7 Tips For Web Hosts Preparing for the GDPR
The EU’s General Data Protection Regulation affects anyone with a European footprint.
If you have European clientele, you had better be preparing for May 15, when the EU’s GDPR comes into effect. The GDPR is a set of standards for the collection, storage, and processing of personal data. While the US seems to be going in the opposite direction, the EU has established certain rights that an individual has with regard to their personal data.
That means that your business will now be responsible for notifying visitors what information you’re collecting and how it’s being stored, and in many cases you have to allow those individuals the right to have their information deleted, or “to be forgotten,” as the language goes. That’s just the tip of the iceberg, too.
That’s why we’ve conceived of this GDPR series, to help our readers prepare for a regulation that is going to have far-reaching effects. This week we’re starting with web hosts. Remember, just because you’re not a European company doesn’t mean you won’t have to comply with EU regulations. If you have any clients that reside in Europe, you’re going to need to follow these guidelines lest you face fines or other penalties.
We took the time to talk with James Slaby of Acronis, an international GmbH, about what web hosts need to start doing to prepare for the incoming GDPR; he offered seven solid suggestions.
1.) Learn the Lingo
“You won’t get far without knowing what a data subject is, the newly-expansive definition of what comprises personal data, what the right to be forgotten means, and other GDPR jargon,” says Slaby. As with any new regulation, the first thing you’re going to need to do is familiarize yourself with the language being used, especially if you’re not based in a country within the EU’s jurisdiction. The language of the GDPR is not what you would typically see in the US or other parts of the world.
2.) Figure Out Your Role
“Figure out your role in the GDPR taxonomy of data subjects, controllers, and processors, as your compliance requirements will vary according to where you fit,” says Slaby. “As a web hoster, there’s a good chance you are both a controller and an operator: learn what this means as a starting point.” Learning what role you play is the first step in determining what actions you have to take in terms of both reporting and notifications. Different roles have different responsibilities. Make sure you know yours.
3.) Revisit Partner Contracts
“You are presumably using various third parties in your service delivery, e.g., cloud storage providers,” says Slaby. “Revisit your contracts and SLAs with them to ensure that they are GDPR-compliant, and renegotiate them or find new providers that can demonstrate compliance as necessary. Assume in the meantime that you may be held responsible for any breaches they suffer or other GDPR violations they commit that affect your customers’ personal data.”
4.) Perform a Data Audit
Slaby also suggests performing a full audit of your organization’s data collection and storage habits. “Take a detailed inventory of your customer data, as many things you have been tracking now come under GDPR scrutiny, and thus require that you protect them better, allow your customers to access/correct/delete them, etc. These include data like cookies, location data, and biometric information.”
5.) Step Up Your Security
“Step up your IT security game, as data breaches are much more serious under GDPR,” Slaby adds. “Work on improving your monitoring, threat mitigation, and incident response regimens. GDPR requires you to notify the authorities and potentially your customers very quickly after a data breach. You’re going to want to head off threats like ransomware attacks where you can, and ensure that incidents don’t happen without you knowing about them. Rehearse your team’s incident responses, too: don’t wait until the real thing happens to figure out if you’re prepared.”
6.) Pinpoint Where You’re Storing Your Data
The physical location that you’re storing data matters under the GDPR, too. “Pinpoint exactly where you’re storing your customers’ data, as GDPR will either make you store it in a geographic region it considers safe (like EU countries and a short list of others), or make you jump through expensive hoops proving that your storage locations meet their standards,” says Slaby. “If your storage infrastructure and services don’t let you specify exactly where your data is being stored, upgrade it and/or move to service providers that can.”
7.) Get Qualified Legal Advice
Finally, and this is probably the best advice you can receive: don’t do this yourself. Make sure that you’ve got legal advice from experts who can help guide you on the path to compliance. “Every vendor knows that the answer to your problems is what they’re selling,” says Slaby. “Don’t rely exclusively on them.”
Check out the rest of the Hashed Out GDPR Compliance Series
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices
- GDPR: When to report a Personal Data Breach