Compliance is a key part of most businesses, but not all organizations can afford a full-time compliance expert. In fact, 34 percent of businesses outsource at least part of their compliance needs. Because of this growing need, many managed services providers (MSPs) are considering the addition of compliance-as-a-service (CaaS) to their current offerings. But what do MSPs need to know to offer this effectively?
Which Compliance Regulations Apply?
If you’re planning to offer compliance services to your customers, you need to know which compliance requirements apply to them. Different industries have different rules they have to follow, but here are some of the most common you’ll run into.
The General Data Protection Regulation (GDPR) applies to any organization based in Europe, as well as any organization that collects data on European citizens. GDPR protects data privacy and sets rules on how businesses can collect and store personal data. It’s also the strictest data protection law currently in force, so if you’re well-versed in GDPR, you’ll be able to comply with almost any other privacy law your clients are subject to.
The Payment Card Industry Data Security Standard (PCI DSS) regulates businesses that handle credit card information. It requires businesses to protect cardholder data and regularly test the security of their networks to prevent credit card fraud. Managed security service providers (MSSPs) should take special notice of this regulation.
The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare providers, insurance companies, and other organizations that handle personal medical data. It mandates the protection of healthcare data and prohibits the sharing of medical information without the patient’s consent.
The Personal Information Protection Law (PIPL) is similar to GDPR, but it applies to businesses that are in or handle the information of citizens of China. If your business is already set up to handle GDPR compliance, you’ll likely be able to handle PIPL easily.
The California Consumer Privacy Act (CCPA) provides privacy protections for residents of California, meaning it applies to any business that handles their personal information. However, it’s less strict than GDPR, so like PIPL, if you’re already familiar with GDPR regulations, you can likely add CCPA compliance services to your offerings with little fuss.
Other Common Compliance Regulations
While the above regulations apply fairly generally across industries, with the possible exception of HIPAA, some businesses have to contend with industry-specific compliance regulations, which you might run into if you have several customers in those industries. Some examples of niche compliance laws include:
- Occupational Safety and Health Administration (OSHA) – healthcare
- The Sarbanes-Oxley Act (SOX) – publicly traded companies
- The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) – utility companies
- The Bank Secrecy Act (BSA) – financial institutions
Financial institutions, in particular, have a long list of regulations they have to follow, so MSPs working with customers in specific industries should get a full list of the regulations their clients are subject to.
Do You Need Compliance Certification?
While you likely don’t have to hold a compliance certification to offer services for most industries, clients may be wary of hiring you for their compliance needs if you aren’t certified. Some of the rules in compliance are tricky, and businesses want to know that if they’re outsourcing the work, it will be handled correctly. A certification gives them that peace of mind.
If you want to pursue certifications for compliance, here are a few to consider:
- Certified in Healthcare Compliance (CHC)
- Certified Compliance & Ethics Professional (CCEP)
- Certified Regulatory Compliance Manager (CRCM)
- Certified Information Privacy Professional (CIPP)
However, each industry seems to have its own set of compliance certifications, so if you do a lot of work in a specific industry, you’ll want to look for those certifications.
What Information & Access Do You Need From Clients?
The first thing you’ll need to find out from your clients is which regulations they’re subject to. This will then determine what access you need. At minimum, however, you’re going to need access to the client’s network and any security tools they’re currently using. You’ll need full visibility into the client’s technical environment so you can install any necessary patches, identify vulnerabilities, and solve issues faster.
Additionally, you’ll need to understand your client’s current compliance capabilities in order to provide a service-level agreement (SLA). This way, you’ll know what the client is already handling well, so you can fill in the gaps. If your client is just starting out or doesn’t yet have any compliance management policies in place, you’ll need to outline clearly what you’ll handle and what they need to do on their end. Work with the client to find out what they feel comfortable with and how much they want to outsource.
What Software Do You Need?
Some clients may have their own compliance and security software in place, but some may also expect you to provide it. Consider adding the following types of software to your tech stack:
- Compliance management software
- Business continuity or disaster recovery software
- Risk management software
- Remote monitoring & management (RMM) software
While not an exhaustive list, these types of software can help you get started with your compliance services. A big part of GDPR compliance is simply having reasonable security controls in place in case of a breach. With these tools, you’ll be able to remotely view and fix issues on your clients’ networks, identify any vulnerabilities or unnecessary risks they’re taking, and store backups in case of a natural disaster or ransomware attack. As you learn more about your clients’ compliance needs, you’ll likely find other types of software that will help make the process easier.
Adding Compliance Services Can Give You an Edge
If you’re having trouble breaking into an industry where you’d like to do business, adding compliance services may give you the edge you need. Manufacturing, financial services, healthcare, and government entities, just to name a few, all have specific regulations they have to follow, and there simply aren’t enough qualified compliance specialists available to serve them all. Instead, these organizations are turning to MSPs to fulfill this need, which could, in turn, set you up for major success.