In a managed service model, who is responsible and accountable for data?


Compliance is part and parcel of data management, but when it comes to outsourcing this function to a Managed Service Provider (MSP), there is often debate around who is responsible for the data should something happen. However, whether the agreement places this responsibility on the MSP or the client, the question nobody asks is who is accountable. While responsibility may be shared or may fall with one party or the other depending on contractual arrangements, the accountability for data always remains with the business that is generating it, and this changes the entire picture.

Responsibility versus accountability

Simply put, responsibility can be defined as a duty to carry out a task. In this case, when data management is outsourced to an MSP, the responsibility for the MSP is to fulfil the task that they are contracted to do – managing data in line with compliance requirements. This does not absolve a business of responsibility for their own data, however, as they have a duty to ensure that they have processes in place and follow these processes to ensure their data can be managed in a compliant manner.

On the other hand, accountability speaks to the consequences of action, for example, who is going to pay the fine should there be a breach of compliance legislation. The answer is that this always falls to the business. No matter who is responsible for managing data, the data belongs to the business, and they will be the ones held to account if something goes wrong.

IT is not the solution

When it comes to ensuring compliance, since accountability always lies with the business, it is essential to ensure that the MSP is compliant before outsourcing any data management functions. However, before this can be done, it is essential to establish what exactly it is that needs to be complied with, which is often the most difficult question, with a myriad of regulations and legislation being applicable depending on the sector and regions the business operates in. There are two pillars to consider when engaging with an MSP in regards responsibility for data management, one being the data availability and recovery, and the second, the retention of data, however the requirements for compliance, and ultimately accountability, in each will depend on the individual business.

This means that before your data can be deemed compliant, you need to understand what that means for your business and have a framework in place that outlines this. Working with the MSP to achieve this is essential, but at the end of the day, compliance needs to be driven by the business. Technology can be a highly effective enabler of compliance, but compliance is not an IT problem, and you cannot outsource a compliance function without the understanding of what the requirements look like for your business.

Data considerations

Data insight is a crucial area of compliance because not all data is created equal and therefore not all data requires the same level of protection. Understanding what types of data you have and how to treat it remains one of the biggest challenges for compliance. It becomes incredibly complex, which is why responsibility has become a grey area around outsourcing and managed services. The service provider is responsible for delivering services in a compliant and responsible manner. However, should there be a data leak or a breach, no matter where the responsibility lies, the business will suffer the consequences and is therefore always accountable.

When it comes to compliance, there is no singular approach that will work for every business, and no off-the-shelf solution that can be implemented to solve compliance challenges. Working with an MSP, however, can help businesses to better understand their data needs and embark on the journey toward compliance. It is essential to ensure that service providers are compliant, responsible and can support you, with the understanding that business, being the accountable party for data and compliance, should always be the driver of compliance, while IT functions as the enabler.