and addressed when everyone knows that someone is keeping an eye on things.

Provide a dedicated work laptop

While allowing workers to utilize their own devices by establishing BYOD policies can be a great way for businesses to save money, it can also be hazardous to your security by leaving you open to intrusion through weak device security or malware infections. By regulating the use of devices within your business, you will also be able to regulate the security compliance of those devices and their users. Providing staffers with a consistent style of laptop also enables better endpoint security control.

Add multifactor authentication (MFA) for all users

Most major data privacy regulations, including HIPAA, PCI-DSS, CJIS and FFIEC, require multifactor authentication to protect systems and data from intrusion by unauthorized users. MFA is considered a universal cybersecurity best practice, and utilizing it in-house shows your clients that you’re building a strong security culture while stopping the most common cyberattacks from impacting your business.


How To Develop Your Compliance Programs

Utilize internal data to transform your compliance programs from being a reactive measure to a fully-fledged preventative solution.

Depending on the regulations that apply to you, take a look at the prescription and the framework, and then apply it towards your organization.

“Take the highest level of privacy awareness and concern that you might need to maintain and apply it across your framework to give you an edge in supporting clients that conduct international business.”

Look for the common denominator in regulatory frameworks and use that metric as a measuring stick to determine your readiness to secure everything for all clients, both present and future.

Examine other countries’ regulatory guidelines, regardless of whether you operate abroad or not, to determine what other benchmarks you should consider in your programs.

By maintaining compliance with the minimum level of common requirements, you can increase client confidence by demonstrating your awareness of the importance of remaining ahead of the compliance curve.


CHAPTER 4: The Importance of Following Data Privacy Best Practices

Creating, implementing and enforcing strong data protection policies is a requirement to successfully navigate the pitfalls of not just your clients’ liability, but yours as well. IT providers are generally considered business associates in privacy regulations because they have access to other companies’ data. That puts your MSP in a position to be held liable in the event of a security breach. Putting carefully considered policies in place that conform to data privacy best practices is your best bet to mitigate that risk.

When defining your data privacy program, use a zero-trust framework. In zero-trust security, everyone must authenticate their identity to access resources on the network, including data and cloud solutions. No one is trusted by default from inside or outside the network, no matter their level of privilege.

A zero-trust approach also has a myriad of advantages in providing you and your clients with strong, dynamic security that maintains compliance with common regulations. While keeping that philosophy in mind, consider other ways that you can maintain compliance, like adopting and enforcing data privacy best practices.


“In zero-trust security, everyone must authenticate their identity to access resources on the network, including data and cloud solutions.”


Adding Multifactor Authentication (MFA)

Secure identity and access management that includes multifactor authentication is the cornerstone of zero-trust security. Authenticating every user’s identity every time they log in takes the power out of a phished, cracked or stolen password. Not only is this powerful tool universally recommended by experts because it stops almost all password-based cybercrime, it is also a compliance requirement under most common data privacy regulations, including HIPAA, PCI-DSS, CJIS and FFIEC.

Extend Communication Surveillance

Communications now occur across an increasing number of applications and devices. Effectively covering all applications was a challenge for compliance teams previously, but with remote workforces blending work and personal time at home, the challenges are magnified. Legacy solutions and approaches often monitor only one or a few channels for misconduct. Surveillance must extend beyond email to numerous data streams across text, video conferencing and phone calls.

Use Compliant Software Tools

If you’re using applications that aren’t compliant, you’re leaving your business open to disaster. Even a single incident that ends in a data breach or data leak is likely to cost you a fortune, lose you customers and harm your business reputation. Outmoded software tools also cost you money by requiring unnecessary payroll hours on fussy manual security policy configuration. Plus, if you’re eyeing expansion, being compliant with the relevant data security regulations in an industry gives you an excellent marketing tool that gains you more trust with prospects and demonstrates your competence instantly.

Beneficial Data Privacy Best Practices


Use Machine Learning to Inform Human Learning

Currently, compliance teams assess the latest regulations, incorporate them into their programs and offer training to ensure employees understand the rules and abide by them. However, this doesn’t address the actual compliance deficiencies within an organization. Compliance training is set to be revolutionized in 2021 by putting data at the heart of training programs. Analyzing alerts from compliance surveillance tools allows compliance teams to triangulate issues that occur and identify compliance hotspots. This analysis can also be used to find and fix security gaps before they become security disasters.

Invest in Compliance Cloud Technology

Flexibility of operations has been a key factor in organizations moving more operations to the cloud. Cloud-based solutions are modern essentials that provide ease of access for a distributed workforce and reduce internal maintenance costs. Rapid deployment and easy adjustments enable businesses to operate with greater agility, helping them scale up or down quickly and seamlessly integrate new solutions as needed in a flash. The cloud also removes the logistical headache of increasing storage when compiling vast amounts of data.


Develop Specific Work-From-Home Policies

Workforce flexibility is another evolving situation that impacts compliance, especially when faced with operational challenges. Companies that rely on workplace security by restricting off-site access have found that this method leaves them vulnerable to productivity loss if everyone cannot be in the physical office. In a crisis, there’s no time to develop and apply new processes to make it possible for staffers to work from home while maintaining adherence to relevant regulations. Businesses must adjust their compliance processes accordingly, ensuring that they are ready to operate seamlessly regardless of where their employees are working.

Ensure compliance success for a remote or hybrid workforce by concentrating on four key areas.

1. Audit your compliance practices, policies and procedures to ensure they address regulatory obligations for employees working from home.

2. Provide suitable training related to security and applications containing sensitive information.

3. Assess systems for vulnerabilities thoroughly and ensure content from all key communication channels is being ingested for analysis.

4. Increase the level of engagement with everyone that is working remotely to reduce the potential of malicious insider threats and ensure your staff is able to quickly obtain guidance or assistance if they make a mistake.


CHAPTER 5: Consequences of Non-Compliance

The consequences of failing to comply with both legal requirements and data protection best practices are grave. Both your business and your clients’ business will be negatively impacted by the financial, legal and reputational fallout of a data privacy disaster caused by failures in compliance. Potentially negative consequences include:


Destabilizing your business: Beyond losing clients, compliance failures that lead to a data breach can cost you everything. An incident like a data breach is not just costly up front. Investigation, remediation and recovery will also have to be paid for, which is one reason why 60% of companies go out of business following a data breach.

Lawsuits: A data breach doesn’t only affect the breached organization. It also impacts associated employees, consumers, customers, partners and service providers, and any of those affected parties may decide to take expensive legal action.

Regulatory scrutiny: A breach of consumer data risks action by regulators and entities like the Federal Trade Commission (FTC), who can not only levy a hefty fine but also require expensive annual compliance audits for years following the negligent behavior.

Loss of business: Clients in most major sectors are required to maintain certain data privacy standards. If your MSP fails at compliance internally, your customers won’t trust you to maintain their compliance and will move on to the competition.

Massive fines: In 2020, fines for violations of GDPR increased by up to 40% year-over-year compared with 2019. In the U.S., data privacy fines skyrocketed by 141% in the same period, with penalties totaling $10.4 billion.

Property damage: Failure to maintain compliance to data protection best practices opens your business up to physical risk as well. Malware like ransomware can render computers, servers and other technology systems inoperable, requiring expensive replacements.

Falling victim to cyberattacks: Many compliance regulations are built on a foundation of cybersecurity best practices. Failure to follow them leaves businesses ripe for cybercriminal exploitation. In today’s record-breaking cybercrime landscape, that isn’t something anyone can afford.


Maintaining compliance can be tricky, but there are tools that can help you make sure that your business is covering all of the bases for yourself, your employees and your clients. Let the experts at IT Glue guide you as you implement a successful compliance program fast.

See how IT Glue can help with your compliance program with a free demo.
