GDPR Archives - IT Glue
https://www.itglue.com/blog/category/regulatory-compliance/legal-compliance/gdpr/
Wed, 04 Sep 2024 09:20:21 +0000

GDPR Compliance: How IT Glue Protects Your Privacy
https://www.itglue.com/blog/gdpr-compliance-protects-privacy/
Tue, 24 Apr 2018 15:07:30 +0000

On May 25th, 2018, the EU’s new General Data Protection Regulation (known as GDPR) goes into effect. This new standard defines how businesses need to protect the privacy of EU residents.

At IT Glue, we take your privacy very seriously and are proud to announce that our systems and processes are GDPR compliant.

Security and privacy have been designed into IT Glue from the start. After all, we’re protecting some of the most valuable information assets an MSP can have – including administrative credentials and documentation of client environments.

Some of the ways we protect your privacy include:

  • We minimize the personal information we collect, and collect it only with your express permission
  • All our systems and data are hosted with a highly certified, Tier 1 hosting provider: Amazon Web Services
  • EU customers may choose to be hosted in the EU zone
  • We minimize the number of data processors we use and ensure that none of them has access to unnecessary data. All vendors who connect to our production system go through a stringent vendor management process.

As part of our SOC 2 certification process, we decided to go above and beyond the basic security controls to protect your privacy and data:

  • We implemented PCI-DSS and ISO 27001-compliant controls and operating procedures
  • Our controls and processes are tested annually as part of our ongoing SOC 2 compliance
  • We perform regular independent testing exceeding PCI-DSS standards, including vulnerability scanning, penetration testing and internal audit
  • All connections to IT Glue are encrypted

IT Glue partners own the data they store in IT Glue at all times. We only process that data as appropriate for the services provided.

If you have any questions about your privacy or the security of your data, including needing information on providing access or erasing your data, please contact: support@itglue.com

The post GDPR Compliance: How IT Glue Protects Your Privacy appeared first on IT Glue.

What MSPs Need to Know about GDPR
https://www.itglue.com/blog/what-need-know-about-gdpr/
Tue, 10 Apr 2018 15:28:15 +0000

On May 25th, GDPR becomes enforceable law. Even though it’s a European law, there’s a good chance it will apply to your business, too. We reached out to GDPR consultant Ale Brown of Kirke Management Consulting to write this guest post and provide you with the information you need to know about GDPR.

Background

The General Data Protection Regulation (GDPR) has been a topic of interest for the last year or so among organizations that collect or store personal data from residents of EU countries. The law will be enforceable beginning May 25, 2018. Here’s what you need to know right now:

  • Your company probably has legal obligations under GDPR
  • It does not matter where your company is located
  • The penalties for non-compliance are severe

In a 2017 survey of outsourced IT service providers in the UK, 60% identified GDPR as the biggest challenge to organizational IT plans in the next 3 years. Even among European MSPs, readiness is incomplete. Among non-European MSPs, readiness for most is non-existent at this point. The time to get your MSP ready is now.

GDPR in a nutshell

The General Data Protection Regulation is the new data protection law enacted by the EU that comes into effect on May 25, 2018. The structure of GDPR is unique among privacy laws in that it is the first data protection regulation that ensures individuals’ rights are paramount. GDPR applies to any company, anywhere, that collects or stores personal data about EU residents.

Does GDPR apply to you or your customers?

If you are a business that is not headquartered in the EU, how will you know whether you need to comply with these regulations? The answer is easy. If you fall under one of these three categories, you will have to comply:

1. If you have a physical presence in the EU
2. If you don’t have a physical presence but you offer products or services to EU residents
3. If you don’t offer products or services but you monitor EU residents’ online behavior

If you are an MSP that falls into one of these categories, you will have obligations under GDPR as a controller of data. If you do not fall into any of these categories but one or more of your customers do, you will have to comply because you will be considered a processor of data under GDPR requirements. These terms are pretty vague, so let’s unpack them a bit, to help you understand what obligations exist for each.

Controllers and processors

The difference between a controller and a processor is who has authority and makes decisions over the personal data that is being collected. If you have customers who are EU residents or companies, you are collecting and in control of that data directly. That makes you a controller under GDPR. If your clients are the ones who have customers who are EU residents or companies, but you are responsible for the storage and/or handling of that data, you are a processor under GDPR.

If you or your customers need to comply, what do you need to do now?

GDPR encourages a risk-based approach, in which you decide how to implement safeguards and processes. Don’t forget that GDPR is not only about cybersecurity: it is a framework that requires technological, legal and operational solutions to ensure compliance.

These are a few of the things that you need to keep in mind:

  • What kind of personal data is being collected? There are different “degrees” of sensitivity. The risk level is different if you are collecting an email address vs. collecting health data.
  • Are you transferring data to a country outside of the EU? Is that country deemed adequate by the EU data protection authorities? If not, what safeguards do you have in place to ensure a satisfactory transfer and protection of personal data?
  • Since you are an MSP, you are most likely processing personal data on behalf of another company. You need to review your current agreements and ensure that they contain the appropriate provisions to satisfy GDPR requirements.
  • Are you transparent in explaining to individuals what data you collect from them, how you use it, and for how long? Do you require their consent? If you do, you will need to record when they give you consent and, equally important, when they take that consent away. You will most likely have to help your customers with this.
  • Do you need a Data Protection Officer? The data protection authorities are looking to establish a relationship with organizations that process EU residents’ personal data and to have someone “on the ground” to respond to requests from data subjects. It is recommended that your MSP has a structure in place to handle requests from regulatory bodies.

How to best prepare yourself and your clients to be ready for GDPR

It’s important to discuss GDPR with your clients, in order to determine what exposure and obligations you have.

  • Understand your data. Identify and justify the purposes you are collecting it for, how long you are keeping it, where it resides and how sensitive it is.
  • Work on your communication to individuals. Review your privacy notice and ensure it includes the information required by GDPR, provide specific information at the time of collection, and ensure that you receive and document consent where needed.
  • Review your processes to respond to individual requests. Ensure you are equipped to respond to requests to access, modify, delete, take away or stop processing data within 30 days.
  • Review third-party contracts. Ensure that your contracts with the organizations with which you exchange data incorporate GDPR principles into their language.
  • Adopt a data protection by design culture. Ensure that reviews of data protection requirements happen up front when developing a new product or service. Perform data protection impact assessments. Create awareness in your organization of data protection principles.
  • Develop a clear protocol for incident response. Be trained, and equipped with SOPs to handle privacy breaches.
  • Identify your Lead Data Protection Authority. Designate a Data Protection Officer who can be the main point of contact for regulatory agencies on matters of data privacy. Ensure that your DPO is familiar with GDPR best practices.

GDPR as a business opportunity

GDPR is an ongoing obligation for both you and your clients. The reality is that outside of Europe, very few MSPs are going to be fully capable of helping their clients meet GDPR requirements. There is an opportunity to gain first-mover advantage by developing an understanding of GDPR requirements, and how to build them into your clients’ IT environments. From cookies to encryption to data protection to having the ability to scrub data on demand, there are several different things your clients will need from you in order to be compliant. The more you can offer, the bigger the opportunity you’ll have to build new client relationships and strengthen existing ones.

IT Glue and GDPR

  • IT Glue acts as a data processor for its clients. We’ve mapped out everywhere your data exists and how it moves throughout our systems.
  • We’ve taken a very deliberate approach to respecting our clients’ privacy. We only collect the data we need at any point to provide the promised services.
  • We categorize the data we collect and receive in two ways: Personal Data and Subscriber Data.
  • We only collect the minimum required Personal Data. This includes your registration information and email addresses for user provisioning. Other Personal Data, such as IP addresses, are collected in our logs for troubleshooting and audit purposes.
  • Subscriber Data, the data about your customers that you upload and enter into IT Glue, is yours. While we maintain it for you, you maintain its security and privacy at all times. Subscriber Data is only shared with third parties if you have enabled any integrations through IT Glue.

As both Personal Data and Subscriber Data are yours, we honor any requests to remove data from our systems. Simply email support@itglue.com and we will fulfill your requests. Further information about IT Glue’s security and privacy can be found in our security whitepaper and our privacy policy.

To learn more about preparing your MSP for GDPR, contact Kirke Management Consulting at https://kirke-consulting.com/

To learn how to increase your value as a trusted security advisor for your clients through GDPR and more, check out our popular SECaaS webinar.

Author: Ale Brown,
Founder and Principal Consultant, Kirke Management Consulting
604.787.3230
abrown@kirke-consulting.com

With assistance from:
Mike Knapp
Partner, Incrementa
mknapp@incrementa.ca

Editor:
Joshua Oakes
IT Glue
joakes@itglue.com

The post What MSPs Need to Know about GDPR appeared first on IT Glue.

IT Glue Launches New EU Cloud
https://www.itglue.com/blog/it-glue-launches-new-eu-cloud/
Sat, 18 Nov 2017 00:24:45 +0000

Big news on the data sovereignty front for our EU and UK partners! We are excited to announce the launch of our new EU Cloud. IT Glue™ now offers our partners the option of hosting data in our new Germany-based data centre. This means that EU- and UK-based MSPs can now enjoy data sovereignty, with your data stored in IT Glue never leaving European boundaries.

About the EU Cloud

Our new EU Cloud will be hosted by Amazon Web Services (AWS) in Frankfurt. If you are a new or existing IT Glue partner, you can choose from either a US or EU cloud to host your data.

What’s more, this new data centre allows EU-based providers to meet GDPR provisions with respect to third-country hosting before they come into effect in May 2018.

According to IT Glue CEO, Chris Day, “Having EU cloud storage for our European partners further strengthens IT Glue’s footprint as a global leader in the documentation market.” Day adds, “We put a lot of energy into bringing our EU Cloud to life with the highest level of security standards and I am thrilled to finally be offering it to our European partner base.”

IT Glue’s Managing Director, EMEA, Phil Sansom, sees the EU Cloud as an essential addition. “The EU Cloud is great news for our European MSP partners,” says Sansom. “Along with our rapidly expanding EMEA team, based in Reading, UK, the launch of our EU Cloud is a testament to our commitment to the success of our European partners.”

FAQ

I’m not with IT Glue yet, but this changes things. To whom do I speak?

You may contact our UK office at +44 203 769 4300 or our head office in Vancouver at +1-844-235-GLUE [4583]. You can set up your account for the EU Cloud when you sign up.

I want to move my data to the Germany-based cloud. How do I do that?

Existing IT Glue partners who are interested in migrating their data to the new EU Cloud can schedule a data migration by contacting IT Glue’s Partner Support team. We will be contacting all of our EMEA partners when we are ready to begin the transfer process.

Are data transfers secure?

Absolutely. Our development team has placed special emphasis on building a secure transfer service to ensure full security compliance during the data migration.

I’m in Australia/New Zealand/South Africa/Canada – does this affect me?

All partners have the option of migrating to the EU Cloud. If this makes sense for you operationally, you are more than welcome to schedule a migration. Otherwise, nothing changes for you.

I’m in the US. Does this affect me?

Not really. Your data will continue to be hosted by Amazon Web Services in the US. You have the option of migrating to Europe, but it is unlikely that this would make sense for you.

IT Glue is the world’s leading IT documentation software for MSPs. We want to make your journey to documentation excellence and peace of mind easier, so we provide an extensive array of informational resources to help your team document more easily. From our Knowledge Base to the IT Glue Library, to our amazing Partner Support team, IT Glue has your back as you travel the road to documentation mastery.

The post IT Glue Launches New EU Cloud appeared first on IT Glue.
