Honesty may not be the first word that comes to mind concerning the current feeding frenzy around the General Data Protection Regulation (GDPR).
At a time when some messaging around the new, EU-wide data protection rules is verging on hysteria, CRN and sister publication Channelnomics Europe have conducted a Europe-wide study designed to cut through the hype and uncover how resellers and MSPs genuinely feel about GDPR.
Do they view GDPR as a gilt-edge sales opportunity, or just a payday for lawyers?
How far down the road to compliance are they themselves, and how well-equipped do they feel advising customers on GDPR ahead of its advent on 25 May, 2018? Are they ready to handle some of the GDPR’s core components, such as the right to request the deletion or removal of personal data?
And do those on the front line of IT delivery feel the new regime, which represents the biggest shake-up to EU data protection rules since the 1990s, will have teeth?
The study questioned over 250 executives at resellers, MSPs, consultancies and other channel firms in the UK, Germany, France, the Netherlands and Italy in August 2017. Respondents were asked to supplement the tick-box survey with detailed written feedback, and many gave GDPR both barrels.
This was complemented by a survey of over 140 IT leaders and UK end users, designed to assess how ready they are for GDPR and what help—if any—they will be seeking from IT suppliers around becoming compliant.
The majority of resellers and MSPs questioned do see GDPR as at least a modest sales opportunity. But this is offset by caution around the challenges GDPR presents for their own business, a recognition that it is first and foremost a legal challenge (vs technical), and a feeling that the regulation is both overhyped and confusing.
That said, it is clear from the findings of this study that GDPR will enable those who get their heads around the new rules to re-ignite conversations around data protection and cement their trusted advisor status.
A huge windfall in terms of potential extra technology and consultancy sales
Fig 5: To what extent do you feel GDPR will have teeth? (all five countries)
An opportunity and potential headache in equal measure
It will have teeth, but not to begin with. Non-compliers will probably be safe for a year or two
We’ve talked about it, but done nothing concrete so far
To a limited extent
Fig 1: What plans and preparations has your own business made for GDPR? (all five countries)
To a significant extent – it is a key driver for security and storage spending among customers
It will be fairly toothless in practice
Posts on social network sites
Will GDPR force resellers to rethink sales and marketing?
Among other things, GDPR is designed to minimise the more intrusive sales and marketing practices citizens across the EU’s 28 member states are currently subjected to.
IT suppliers are not immune to this crackdown, and the vast majority of respondents questioned said the stricter regulations the GDPR will impose around collecting consent will make social media a more important platform for their marketing strategy (see figure 6).
In the UK, 71 per cent said they would shift to social to at least a limited degree, with the equivalent figures in Germany, France, Italy and the Netherlands standing at 61, 64, 61 and 74 per cent, respectively.
“We’ve all got a part to play in the execution of this. But if anyone thinks they’re going to walk in and solve a GDPR problem for one of their clients, and sign a contract on the back of it that says you are now GDPR compliant, good luck.”
Richard Lockey, UK Country Manager, Crayon
We are in the process of implementing detailed plans to ensure GDPR compliance by the May 2018 deadline
A significantly higher proportion (UK: 30 per cent, Germany: 10 per cent, France: 15 per cent, Italy: 12 per cent, the Netherlands: 24 per cent) said they had so far done “nothing concrete” towards becoming compliant.
That said, most IT suppliers are at least on the road to compliance. The highest proportion of respondents in each country said they are in the process of implementing GDPR compliance plans (UK: 43 per cent, Germany: 51 per cent, France: 18 per cent, Italy: 20 per cent, the Netherlands: 33 per cent). A sizeable proportion of channel firms also feel poorly equipped to offer technology advice around GDPR compliance, the study found (see figure 2).
According to analyst International Data Corporation (IDC), GDPR will fuel a $3.7B annual IT security spending bonanza. Rival analyst Canalys agrees, predicting that the European IT security market will enjoy a GDPR-induced bounce of 16 per cent in 2017. But, mirroring the findings of the previous section, the majority of resellers, MSPs, and consultancies are ambivalent about GDPR and the impact it will have on their order books.
We asked reseller respondents how they viewed GDPR generally, in terms of the opportunities and challenges it represents for their business.
Relatively few suppliers across Europe think it will provide a ‘huge windfall’, although the percentage was higher in France, the UK and the Netherlands (26, 24 and 23 per cent, respectively) than in Germany (11 per cent) and Italy (12 per cent).
GDPR has been billed as ‘data protection on steroids’, and certainly raises the bar on the previous patchwork of data protection regulations currently in force around Europe, including the UK’s 1998 Data Protection Act—introduced the same year Google was founded.
Organisations dealing with EU citizens’ data must, from 25 May, 2018, among other things, gain consent from customers to process their data, be able to remove that data in some instances where the customer requests it, and report data breaches in a timely fashion. The maximum fines involved for non-compliance are now the greater of four per cent of global turnover or €20m.
GDPR certainly sounds tough on paper, but whether regulators across Europe will have the manpower to enforce it with real vigour is another question.
Most IT suppliers have their doubts (see figure 5).
In the UK, just 21 per cent said the GDPR ‘will have real teeth, and that firms should ensure they are compliant from day one’. The figure was similar or even lower in most mainland European countries (Germany: seven per cent, France: 23 per cent, Italy: 19 per cent, the Netherlands: eight per cent).
haven't heard of GDPR
Fig 4: To what extent do you expect GDPR to boost security and storage spending among your customer base? (all five countries)
It will have no impact on our marketing strategy
Not at all
Fig 6: Given the stricter regulations GDPR will impose around collecting consent for email marketing, do you expect social media to become a more important platform for your firm's marketing strategy after May 2018? (all five countries)
Photographs of people
A computer IP address
“We are receiving a wide range of requests for assistance in completing questionnaires and compliance forms from customers in relation to their GDPR status. These emanate from their accounting or legal firms or in some cases from their external suppliers. It is an area in which MSPs certainly play a part as in many cases we are a data processor for those clients.”
Edel Creely, Group Managing Director, Trilogy Technologies
It will lead to the biggest uplift in security and storage spending for years
Yes, very much so
Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural (i.e., living) person.
Its definition of personal data is more detailed than current data protection laws, making it clear that information such as an online identifier—e.g., an IP address—can be personal data. However, wherever you look, there is no definitive list of what does and doesn’t qualify under the new rules.
There were therefore technically no right or wrong answers when we asked both the channel (see figure 7) and UK end-user respondents (see figure 8) about their views.
That said, the responses demonstrate a high level of awareness of GDPR’s broadened scope.
Fig 8: What do you believe to be considered personal information under GDPR? (UK end users)
They will make an example of a few big firms, but most firms will be under its radar
To a limited extent – it is just one of many drivers for security and storage spending among customers
To a great extent
The vision of an IT sales industry ready to make hay from GDPR appears to be wide of the mark. The findings of this research demonstrate that IT suppliers neither feel fully ready for 25 May, 2018 themselves, nor fully confident about helping their customers get up to speed. They also see GDPR causing upheaval in both their marketing strategies and contracts with customers.
However, it is clear from the UK end-user research conducted in parallel with the five-country IT supplier study (see ‘end-user findings’ section), that a substantial minority of end users are looking for guidance on GDPR from their tech suppliers. GDPR may be primarily a legal issue, but technology has an enabling role to play. A quarter of end users questioned indicated they are looking for advice, as well as extra technology, from IT suppliers as they look to get up to speed.
In other words, these findings suggest that end users will require more technology guidance on GDPR than the channel is ready to provide at this juncture.
While GDPR may not be a cash cow, smart resellers, MSPs, and consultancies will step up to fill this void, thereby cementing their status as trusted advisors.
Yes, to a limited degree
Fig 3: How do you view GDPR generally in terms of the opportunities and challenges it represents for your business? (all five countries)
Not a huge sales opportunity, but a chance to cement relationships with customers
Fig 2: To what extent do you feel qualified to give customers technology advice around GDPR compliance? (all five countries)
It will have real teeth, and firms should ensure they are fully compliant from day one
Fig 7: What do you believe to be considered personal information under GDPR? (Channel)
We have completed our preparations and fully tested our compliance with GDPR
Are resellers and MSPs ready for GDPR?
Will GDPR have teeth?
We also asked respondents whether GDPR will force them to rewrite customer contracts and, again, the answer was overwhelmingly ‘yes’. In the UK, 64 per cent said it would to at least a limited extent, with the equivalent figures in Germany, France, Italy and the Netherlands standing at 56, 47, 59 and 71 per cent, respectively.
We have detailed plans, but have yet to put them into practice
Do resellers see GDPR as a sales opportunity?
When we asked to what extent they expected GDPR to boost security and storage spending among their customers, again respondents more often than not had fairly modest expectations (see figure 4).
Only a small minority of respondents in the UK, France, and Italy (four, two, and two per cent, respectively) replied ‘not at all’. In the Netherlands and Germany—a country known for its tough stance on data protection and data privacy—the proportion was slightly higher (nine and eight per cent, respectively).
In most countries, the most popular response was ‘to a limited extent’, with 46 per cent of UK and German, 44 per cent of French, 45 per cent of Italian and 28 per cent of Dutch respondents picking this option. When asked to break down where they expect spending increases to come, cloud storage, encryption and two-factor authentication were among the hotspots, alongside services such as risk assessments and network audits.
Probing deeper into one important aspect of the GDPR, we asked how easily respondents could remove their clients’ personal data.
Depending on the country, between a quarter and just over a half admitted it would be either ‘somewhat’ or ‘extremely’ difficult to fulfil this requirement as their business stands. In Germany, the figure was as high as 55 per cent, with the UK figure standing at 26 per cent.
From 25 May, 2018, any firm operating in the EU (or that handles the personal data of people who reside in the EU) will face fines of up to €20m, or four per cent of global turnover, if they fail to comply with the GDPR.
But with less than a year to go, just three per cent of UK IT leaders questioned in our end-user research said they had completed their preparations and fully tested their compliance with GDPR (see ‘end-user findings’ section for more).
Perhaps surprisingly, the figure is barely higher among the UK, German, French, Italian and Dutch IT suppliers questioned (see figure 1), many of whom will find themselves subject to the new rules not only as data controllers, but also as data processors. In the UK, just seven per cent of respondents said they had completed their preparations for GDPR. The results were similar for Germany (seven per cent), France (nine per cent), Italy (four per cent) and the Netherlands (11 per cent).
Key UK survey results
As the above quote demonstrates, there is a feeling among UK IT suppliers that GDPR is being over-hyped in Europe’s second-largest economy.
This may partly explain why GDPR is viewed as a bigger sales opportunity in the UK than elsewhere, with 39 per cent of respondents believing it will ‘significantly’ boost security and storage spending among their customers—more than any country, barring the Netherlands.
That said, very few UK IT suppliers feel they are in a position to take on the status of a trusted advisor around GDPR. Just eight per cent said they felt ‘fully qualified’ to give customers technology advice on becoming compliant, the joint least of any country, and only seven per cent have completed their own GDPR preparations.
“We’ve seen these feeding frenzies in the past and it doesn’t do anyone any credit… The challenges now come around some of the obligations to demonstrate compliance. I think we will take as much time reviewing what we’re doing and documenting what we are doing so we can communicate it better to our clients to help them meet their own obligations—renewed privacy policies, renewed contracts, etc.”
David McLeman, Ancoris
John-Paul Norman, Amicus ITS
Dan Sharp, Mirus IT Solutions
Edel Creely, Trilogy Technologies
More UK survey results
Netherlands survey results
More Dutch survey results
Ian Zein, Sentia
The Dutch wasted little time getting their ducks lined up for GDPR, publishing a proposal for a Dutch GDPR Implementation Act in December 2016. It will replace the Dutch Data Protection Act on 25 May, 2018.
Resellers and MSPs in the country appear to be just as organised. Some 11 per cent of Dutch respondents said they are fully compliant with GDPR, more than any other country, with a further 33 per cent on the road to becoming compliant. That said, only eight per cent said they felt fully qualified to give customers technology advice around GDPR, the joint lowest of any country.
Dutch IT suppliers were also the most optimistic about the impact GDPR will have on their order books, with 41 per cent predicting it will fuel a ‘significant’ boost in security and storage sales, and a further 23 per cent viewing GDPR as a ‘huge windfall’ for them.
“Are Dutch organisations ready [for GDPR]? Mentally they are not, but they will crack it. Once they go for it they will go for the complete full package.”
Ivo-Paul Tummers, Jibes
As the above comment indicates, Germany is known for its hard line on data privacy and protection, and some intriguing patterns emerge when looking at how German resellers and MSPs view GDPR compared with their peers across Europe.
By and large, German respondents feel they are further down the road to becoming GDPR-compliant themselves than their European counterparts (51 per cent said they are in the process of becoming compliant, higher than anywhere else). Perhaps in a reflection that German end users are also better prepared for GDPR than elsewhere, most German IT suppliers view GDPR as only a modest sales opportunity. Just 11 per cent of the 44 firms questioned characterised it as a ‘huge windfall’, less than all four other countries studied.
That said, most German MSPs feel they have a lot of work to get up to speed for 25 May.
Only ten per cent felt they were fully qualified to give their customers technology advice around GDPR. Meanwhile 55 per cent admit it would be either ‘somewhat’ or ‘extremely’ difficult for them to remove clients’ personal data, a core aspect of GDPR.
“I truly believe that Germany is in a different situation than most other European countries. Germany has for a long time had a culture of data protection... So in a way, European law is getting up to the standard of German law.”
Carl Muehlner, Managing Director, Central Region, Damovo
More German survey results
Kai Grunwitz, NTT Security
German survey results
Carl Muehlner, Damovo
Additionally, end-user respondents were quizzed on what aspects of GDPR they see as being hardest to comply with (see figure 4). The right to erasure emerged as the top option by far, with 61 per cent picking it out as a top concern.
Finally, we asked our end users about both the preparations they have made for GDPR so far, and how confident they are that their firm will be GDPR-compliant by 25 May, 2018 (see figures 6 and 7), as well as whether they think the new rules will have teeth (see figure 8).
Mirroring the findings of the previous question, when asked what changes they are or will be making to comply with GDPR, a quarter of respondents said they would be seeking third-party legal or technical help (see figure 2). Some 35 per cent also said they would be reviewing their partners’ use of personal data.
The findings of the end-user survey reinforce the impression that end users see GDPR as primarily a legal/governance issue. Many feel they won’t need any help from IT suppliers at all. That said, the majority will be calling on resellers to help them plug technology gaps at the very least, while a significant minority – roughly a quarter – will require deeper guidance, signalling a clear trusted advisor role for the channel.
Unsurprisingly, governance and compliance was cited as the central GDPR command hub by the highest number of respondents (49 per cent). The IT department was a distant second on 24 per cent (see figure 5).
Alongside the pan-European channel study, CRN also surveyed over 140 UK IT decision makers about their feelings towards GDPR, particularly in relation to what they are seeking from their IT suppliers.
It is often said that IT will play just an enabling role in GDPR compliance, and this sentiment was perhaps reflected in the modest part most end users expect IT suppliers to play in their GDPR plans.
More than a quarter said they will require no support at all from IT suppliers, either because they are already fully compliant, or because they feel they have it covered internally. The good news is that the majority do see at least a limited role for IT suppliers (see figure 1), with about a quarter seeking fairly deep involvement from them.
The top five technology areas IT leaders said they have dedicated, or will dedicate, additional investment to in order to become compliant were risk assessments (36 per cent), cloud/online backup and recovery (31 per cent), encryption (30 per cent), storage (29 per cent) and mobile device management (26 per cent) (see figure 3).
Resellers on whether GDPR is being over-hyped
This document is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR may apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance. SolarWinds MSP makes no warranty, express or implied, or assumes any legal liability or responsibility for the information contained herein, including the accuracy, completeness, or usefulness of any information.
© 2017 SolarWinds MSP UK Ltd. All rights reserved.
The GDPR detractors
Resellers on whether GDPR will boost sales
Resellers on whether the GDPR will have teeth
The GDPR fans
The driver for increased data security will be visibility of public cyberattacks. GDPR compliance will come second to this, but the two together give marketing advantages. Sales/commercial director, MSP
We see GDPR as an opportunity for organisations to streamline ambiguous processes using the right technology. Marketing director, cloud services provider
GDPR is good news for the digital market as it brings some order to what has been a data free-for-all. GDPR is simply part of digital growing up. C-level role, consultancy
Initially, it is about getting our house in order and making sure the policies and procedures are adopted through the workforce by undertaking proper training and education. For our customers, we want to be able to help them make good decisions around improving the accessibility of data in the event of a subject access or deletion request.
I think it is something that is necessary and needs to happen to protect the consumer. Aside from criminal investigation purposes, all have the right to know how their data is being held. Challenges will be for the marketing department, where we will need to verify information before we act upon any campaigns. Marketing executive, IT services
Resellers on whether their role will help clients comply with GDPR
My role is based around backup and DR software so I have seen the level of interest in the product increase in recent months and I believe this will continue. GDPR is of key interest and this will continue to grow before May next year. Sales/commercial director, distributor
It's proving a good commercial opportunity for us. I think the spike will come in the next three months. CEO/MD, consultancy
It’s still very unclear if this is going to be a channel changer for us in the VAR world, or more a new line of business for commercial insurance. Sales executive, reseller/VAR
If I was an IT buyer, I would probably be sick of people calling me about GDPR. Hence I doubt its usefulness as a new business tactic. Sales executive, reseller/VAR
It will force customers to look at security more seriously and will spike later this year, I would think before Christmas. Sales executive, reseller/VAR
Over-hyped; no boost to our sales, just something to manage internally. Sales executive, outsourcing firm
Everyone knows it’s a potential issue, but most are sceptical about it because of the ‘hype’ factor. Having been to events recently, most of the market believes there will be a period of grace. Marketing director/CMO, consultancy
I believe that the GDPR will be a game changer for personal data security. I believe that customers have, and will continue to become, more savvy about the personal data and if a company disregards the trusted position they are being put in as the custodian of personal data then they are going to be severely stung. Companies are starting to wake up to the issue, but there is definitely a challenge arising in getting companies to realize the enormity of the situation sooner rather than later. Senior manager, consultancy
Once the teeth that the legislator has become apparent, it will be taken more seriously. CFO, managed services provider
It's the next Y2K. Likely to be a colossal waste of time and money because the regulations won't be enforced in any meaningful way. Sales/commercial director, reseller/VAR
The openness to interpretation is cause for concern to us. Until some test cases set precedent, it will be difficult to claim any company is 100 per cent compliant. I’m tired of hearing about GDPR. Sales/commercial director, distributor
I’m tired of hearing about GDPR. C-level role, reseller/VAR
The industry is now dramatically over-hyping GDPR; it feels like Y2K all over again. Sales/commercial director, cloud services provider
It's the new 'AI'; everyone is appending a GDPR-compliant tag to their products, which is muddying the waters for everyone. C-level role, reseller/VAR
I do think GDPR has been over-hyped, but there is little to no information available to explain the process. I also feel the vendors are attempting to play up a scare tactics approach to customers. Is there a government grant available to SMB to comply with GDPR or will a fine suffice? Sales/commercial director, reseller/VAR
GDPR has not been covered enough in the media. A lot of people are still not aware of it and it will affect almost all companies in some form. C-level role, reseller/VAR
We asked IT suppliers across the five countries studied to (anonymously) give detailed written feedback on their thoughts on GDPR. Here are some of the highlights from UK respondents:
GDPR in your own words
We've seen a massive spike in information requests about GDPR this year and have produced extensive guidance for our industry. We've already seen an uptick in sales and have invested heavily in a platform solution to help our clients with things like consent management, RTBF requests, and the like. Internally our challenges are finding the time to finish our own compliance around all the work we're doing for our clients, but we'll get there. Operations director, full lifecycle solution supplier
Unfortunately, many ‘experts’ do not actually give an accurate/complete picture of GDPR scope and implications—much of our initial consultative role is to debunk inaccurate info that clients have taken as true. CEO/MD, MSP
Our business deals with personal data for certain clients so I think the biggest challenge for us will be collaborating with them to help them understand their own responsibilities when they are either controllers, processors or both. Communication around these issues will be key to maintaining good relations, confidence and indeed reputation of both parties. Planning and insight, MSP
It’s a very significant shift, and we have been briefed at a high level on the impacts. CEO/MD, consultancy