Solar winds: GDPR

Honesty may not be the first word that comes to mind concerning the current feeding frenzy around the General Data Protection Regulation (GDPR)

Foreword

At a time when some messaging around the new, EU-wide data protection rules is verging on hysteria, CRN and sister publication Channelnomics Europe has conducted a Europe-wide study designed to cut through the hype and uncover how resellers and MSPs genuinely feel about GDPR. Do they view GDPR as a gilt-edge sales opportunity, or just a payday for lawyers? How far down the road to compliance are they themselves, and how well-equipped do they feel advising customers on GDPR ahead of its advent on 25 May, 2018? Are they ready to handle some of the GDPR’s core components, such as the right to request the deletion or removal of personal data? And do those on the front line of IT delivery feel the new regime, which represents the biggest shake-up to EU data protection rules since the 1990s, will have teeth? The study questioned over 250 executives at resellers, MSPs, consultancies and other channel firms in the UK, Germany, France, the Netherlands and Italy in August 2017. Respondents were asked to supplement the tick-box survey with detailed written feedback, and many gave GDPR both barrels. This was complemented by a survey of over 140 IT leaders and UK end users, designed to assess how ready they are for GDPR and what help—if any—they will be seeking from IT suppliers around becoming compliant. The majority of resellers and MSPs questioned do see GDPR as at least a modest sales opportunity. But this is offset by caution around the challenges GDPR presents for their own business, a recognition that it is first and foremost a legal challenge (vs technical), and a feeling that the regulation is both overhyped and confusing. That said, it is clear from the findings of this study that GDPR will enable those who get their heads around the new rules to re-ignite conversations around data protection and cement their trusted advisor status.

80%

78%

42%

85%

34%

92%

87%

83%

77%

Genetic records

A computer IP address

Posts on social network sites

Medical histories

Banking details

Biometric data

Email addresses

Photographs of people

Names

Fig 8: What do you believe to be considered personal information under GDPR ? (UK end users)

80%

64%

87%

42%

97%

83%

82%

Genetic records

A computer IP address

Posts on social network sites

Medical histories

Banking details

Biometric data

Email addresses

Photographs of people

Names

13%

25%

38%

18%

Don't know

It will be fairly toothless in practice

They will make an example of a few big firms, but most firms will be under its radar

It will have teeth, but not to begin with. Non-compliers will probably be safe for a year or two

It will have real teeth, and firms should ensure they are fully compliant from day one

Fig 5: To what extent do you feel GDPR will have teeth? (all five countries)

12%

29%

43%

Don't know

It will lead to the biggest uplift in security and storage spending for years

To a significant extent – it is a key driver for security and storage spending among customers

To a limited extent – it is just one of many drivers for security and storage spending among customers

Not at all

Fig 7: What do you believe to be considered personal information under GDPR? (Channel)

Fig 4: To what extent do you expect GDPR to boost security and storage spending among your customer base? (all five countries)

12%

35%

22%

24%

What is GDPR?

Primarily just a headache

An opportunity and potential headache in equal measure

Not a huge sales opportunity, but a chance to cement relationships with customers

A huge windfall in terms of potential extra technology and consultancy sales

Fig 3: How do you view GDPR generally in terms of the opportunities and challenges it represents for your business? (all five countries)

Don't know

Yes, to a limited degree

It will have no impact on our marketing strategy

17%

15%

45%

23%

Yes, very much so

Fig 6: Given the stricter regulations GDPR will impose around collecting consent for email marketing, do you expect social media to become a more important platform for your firm's marketing strategy after May 2018? (all five countries)

Fully

To a limited extent

To a great extent

26%

36%

10%

20%

10%

20%

46%

24%

Not at all

Don't know/ haven't heard of GDPR

We have completed our preparations and fully tested our compliance with GDPR

We are in the process of implementing detailed plans to ensure GDPR compliance by the May 2018 deadline

We have detailed plans, but have yet to put them into practice

We’ve talked about it, but done nothing concrete so far

Fig 2: To what extent do you feel qualified to give customers technology advice around GDPR compliance? (all five countries)

Fig 1: What plans and preparations has your own business made for GDPR? (all five countries)

“We are receiving a wide range of requests for assistance in completing questionnaires and compliance forms from customers in relation to their GDPR status. These emanate from their accounting or legal firms or in some cases from their external suppliers. It is an area in which MSPs certainly play a part as in many cases we are a data processor for those clients.” Edel Creely, Group Managing Director, Trilogy Technologies

“We’ve all got a part to play in the execution of this. But if anyone thinks they’re going to walk in and solve a GDPR problem for one of their clients, and sign a contract on the back of it that says you are now GDPR compliant, good luck.” Richard Lockey, UK Country Manager, Crayon

Are resellers and MSPs ready for GDPR?

Conclusion

The vision of an IT sales industry ready to make hay from GDPR appears to be wide of the mark. The findings of this research demonstrate that IT suppliers neither feel fully ready for 25 May, 2018 themselves, nor fully confident about helping their customers get up to speed. They also see GDPR causing upheaval in both their marketing strategies and contracts with customers. However, it is clear from the UK end-user research conducted in parallel with the five-country IT supplier study (see ‘end-user findings’ section), that a substantial minority of end users are looking for guidance on GDPR from their tech suppliers. GDPR may be primarily a legal issue, but technology has an enabling role to play. A quarter of end users’ questions indicated they are looking for advice, as well as extra technology, from IT suppliers as they look to get up to speed. In other words, these findings suggest that end users will require more technology guidance on GDPR than the channel is ready to provide at this juncture. While GDPR may not be a cash cow, smart resellers, MSPs, and consultancies will step up to fill this void, thereby cementing their status as trusted advisors.

Getting personal

Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural (i.e., living) person. Its definition of personal data is more detailed than current data protection laws, making it clear that information such as an online identifier—e.g., an IP address—can be personal data. However, wherever you look, there is no definitive list of what does and doesn’t qualify under the new rules. There were therefore technically no right or wrong answers when we asked both the channel (see figure 7) and UK end-user respondents (see figure 8) about their views. That said, the responses demonstrate a high level of awareness of GDPR’s broadened scope.

Will GDPR force resellers to rethink sales and marketing?

We also asked respondents whether GDPR will force them to rewrite customer contracts and, again, the answer was overwhelmingly ‘yes’. In the UK, 64 per cent said it would to at least a limited extent, with the equivalent figures in Germany, France, Italy and the Netherlands standing at 56, 47, 59 and 71 per cent, respectively.

Among other things, GDPR is designed to minimalise the more intrusive sales and marketing practices citizens across the EU’s 28 member states are currently subjected to. IT suppliers are not immune to this crackdown, and the vast majority of respondents questioned said the stricter regulations the GDPR will impose around collecting consent will make social media a more important platform for their marketing strategy (see figure 6). In the UK, 71 per cent said they would shift to social to at least a limited degree, with the equivalent figures in Germany, France, Italy and the Netherlands standing at 61, 64, 61 and 74 per cent, respectively.

Will GDPR have teeth?

GDPR has been billed as ‘data protection on steroids’, and certainly raises the bar on the previous patchwork of data protection regulations currently in force around Europe, including the UK’s 1998 Data Protection Act—introduced the same year Google was founded. Organisations dealing with EU citizens’ data must, from 25 May, 2018, among other things, gain consent from customers to process their data, be able to remove that data in some instances where the customer requests it, and report data breaches in a timely fashion. The maximum fines involved for non-compliance are now the greater of four per cent of global turnover or €20m. GDPR certainly sounds tough on paper, but whether regulators across Europe will have the manpower to enforce it with real vigour is another question. Most IT suppliers have their doubts (see figure 5). In the UK, just 21 per cent said the GDPR ‘will have real teeth, and that firms should ensure they are compliant from day one’. The figure was similar or even lower in most mainland European countries (Germany: seven per cent, France: 23 per cent, Italy: 19 per cent, the Netherlands: eight per cent).

Do resellers see GDPR as a sales opportunity?

EXECUTIVE SUMMARY

When we asked to what extent they expected GDPR to boost security and storage spending among their customers, again respondents more often than not had fairly modest expectations (see figure 4). Only a small minority of respondents in the UK, France, and Italy (four, two, and two per cent, respectively) replied ‘not at all’. In the Netherlands and Germany—a country known for its tough stance on data protection and data privacy—the proportion was slightly higher (nine and eight per cent, respectively). In most countries, the most popular response was ‘to a limited extent’, with 46 per cent of UK and German, 44 per cent of French, 45 per cent of Italian and 28 per cent of Dutch respondents picking this option. When asked to break down where they expect spending increases to come, cloud storage, encryption and two-factor authentication were among the hotspots, alongside services such as risk assessments and network audits.

According to analyst International Data Corporation (IDC ), GDPR will fuel a $3.7B annual IT security spending bonanza. Rival analyst Canalys agrees, predicting that the European IT security market will enjoy a GDPR-induced bounce of 16 per cent in 2017. But, mirroring the findings of the previous section, the majority of resellers, MSPs, and consultancies are ambivalent about GDPR and the impact it will have on their order books. We asked reseller respondents how they viewed GDPR generally, in terms of the opportunities and challenges it represents for their business. Relatively few suppliers across Europe think it will provide a ‘huge windfall’, although the percentage was higher in France, the UK and the Netherlands (26, 24 and 23 per cent, respectively) than in Germany (11 per cent) and Italy (12 per cent).

Probing deeper into one important aspect of the GDPR, we asked how easily respondents could remove their clients’ personal data. Depending on the country, between a quarter and just over a half admitted it would be either ‘somewhat’ or ‘extremely’ difficult to fill this requirement as their business stands. In Germany, the figure was as high as 55 per cent, with the UK figure standing at 26 per cent.

A significantly higher proportion (UK: 30 per cent, Germany: 10 per cent, France: 15 per cent, Italy: 12 per cent, the Netherlands: 24 per cent) said they had so far done “nothing concrete” towards becoming compliant. That said, most IT suppliers are at least on the road to compliance. The highest proportion of respondents in each country said they are in the process of implementing GDPR compliance plans (UK: 43 per cent, Germany: 51 per cent, France: 18 per cent, Italy: 20 per cent, the Netherlands 33 per cent). A sizeable proportion of channel firms also feel poorly equipped to offer technology advice around GDPR compliance, the study found (see figure 2).

From 25 May, 2018, any firm operating in the EU (or that handles the personal data of people who reside in the EU) will face fines of up to €20m — or four per cent of global turnover — if they fail to comply with the GDPR. But with less than a year to go, just three per cent of UK IT leaders questioned in our end-user research said they had completed their preparations and fully tested their compliance with GDPR (see ‘end-user findings’ section for more). Perhaps surprisingly, the figure is barely higher among the UK, German, French, Italian and Dutch IT suppliers questioned (see figure 1), many of whom will find themselves subject to the new rules not only as data controllers, but also as data processors. In the UK, just seven per cent of respondents said they had completed their preparations for GDPR. The results were similar for Germany (seven per cent), France (nine per cent), Italy (four per cent) and the Netherlands (11 per cent).

Edel Creely Trilogy Technologies

Dan Sharp, Mirus IT Solutions

John-Paul Norman, Amicus ITS

Click to enlarge

More UK survey results

Key UK survey results

“We’ve seen these feeding frenzies in the past and it doesn’t do anyone any credit… The challenges now come around some of the obligations to demonstrate compliance. I think we will take as much time reviewing what we’re doing and documenting what we are doing so we can communicate it better to our clients to help them meet their own obligations—renewed privacy policies, renewed contracts, etc.” David McLeman, Ancoris

The UK

As the above quote demonstrates, there is a feeling among UK IT suppliers that GDPR is being over-hyped in Europe’s second-largest economy. This may partly explain why GDPR is viewed as a bigger sales opportunity in the UK than elsewhere, with 39 per cent of respondents believing it will ‘significantly’ boost security and storage spending among their customers—more than any country, barring the Netherlands. That said, very few UK IT suppliers feel they are in a position to take on the status of a trusted advisor around GDPR. Just eight per cent said they felt ‘fully qualified’ to give customers technology advice on becoming compliant, the joint least of any country, and only seven per cent have completed their own GDPR preparations.

Click to enlarge

More Dutch survey results

Ian Zein, Sentia

Ivo-Paul Tummers, Jibes

Eward Driehuis, SecureLink

Netherlands survey results

“Are Dutch organisations ready [for GDPR]? Mentally they are not, but they will crack it. Once they go for it they will go for the complete full package.” Ivo-Paul Tummers, Jibes

The Netherlands

The Dutch wasted little time getting their ducks lined up for GDPR, publishing a proposal for a Dutch GDPR Implementation Act in December 2016. It will replace the Dutch Data Protection Act on 25 May, 2018. Resellers and MSPs in the country appear to be just as organised. Some 11 per cent of Dutch respondents said they are fully compliant with GDPR, more than any other country, with a further 33 per cent on the road to becoming compliant. That said, only eight per cent said they felt fully qualified to give customers technology advice around GDPR, the joint lowest of any country. Dutch IT suppliers were also the most optimistic about the impact GDPR will have on their order books, with 41 per cent predicting it will fuel a ‘significant’ boost in security and storage sales, and a further 23 per cent viewing GDPR as a ‘huge windfall’ for them.

Click to enlarge

More German survey results

Kai Grunwitz, NTT Security

Carl Muehlner, Damovo

German survey results

“I truly believe that Germany is in a different situation than most other European countries. Germany has for a long time had a culture of data protection... So in a way, European law is getting up to the standard of German law.” Carl Muehlner, Managing Director, Central Region, Damovo

Germany

As the above comment indicates, Germany is known for its hard line on data privacy and protection, and some intriguing patterns emerge when looking at how German resellers and MSPs view GDPR compared with their peers across Europe. By and large, German respondents feel they are further down the road to becoming GDPR-compliant themselves than their European counterparts (51 per cent said they are in the process of becoming compliant, higher than anywhere else). Perhaps in a reflection that German end users are also better prepared for GDPR than elsewhere, most German IT suppliers view GDPR as only a modest sales opportunity. Just 11 per cent of the 44 firms questioned characterised it as a ‘huge windfall’, less than all four other countries studied. That said, most German MSPs feel they have a lot of work to get up to speed for 25 May. Only ten per cent felt they were fully qualified to give their customers technology advice around GDPR. Meanwhile 55 per cent admit it would be either ‘somewhat’ or ‘extremely’ difficult for them to remove clients’ personal data, a core aspect of GDPR.

Click to enlarge

More French survey results

Jérôme Etienne and Stéphane Caranobe, ITS Group

Romain Danielou, Devoteam

French survey results

“[GDPR] will push our customers to be more innovative and to accelerate and shift the way they are tackling user experience.” Romain Danielou, Devoteam

France

Of all the MSPs and resellers included in this study, those in France seemed generally the least clued up on GDPR. ‘Je ne sais pas’ proved to be a popular option for many of the questions, more so than in the other four countries studied. More than a quarter of respondents admitted they hadn’t heard of GDPR, while 41 per cent said they didn’t know how far their own firms were along their GDPR journey. Just 28 per cent said they had either completed, or were in the midst of, their preparations for GDPR. Over half of French respondents (53 per cent) felt they were ‘not at all’ qualified to give customers technology advice around GDPR compliance, compared with 12 per cent in the UK.

Click to enlarge

More Italian survey results

Alberto Fenini and Marco Coppolino, Consys

Marco Lucchina, Elmec

Italian survey results

“We think [GDPR] will definitely be an opportunity to provide support to our customers in getting compliant.” Alberto Fenini, Consys

Italy

Countries in southern Europe are perceived in some quarters as traditionally having less stringent data protection and privacy regimes than those further north. And it appears to be the case that fewer resellers and MSPs in the ‘boot of Europe’ are ready for GDPR than elsewhere. Only four per cent of Italian respondents said they had completed preparations, with a further 20 per cent in the process of becoming compliant, the lowest of all the countries surveyed. Despite this, Italian respondents do view GDPR as a bigger sales opportunity than some other countries. Some 31 per cent said they expect the new regulation to provide at least a 'significant' boost to their security and storage sales, less than the UK and the Netherlands, but more than France and Germany.

Fig 8:

Fig 7:

Fig 6:

Fig 5:

Fig 4:

Fig 3:

Fig 2:

Fig 1:

END-USER FINDINGS

The findings of the end-user survey reinforce the impression that end users see GDPR as primarily a legal/governance issue by end-users. Many feel they won’t need any help from IT suppliers at all. That said, the majority will be calling on resellers to help them plug technology gaps at the very least, while a significant minority – roughly a quarter – will require deeper guidance, signalling a clear trusted advisor role for the channel.

Finally, we asked our end users about both the preparations they have made for GDPR so far, and how confident they are that their firm will be GDPR-compliant by 25 May, 2018 (see figure 6 and 7), as well as whether they think the new rules will have teeth (see figure 8).

Unsurprisingly, governance and compliance was cited as the central GDPR command hub by the highest number of respondents (49 per cent). The IT department was a distant second on 24 per cent (see figure 5).

Additionally, end-user respondents were quizzed on what aspects of GDPR they see as being hardest to comply with (see figure 4). The right to erasure emerged as the top option by far, with 61 per cent picking it out as a top concern.

The top five technology areas IT leaders said they have dedicated, or will dedicate, additional investment to in order to become compliant were risk assessments (36 per cent), cloud/online backup and recovery (31 per cent), encryption (30 per cent), storage (29 per cent) and mobile device management (26 per cent) (see figure 3).

Mirroring the findings of the previous question, when asked what changes they are or will be making to comply with GDPR, a quarter of respondents said they would be seeking third-party legal or technical help (see figure 2). Some 35 per cent also said they would be reviewing their partners’ use of personal data.

Alongside the pan-European channel study, CRN also surveyed over 140 UK IT decision makers about their feelings towards GDPR, particularly in relation to what they are seeking from their IT suppliers. It is often said that IT will play just an enabling role in GDPR compliance, and this sentiment was perhaps reflected in the modest part most end users expect IT suppliers to play in their GDPR plans. More than a quarter said they will require no support at all from IT suppliers, either because they are already fully compliant, or because they feel they have it covered internally. The good news is that the majority do see at least a limited role for IT suppliers (see figure 1), with about a quarter seeking fairly deep involvement from them.

This document is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR may apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance. SolarWinds MSP makes no warranty, express or implied, or assumes any legal liability or responsibility for the information contained herein, including the accuracy, completeness, or usefulness of any information. © 2017 SolarWinds MSP UK Ltd. All rights reserved.

Resellers on whether their role will help clients comply with GDPR

We've seen a massive spike in information requests about GDPR this year and have produced extensive guidance for our industry. We've already seen an uptick in sales and have invested heavily in a platform solution to help our clients with things like consent management, RTBF requests, and the like. Internally our challenges are finding the time to finish our own compliance around all the work we're doing for our clients, but we'll get there. Operations director, full lifecycle solution supplier Unfortunately, many ‘experts’ do not actually give an accurate/complete picture of GDPR scope and implications—much of our initial consultative role is to debunk inaccurate info that clients have taken as true. CEO/MD, MSP Our business deals with personal data for certain clients so I think the biggest challenge for us will be collaborating with them to help them understand their own responsibilities when they are either controllers, processors or both. Communication around these issues will be key to maintaining good relations, confidence and indeed reputation of both parties. Planning and insight, MSP It’s a very significant shift, and we have been briefed at a high level on the impacts. CEO/MD, consultancy

Resellers on whether GDPR is being over-hyped

The industry is now dramatically over-hyping GDPR; it feels like Y2K all over again. Sales/commercial director, cloud services provider It's the new 'AI'; everyone is appending a GDPR-compliant tag to their products, which is muddying the waters for everyone. C-level role, reseller/VAR I do think GDPR has been over-hyped, but there is little to no information available to explain the process. I also feel the vendors are attempting to play up a scare tactics approach to customers. Is there a government grant available to SMB to comply with GDPR or will a fine suffice? Sales/commercial director, reseller/VAR GDPR has not been covered enough in the media. A lot of people are still not aware of it and it will affect almost all companies in some form. C-level role, reseller/VAR

Resellers on whether the GDPR will have teeth

Everyone knows it’s a potential issue, but most are sceptical about it because of the ‘hype’ factor. Having been to events recently, most of the market believes there will be a period of grace. Marketing director/CMO, consultancy I believe that the GDPR will be a game changer for personal data security. I believe that customers have, and will continue to become, more savvy about the personal data and if a company disregards the trusted position they are being put in as the custodian of personal data then they are going to be severely stung. Companies are starting to wake up to the issue, but there is definitely a challenge arising in getting companies to realize the enormity of the situation sooner rather than later. Senior manager, consultancy Once the teeth that the legislator has become apparent, it will be taken more seriously. CFO, managed services provider

Resellers on whether GDPR will boost sales

My role is based around backup and DR software so I have seen the level of interest in the product increase in recent months and I believe this will continue. GDPR is of key interest and this will continue to grow before May next year. Sales/commercial director, distributor It's proving a good commercial opportunity for us. I think the spike will come in the next three months. CEO/MD, consultancy It’s still very unclear if this is going to be a channel changer for us in the VAR world, or more a new line of business for commercial insurance. Sales executive, reseller/VAR If I was an IT buyer, I would probably be sick of people calling me about GDPR. Hence I doubt its usefulness as a new business tactic. Sales executive, reseller/VAR It will force customers to look at security more seriously and will spike later this year, I would think before Christmas. Sales executive, reseller/VAR Over-hyped; no boost to our sales, just something to manage internally. Sales executive, outsourcing firm

The GDPR detractors

It's the next Y2K. Likely to be a colossal waste of time and money because the regulations won't be enforced in any meaningful way. Sales/commercial director, reseller/VAR The openness to interpretation is cause for concern to us. Until some test cases set precedent, it will be difficult to claim any company is 100 per cent compliant. I’m tired of hearing about GDPR. Sales/commercial director, distributor I’m tired of hearing about GDPR. C-level role, reseller/VAR

The GDPR fans

GDPR in your own words

The driver for increased data security will be visibility of public cyberattacks. GDPR compliance will come second to this, but the two together give marketing advantages. Sales/commercial director, MSP We see GDPR as an opportunity for organisations to streamline ambiguous processes using the right technology. Marketing director, cloud services provider GDPR is good news for the digital market as it brings some order to what has been a data free-for-all. GDPR is simply part of digital growing up. C-level role, consultancy Initially, it is about getting our house in order and making sure the policies and procedures are adopted through the workforce by undertaking proper training and education. For our customers, we want to be able to help them make good decisions around improving the accessibility of data in the event of a subject access or deletion request. Technical, reseller/VAR I think it is something that is necessary and needs to happen to protect the consumer. Aside from criminal investigation purposes, all have the right to know how their data is being held. Challenges will be for the marketing department, where we will need to verify information before we act upon any campaigns. Marketing executive, IT services

We asked IT suppliers across the five countries studied to (anonymously) give detailed written feedback on their thoughts on GDPR. Here are some of the highlights from UK respondents: