IT MSPs routinely access client systems containing vast quantities of personal data. This creates direct GDPR obligations — not just contractual ones.
MSPs as Data Processors
An MSP acts as a processor whenever it provides services such as remote monitoring and management (RMM), email management, backup and disaster recovery, helpdesk, cloud infrastructure management, endpoint security, or data centre colocation.
Data Processing Agreements
Article 28 of the UK GDPR requires a written data processing agreement (DPA) for every client relationship that involves personal data. The DPA must cover:
- Processing instructions and limitations
- Confidentiality obligations on all MSP staff
- Technical and organisational security measures
- Sub-processor approval and notification
- Breach notification timelines
- Data deletion or return at contract end
- Audit rights
Sub-Processors
MSPs need the client's authorisation before engaging any sub-processor (RMM platforms, professional services automation (PSA) tools, backup vendors, security vendors). The MSP remains fully liable to the client for its sub-processors' actions.
Remote Access Security
Article 32 requires technical and organisational measures appropriate to the risk. For remote access to client systems, that means:
- MFA on all remote access — single-factor is no longer appropriate
- Privileged Access Management (PAM) with session recording
- Comprehensive audit logs of all remote sessions
- Encrypted connections only — no exposed RDP
- Segregated access per client and per technician role
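The controls above are only useful if someone checks that every session actually met them. The following is an added example, not code from the original guide or from any RMM or PAM vendor: it parses constructed remote-session log lines and reports each session that fails one of the listed controls (missing MFA, a transport outside an encrypted tunnel, a technician reaching a client they are not assigned to, or a session that was not recorded). The log format, the protocol labels and the technician-to-client assignment table are all assumptions made for the example.

```python
"""Added example (not part of the original guide): audit constructed remote
session records against the Article 32 controls listed above.  The log
format, protocol labels and technician-to-client assignments are assumed,
not any RMM or PAM product's real schema."""
import re
from dataclasses import dataclass

# Constructed sample of what a remote-access gateway might log per session.
SESSION_LOG = """\
2024-05-01T09:12:03Z session=1 tech=tech.alice client=client-a mfa=yes proto=ssh recorded=yes
2024-05-01T09:40:17Z session=2 tech=tech.alice client=client-c mfa=yes proto=ssh recorded=yes
2024-05-01T10:05:44Z session=3 tech=tech.bob client=client-c mfa=no proto=rdp-vpn recorded=yes
2024-05-01T11:30:02Z session=4 tech=tech.bob client=client-c mfa=yes proto=rdp recorded=no
"""

# Assumed labels for transports that run inside an encrypted tunnel.
# Bare "rdp" is deliberately absent: exposed RDP fails the control.
ENCRYPTED_PROTOCOLS = {"ssh", "rdp-vpn", "https"}

# Constructed access matrix: which technician may reach which client.
ASSIGNMENTS = {
    "tech.alice": {"client-a", "client-b"},
    "tech.bob": {"client-c"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass
class Session:
    id: int
    timestamp: str
    technician: str
    client: str
    mfa: bool
    protocol: str
    recorded: bool


def parse_session(line):
    """Parse one 'timestamp key=value ...' line into a Session."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    kv = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return Session(
        id=int(kv["session"]),
        timestamp=m.group("ts"),
        technician=kv["tech"],
        client=kv["client"],
        mfa=kv["mfa"] == "yes",
        protocol=kv["proto"],
        recorded=kv["recorded"] == "yes",
    )


def audit_session(s, assignments=ASSIGNMENTS):
    """Return the list of controls this session fails (empty means compliant)."""
    findings = []
    if not s.mfa:
        findings.append("no MFA")
    if s.protocol not in ENCRYPTED_PROTOCOLS:
        findings.append(f"unencrypted or exposed transport: {s.protocol}")
    if s.client not in assignments.get(s.technician, set()):
        findings.append("technician not assigned to this client")
    if not s.recorded:
        findings.append("session not recorded")
    return findings


def audit_log(text, assignments=ASSIGNMENTS):
    """Map session id -> findings for every non-compliant session in the log."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        s = parse_session(line)
        findings = audit_session(s, assignments)
        if findings:
            report[s.id] = findings
    return report


if __name__ == "__main__":
    for sid, findings in audit_log(SESSION_LOG).items():
        print(f"session {sid}: " + "; ".join(findings))
```

Run against the sample log, session 1 passes and sessions 2, 3 and 4 are each reported with the specific control they failed. In a real deployment the assignment table would come from the PSA or identity system rather than a literal, and the report would feed the audit evidence the DPA's audit-rights clause entitles the client to see.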
Breach Notification
As a processor, notify the client (the controller) without undue delay after becoming aware of a breach; in practice, within 24 hours. The client then has 72 hours to report to the ICO.
End-of-Contract Deletion
Client data must be returned or deleted at contract end. Issue a deletion certificate, confirm that sub-processors have also deleted their copies, and document which backups still contain client data.
This guide was produced by Custodia — AI-powered GDPR compliance for small businesses.