The General Data Protection Regulation (GDPR), which took effect on May 25, 2018, is a privacy regulation aimed at protecting the personal data of EU residents. The GDPR defines personally identifiable information (PII) as any data that can be used to identify an individual, either alone or in combination with other data. If an organization gathers personal data from EU residents, it must comply with the GDPR regardless of where it is located.
In this context, MSPs are likewise subject to the GDPR because they collect, store, and handle PII. Personal information that MSPs deal with on a regular basis includes:
- Names, residential addresses, phone numbers, and email addresses of customers and staff members.
- Staff information, including current role, department, and employment history.
- Account, incident, service request, problem, and change records containing users' names, designations, seating locations, etc.
- Identifiable information about devices issued to staff, like IMEI numbers for mobile phones.
- Details about technology support provided to customers or staff, for example information on any assistive technology (e.g. screen readers, speech-to-text software) used by differently-abled employees.