Should Web Hosting Companies Be Losing Sleep over GDPR?
The practice of gathering and storing client and customer information has become commonplace in today’s world of online companies and corporations. But with reports of massive data breaches growing unsettlingly frequent, the demands to protect sensitive data are more robust than ever before. From the 25th of May, 2018, these demands will, at least partially, be met by the Council of the European Union, with the launch of General Data Protection Regulation (GDPR).
The new regulation aims to consolidate and strengthen data protection for European citizens, and force large data managing companies and those online entities, who until now have managed to remain anonymous, to become more transparent.
Under the new GDPR, any company that processes the data of individuals who belong to the European Union is automatically categorized as a ‘data processor.’ And as web hosting companies such as Host4Geeks have direct access to their customers’ data, they too will be under obligation to abide by the strict new regulations.
How is the GDPR different from the DPD?
Sanctioned by the Council of the European Union, GDPR replaces the Data Protection Directive (DPD) from 1995: the council has set a transition period of two years for data processing companies to implement the new regulation.
The new regulation will prevent companies from using or sharing personal data of European citizens without first obtaining proper consent. Once given, that consent can be withdrawn at any time and for any reason. Europeans will also receive the so-called ‘Right to be Forgotten,’ meaning they can insist on the permanent deletion of their data should they decide to terminate their relationship with a company.
For non-compliance, companies face fines of up to €20 million, or 4% of global annual turnover, whichever is higher. Any breaches of information or data must be reported to the regulatory authorities within 72 hours.
GDPR and web hosting companies
On the whole, the GDPR is an enhanced version of the old DPD. Hosting companies should take proactive security measures to ensure their clients’ data is safe. This includes remote server hosting, storing decryption keys away from the database, and following best practices for the encryption and decryption of data.
Irrespective of location or country, if they are handling the data of a European citizen, web hosting companies must adhere to the guidelines laid down by the GDPR, or face the penalties. Hosting companies, like every other data processor, will be held accountable for any breach of data, as well as for the mishandling of stored information, including the anonymization of personal data.
It is still unclear if GDPR is going to have an impact on the economics of the web hosting industry in general. What is certain is that hosting companies will have to take the necessary precautions to safeguard customers’ personal data. This will include providing additional security measures such as stronger passwords, top-level encryption, firewalls, virus and intrusion monitoring, plus the use of pseudonyms.
Which kind of personal data is protected?
The new regulation protects basic information such as name, address, sexual orientation and ID numbers, plus data concerning IP address, location, cookies and RFID tags. Genetic, health, biometric, racial and ethnic data, along with political preferences, will all come under the GDPR umbrella.
What can hosting companies do right now?
A good place to start the compliance process is to carry out a thorough audit of all aspects of the web hosting business that deal with the personal data of European citizens. Hosting companies should classify these data sets and verify there are control mechanisms in place to ensure they are protected.
Web hosts will have to provide a risk assessment with regard to possible data theft, and this assessment should be revised and repeated to align with the terms and conditions of GDPR.
Companies with more than 250 employees that deal with citizens of the EU will automatically fall under the jurisdiction of the GDPR. These companies should appoint a dedicated Data Protection Officer, responsible for overseeing the company’s data protection strategy and for ensuring all GDPR requirements are met.
Employees will also have to be made aware of the new regulation, and proper training should be provided for staff members who have access to the personal data of customers and clients from the European Union.
4 steps hosting companies can take towards GDPR compliance
Run a risk assessment
Web hosting companies should know which kind of data they handle and process in relation to EU citizens. The risk assessment must outline measures to minimize all risks that may arise from the processing of this data.
Create a data protection plan
Web hosting companies must put a plan in place to report and track the levels and the processes involved in the security and safeguarding of the private and personal data they handle. The data protection plan is to be regularly updated to maintain its alignment with the terms and conditions of the requirements under GDPR.
Draft a GDPR statement
All data processors need to draft a statement that provides insight into the new GDPR for both prospects and existing customers. Such a statement must be crafted in plain and straightforward language that explains clearly the defining factors that make their service GDPR compliant.
One of the main goals of the General Data Protection Regulation is to create more transparency. It makes sense, then, for hosting companies to do the same. One of the best ways to apply GDPR within business processes is to contractually state that the company is GDPR compliant when new clients or customers sign up for services.
Terms and conditions of using the services must be clear and precise and explain the obligations that are to be met between the hosting company and the customer in order to satisfy the requirements for GDPR compliance.
Should web hosting companies be losing sleep over GDPR?
Probably not. Legitimate companies will already meet most or even all of the new regulations, and for those who don’t, following the steps above can make compliance relatively hassle-free. One rule of thumb: when you’re handling any kind of private data or information, treat it as if it were your own personal data. Problem solved.