There is no silver bullet when it comes to GDPR in the channel

03 Aug

Hannah Breeze 
Senior Research Analyst, IDC’s European Channels and Alliances program

The General Data Protection Regulations (GDPR) will be enforced from next May – and everyone in the technology industry is talking about it. So much so, the topic even took center stage at Microsoft Inspire – its massive annual global partner conference – earlier this month. (This was especially interesting as the company and the event are US-based, so this dispels any myth that it only applies to European companies.)

But unfortunately, the number of people talking about an issue does not always directly correlate with the level of understanding about it. GDPR is a complex topic, and the regulations themselves come in the form of a lengthy legal document. However, if you thought GDPR was confusing by itself, it can be even more so when considering it in the context of the channel.

My role at IDC is to focus on Channels and Alliances, but we have a huge resource dedicated to all things security, specifically GDPR. Our GDPR experts provide detailed coverage of the nitty-gritty details when it comes to the regulations, but in this blog, I wanted to bring it to life from a channel point of view. In its simplest and most basic form, the “data controller” is the data owner, for example, a bank, which owns data it collects from its customers: names and addresses, financial information, and so on. The bank determines the purpose and means by which the customer data is processed, making it a controller by definition. Any third-party processors of that data – a technology provider, for example – do so at the instruction of the controller, and become a “data processor”. Simple, right?

But if that third-party data processor (the technology firm, in this example) uses that data for other purposes – monitoring or optimization, for example – they too become a controller, because they are determining what happens to it. The crucial distinction here is that, in this scenario, the third party does not become the data controller instead of the first data controller (the bank), but as well as it. This concept is essential to understand when it comes to channels, because there are significantly more layers of complexity added on top of an already dense topic. The nature of the channel means that there are multiple companies involved in the provision of a technology solution to a customer. Hence, there are many companies which could have access to, or control over, a customer’s data.

A customer may work with one or two partners, which in turn could work with a distributor or two, and multiple vendors. The partner may even work with other channel firms in a partner-to-partner relationship, all on the same customer solution. So if the worst should happen and a breach occurs, there are many directions to which the finger of blame could point. This level of complexity has got the channel talking a lot over the last 12 months. Many companies are looking to position themselves as trusted advisors when it comes to GDPR, and many are re-packaging their solutions to speak directly to this challenge. And quite rightly so – customers need help.

But what is so important to stress is that there is not one silver bullet when it comes to GDPR. No single company can make a customer bulletproof, and no single customer can completely outsource all GDPR-related responsibilities to a third party. So what can you do? There are a number of steps which can be carried out by companies at all levels in the channel to ensure they are on top of the upcoming changes.

Advice for vendors

1) Gain genuine understanding into which parts of the channel have responsibility for what

2) Collect and retain evidence

3) Ensure your customers and partners know what you can and cannot provide

Advice for partners

1) Ensure you fully understand what your role is when it comes to customer data

2) Review customer contracts and retain documentation of having done so

3) Seek legal advice

Advice for customers

1) Accept that you’re responsible for your customer data

2) Fully audit customer data

3) Consider data minimization

For further reading, please check out our recent market perspective: The Impact of GDPR for Channel-Centric Vendors

For more information about IDC’s Channels & Alliances research, an overview of the program is provided here.
