The EU’s General Data Protection Regulation affects anyone with a European footprint.
If you have European clientele, you had better be preparing for May 25, 2018, when the EU’s GDPR comes into effect. The GDPR is a set of standards for the collection, storage, and processing of personal data. While the US seems to be heading in the opposite direction, the EU has established specific rights that individuals hold over their personal data.
That means your business will be responsible for telling visitors what information you collect and how it is stored, and in many cases you will have to honor requests to have that information deleted (the right “to be forgotten,” as the regulation puts it). That’s just the tip of the iceberg, too.
That’s why we’ve conceived of this GDPR series, to help our readers prepare for a regulation that is going to have far-reaching effects. This week we’re starting with web hosts. Remember, just because you’re not a European company doesn’t mean you won’t have to comply with EU regulations. If you have any clients that reside in Europe, you’re going to need to follow these guidelines lest you face fines or other penalties.
We took the time to talk with James Slaby of Acronis International GmbH about what web hosts need to start doing to prepare for the incoming GDPR. He offered seven solid suggestions.
1.) Learn the Lingo
“You won’t get far without knowing what a data subject is, the newly-expansive definition of what comprises personal data, what the right to be forgotten means, and other GDPR jargon,” says Slaby. As with any new regulation, the first thing you need to do is familiarize yourself with the terminology, especially if your company is based outside the EU’s jurisdiction. The GDPR’s vocabulary is not what you would typically see in the US or elsewhere in the world.
2.) Figure Out Your Role
“Figure out your role in the GDPR taxonomy of data subjects, controllers, and processors, as your compliance requirements will vary according to where you fit,” says Slaby. “As a web hoster, there’s a good chance you are both a controller and an operator: learn what this means as a starting point.” Knowing which role (or roles) you occupy is the first step in determining your obligations, including what you must report and whom you must notify. Different roles carry different responsibilities, so make sure you know yours.
3.) Revisit Partner Contracts
“You are presumably using various third parties in your service delivery, e.g., cloud storage providers,” says Slaby. “Revisit your contracts and SLAs with them to ensure that they are GDPR-compliant, and renegotiate them or find new providers that can demonstrate compliance as necessary. Assume in the meantime that you may be held responsible for any breaches they suffer or other GDPR violations they commit that affect your customers’ personal data.”
4.) Perform a Data Audit
Slaby also suggests performing a full audit of your organization’s data collection and storage habits. “Take a detailed inventory of your customer data, as many things you have been tracking now come under GDPR scrutiny, and thus require that you protect them better, allow your customers to access/correct/delete them, etc. These include data like cookies, location data, and biometric information.”
5.) Step Up Your Security
“Step up your IT security game, as data breaches are much more serious under GDPR,” Slaby adds. “Work on improving your monitoring, threat mitigation, and incident response regimens. GDPR requires you to notify the authorities and potentially your customers very quickly after a data breach. You’re going to want to head off threats like ransomware attacks where you can, and ensure that incidents don’t happen without you knowing about them. Rehearse your team’s incident responses, too: don’t wait until the real thing happens to figure out if you’re prepared.”
6.) Pinpoint Where You’re Storing Your Data
The physical location where you store data matters under the GDPR, too. “Pinpoint exactly where you’re storing your customers’ data, as GDPR will either make you store it in a geographic region it considers safe (like EU countries and a short list of others), or make you jump through expensive hoops proving that your storage locations meet their standards,” says Slaby. “If your storage infrastructure and services don’t let you specify exactly where your data is being stored, upgrade it and/or move to service providers that can.”
7.) Get Qualified Legal Advice
Finally, and this is probably the best advice you can receive: don’t do this yourself. Make sure you get legal advice from experts who can guide you on the path to compliance. “Every vendor knows that the answer to your problems is what they’re selling,” says Slaby. “Don’t rely exclusively on them.”
Check out the rest of the Hashed Out GDPR Compliance Series
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices
- GDPR: When to report a Personal Data Breach