IT and Business Insights for SMB Solution Providers

Fast Track to GDPR

U.S. SMBs have their head in the sand when it comes to knowing how the EU’s data protection regulation may impact them. Here’s how MSPs can help. By Colleen Frye
Reader ROI: 
U.S. SMBs need to understand if and how the GDPR applies to them.
IT SERVICE PROVIDERS CAN HELP by asking customers if they do business in any EU countries or have employees living in the EU.
NEXT, DETERMINE what kind of data they collect, what they use it for, how long they hold it, and how they destroy it.
THEN MAP THE DATA FLOW and capture points and perform a data protection impact assessment.
HELP CUSTOMERS UNDERSTAND and weigh the risk and put appropriate controls in place.

THE DEADLINE for compliance with the European Union’s General Data Protection Regulation (GDPR) has come and gone, and odds are your SMB customers missed it.

Indeed, a month before May 25, when the law officially went into effect, industry association CompTIA Inc., of Downers Grove, Ill., found that just 13 percent of firms are fully compliant with GDPR. That same research found that a majority of surveyed businesses are unaware of the hefty fine they could get socked with for noncompliance.

Similarly, only 30 percent of SMBs understand GDPR or the implications of violating it, according to a ChannelPro reader survey conducted in May. Meanwhile, though 60 percent of readers say they understand GDPR, only 33 percent have designed and executed a GDPR compliance program for their customers.

“I would say most small and medium enterprises in the United States don’t know much about GDPR other than what they’re probably seeing from some of their service providers or some of their cloud providers,” says Sam Pfeifle, content director for the International Association of Privacy Professionals (IAPP), a nonprofit global information privacy community and resource based in Portsmouth, N.H.

Here’s a look at how to determine if GDPR applies to your customers, and how to get them into compliance ASAP if it does.

What Exactly Is GDPR?

GDPR gives EU citizens more control over their personal data. It includes the right to information about who is processing personal data; the right to access any personal data a business is holding; the right to request that incorrect, inaccurate, or incomplete personal data be corrected; and the right to request that personal data be erased when it’s no longer needed or if processing it is unlawful. In addition, GDPR requires businesses to report a breach of personal data within 72 hours.

“I would say most small and medium enterprises in the United States don’t know much about GDPR other than what they’re probably seeing from some of their service providers or some of their cloud providers.”


“That’s something most organizations are not prepared to do right now,” says Greg Sparrow, senior vice president and general manager of CompliancePoint Inc., a Duluth, Ga.-based security consulting and auditing company.

Any business that collects or handles personal data of EU citizens or directly markets to the EU falls within the scope of GDPR. The good news, though, is that GDPR is not like Y2K, in which “on this magic day, May 25th, you’re either compliant or forget about it, the world ends,” Pfeifle says.

Instead, it’s more of a cultural change, according to Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint, a provider of data classification and protection solutions in Jersey City, N.J. “It’s a change in the way that you do business, with regards to how you collect, create, use, share, end-of-life personal information,” she says.

Getting Started

The first step of that cultural change is to determine if GDPR applies to your customers, says Simberkoff, by asking these questions:

  • Do they have employees who live in the EU?
  • Do they provide goods and services to anyone living in the EU?
  • Do they collect data about people who live in the EU?

If the answer to any of the above is “yes,” the next step is to understand what data the customer processes. Start by asking these questions, IAPP’s Pfeifle suggests:

  • What kind of data do they collect?
  • Where do they hold it?
  • What do they use it for?
  • When do they destroy it?

About the Author

Colleen Frye's picture

Colleen Frye is ChannelPro's managing editor.

ChannelPro SMB Magazine

Get an edge on the competition

With each issue packed full of powerful news, reviews, analysis, and advice targeting IT channel professionals, ChannelPro-SMB will help you cultivate your SMB customers and run your business more profitably.