MSP’s Journey Towards Privacy Compliance
Whether you are a managed service provider (“MSP”) or a managed security service provider (“MSSP”), you are likely collecting, storing, reviewing, using, or disclosing personal information from your client. MSSPs, in particular, have access to personal information when they engage in activities such as:
Monitoring for unauthorized access
Detecting/responding to data breaches
Monitoring for fraud/internal threats
Monitoring abnormal behaviour
Detecting phishing attacks
When engaging in these business-as-usual activities that are meant to protect your clients’ environment, MSSPs have access to a lot more personal information than they otherwise would, including but not limited to:
User credentials
Financial information
Contact information
Health information
Behavioural information/location information
Customer data/employee data
Communication
Audit logs
When collecting personal information, whether sensitive or not, about customers or employees, MSSPs have regulatory and contractual obligations to protect and responsibly use personal information while providing their services and, therefore, reduce their clients’ risk.
(1) Compliance with Privacy Legislation
To the surprise of many MSPs who have access to personal information, you need to be mindful of where that personal information originates. Many MSPs think that they only need to comply with the privacy legislation of the jurisdiction in which they provide their services. This is simply wrong. Privacy legislation such as the General Data Protection Regulation (“GDPR”) and Quebec’s Law 25 is extraterritorial, meaning that the law follows the data. As a result, MSPs may need to comply with privacy legislation outside the jurisdiction in which they provide services. Investigate with your clients where they collect personal information from and understand what your obligations are under the applicable legislation.
It is also important to understand what role you play in the relationship with your client, which may dictate your privacy obligations under the legislation. For example, are you a “processor” under the GDPR or a “joint controller”? If it is unclear what role you play and therefore what your obligations are, it should be made clear in the agreement with your client.
(2) Data Processing Agreements
In addition to the Services Agreement your client signs, they will likely expect you to sign a Data Processing Agreement, which defines your responsibilities when it comes to handling personal information. The following are a few key aspects you will want to scrutinize to ensure your obligations and liabilities are clearly defined and managed:
(a) Data Processing Details: Clearly define what data you will be processing and the purpose for each processing activity. Ensure that these activities explicitly align with your service offerings. (Hint: clients often get confused between privacy and security, so ensure they understand the difference and don’t extend yourself to doing privacy compliance work if you are not the expert at it). Understand and formalize in the agreement how you may use the information and for what purpose. Do NOT use the information for a secondary purpose without your client’s explicit consent.
(b) Roles and Responsibilities: As alluded to above, delineate whether you are a controller or processor. Identify what your responsibilities are depending on your role.
(c) Compliance with Regulations: Identify which privacy legislation applies to you and depending on the legislation, clearly define the technical and organizational security measures you will need to implement as required by applicable laws.
(d) Data Subject Rights: Identify how you will assist the client when the client responds to access, correction, or deletion requests from individuals (data subjects).
(e) Data Breaches: Define what a data breach is and the process and timelines for notifying clients in the event of a breach. Ensure these processes and timelines align with regulatory requirements.
(f) Data Security and Confidentiality: Specify the security standards you will adhere to (e.g., ISO 27001, NIST) and include practical confidentiality clauses.
(g) Data Transfers: Identify whether you are permitted to transfer personal information outside the client’s jurisdiction and if so, what additional safeguards you will need to implement to provide an extra layer of protection.
(h) Audit and Compliance: Determine if the client has the right to audit you and under what conditions and frequency.
(i) Termination and Data Return/Deletion: Outline the process for returning or deleting data upon termination of the agreement. Identify whether you have ongoing obligations after the termination, such as data retention policies.
(j) Indemnity and Liability: Understand the indemnity clauses, particularly those relating to data breaches and non-compliance with data protection laws. Ensure there are clear limitations on your liability, especially in relation to indirect or consequential damages.
(3) Accountability
Identify who within your company is accountable for privacy compliance. Designate a Privacy Officer or outsource the position to a privacy consultant if there is no need for a full-time position. Ensure the Privacy Officer develops a Privacy Program for your company, including policies and procedures, and monitors and enforces the Program.
(4) Data Mapping and Inventory
Identify what personal information you are collecting for each client and record where the data is stored. This will assist you in fulfilling your obligations to the clients, such as assisting them with requests for access, correction, or deletion of information, and in determining whether a data transfer is necessary. It will also allow you to identify where your highest privacy-related risks are.
(5) Data Minimization
While it is easy to collect personal information that is available to you, that does not mean you should – unless you have a high risk tolerance. For example, just because you may have access to employee personal information or detailed audit logs, determine what information is necessary for the purpose you are trying to achieve, or whether certain criteria must be met before you access those logs. Collecting more than you need not only goes against the data minimization principle in privacy regulations but also puts your company at risk in the event of a privacy breach or a privacy complaint by a disgruntled individual.
Also, be mindful of data access control and how much personal information any one of your employees should have access to for the activity they are performing.
(6) Vendor/Sub-Processor Due Diligence
Your Data Processing Agreement will likely have a clause that extends your obligations under the agreement to your vendors/sub-processors. You will need to conduct your due diligence to ensure they have proper data protection controls in place, and that you limit the purposes for which they can process personal information. Be mindful of your obligations to inform your clients of the sub-processors you are engaging and to give them the opportunity to object to the use of those sub-processor(s).
(7) Privacy Breach Response
While you must report a breach to your client as part of your contractual obligation, as outlined above, be mindful of whether your breach involves personal information, in which case you will not only have a security breach on your hands but also a potential privacy breach. Your clients will have reporting obligations and must meet regulatory timelines. It will be imperative for you to understand when a breach is a “privacy” breach and have an open line of communication with your client’s Privacy Officer. When developing your breach response plan, ensure you also develop a breach playbook for privacy.
(8) Privacy Training
Your employees are your biggest liability. As an MSSP, your employees have a specialty in security, not necessarily in privacy. You must ensure your staff are properly trained on their privacy responsibilities. Training should include an overview of those responsibilities as well as a review of your internal Privacy Program, including your privacy policies and procedures. Staff should also know when a Privacy Impact Assessment should be conducted.
By fostering an employee privacy mindset, you not only protect your business but also develop employees who are more knowledgeable and can readily identify privacy risks for your clients. This creates a value-add for your clients, who will be grateful that you identified a risk for them. For example, after identifying the various ways a client is monitoring its employees, your employees may remind the client that it needs an Employee Electronic Monitoring Policy.
Finally, since privacy and security frequently overlap, yet still very much have distinct roles to play, identify where privacy expertise is required, either internally within your own business or externally, for your clients. Work closely with the Privacy Officer or privacy professionals to add value to the services you provide. Wherever possible, take an integrative approach to privacy and security.