Microsoft partners—and every tech business—should provide strong privacy protections for their customers. It’s the right thing to do, it’s required by laws and regulations, and it’s good for your business.
U.S. tech companies and customers alike would benefit from a single, unified federal data privacy law. But in the absence of that law, we’ll benefit if state laws are closely compatible with each other and with the Europe Union’s General Data Protection Regulation (GDPR).
My company, Queue Associates, has invested substantial time, energy, and money to become privacy compliant everywhere we do business. We’re confident we’ve made worthwhile investments—and I want to encourage every Microsoft partner to make a similar commitment to privacy compliance.
Recognizing the Risks of Non-Compliance
Queue Associates is an international business, with offices in the UK and Hong Kong—in addition to Phoenix, Atlanta, and the New York metropolitan area. We became aware of the need to make privacy compliance part of our ongoing operations when the EU implemented the GDPR in 2018.
The GDPR includes stringent directives, not just guidance. If your business fails to comply, it can face severe fines. Last year, British Airways was fined £20 million ($26 million) by the UK’s Information Commissioner’s Office (ICO) for violating the GDPR—and the fine could’ve been as large as £183 million.
The threat of fines by itself was a strong motivation to meet compliance requirements. We also began to see RFPs requiring strict compliance with the GDPR related to data privacy. Increasingly, if you want to compete for business in Europe, you have to demonstrate privacy compliance. I expect this requirement will become more common in U.S. RFPs as well.
Turning to Privacy Experts
Queue is committed to digital privacy compliance, but we’re not privacy experts. It made sense for us to seek outside help, so we contracted with a company called, The Data Privacy Group (DPG). When we first hired DPG, they conducted an audit of our websites and other technology. We were shocked to learn the extent to which we were out of compliance—even though we had not neglected privacy or security. But now we knew what we had to do to meet compliance requirements—in all the places where we do business.
Just as DPG scanned our websites to find compliance lapses, privacy regulators regularly scan websites. They first check for cookie compliance and privacy notices. If you fail to meet base-level compliance requirements in an automated scan, someone may dig deeper. DPG helped us update cookie and privacy notices, and we now utilize DPG and their OneTrust platform to maintain compliance and manage customer requests to review, update, and delete data. We are now also ISO 27001 certified for meeting international standards on information security.
Peter Borner from DPG also conducts annual privacy compliance training with all of our employees and serves as our designated Data Protection Officer (DPO), as required by the GDPR. All told, for software licensing, services, and training, Queue Associates spent about $50,000 for the first year with DPG to become compliant. This is money well spent. It makes us compliant, it makes us competitive, and it provides peace of mind. We also utilize LastPass to strengthen password protections and Microsoft InTune to manage the security of our desktops, laptops, and mobile devices.
Putting Customers First
During the COVID-19 pandemic—with many employees working from home—businesses took a harder look at the security and privacy of their technology and their MSPs. Throughout 2020, our customers increasingly asked us about our privacy and security, and required Queue to produce privacy notices. Because we’ve been proactive on this front, we’re able to demonstrate our compliance and show that we’re looking out for our customers.
I would encourage every Microsoft partner to stay ahead of the curve on privacy and security. You’ll not only protect your business, but also build trust and enhance your reputation with your clients.
Tech professionals can also act as trusted advisors and thought leaders on behalf of our customers by advocating for sensible privacy policies in the halls of government. Our industry and customers together will be best served by a balanced, unified policy approach that protects data privacy without overburdening businesses or undermining innovation.
Jeffrey Goldstein is Managing Director of Queue Associates, a Microsoft Gold Certified Partner specializing in Dynamics 365. Jeff is also past President of the International Association of Microsoft Channel Partners (IAMCP)—Americas, an active VFI advocate, and an alumnus of VFI’s Advisory Task Force.