What is GDPR and How Does it Affect Web Hosting Companies? As online activity and the storage of personal data grow, so does the demand to protect individuals' sensitive data from misuse. A string of large data breaches, and the sheer volume of data handled by big-data companies, pushed the EU to tighten its data protection rules. The General Data Protection Regulation (GDPR), adopted by the European Parliament and the Council of the European Union, is the answer to those demands: it strengthens and unifies data protection for all individuals in the European Union (EU).

Under the GDPR, any company that processes the personal data of individuals in the EU is either a data controller (it decides why and how the data is processed) or a data processor (it processes the data on a controller's behalf). Web hosting companies hold, and can access, their clients' personal data, so they fall squarely within the regulation and must meet its requirements.

The GDPR was adopted on 27 April 2016 and becomes enforceable on 25 May 2018. It supersedes the 1995 Data Protection Directive (DPD), Directive 95/46/EC, and, being a regulation rather than a directive, applies directly in every member state without national implementing legislation. The two-year transition period gives enterprises time to move from the current data protection regime to the more transparent GDPR.

What’s New?

What sets the new rules apart from the DPD is that an enterprise may only use or share an EU individual's personal data when it has a lawful basis for doing so, consent being the most prominent; consent must be freely given, specific and informed, and an individual can withdraw it at any time. Individuals also gain the 'right to be forgotten' (formally the right to erasure): a customer who leaves an enterprise can require that the personal data they shared be permanently deleted, unless the enterprise has an overriding legal reason to keep it.

Enterprises must comply with the GDPR: fines for non-compliance are heavy and can reach 4% of global annual turnover or €20 million, whichever is higher. In case of a personal data breach, a company must notify the supervisory authority within 72 hours of becoming aware of it.

The main aim of the GDPR is to protect individuals' personal data from harm. As the UK's Information Commissioner's Office (ICO) has pointed out on its blog, the regulator's goal is not to hit companies with heavy fines but to safeguard personal data.

The ICO has also published a checklist of 12 steps companies should take to prepare for the GDPR.



According to the checklist, the GDPR includes the following rights for individuals:

the right to be informed;

the right of access;

the right to rectification;

the right to erasure;

the right to restrict processing;

the right to data portability;

the right to object;

the right not to be subject to automated decision-making including profiling.

Concerns that need diligence from Web Hosting Companies

As a whole, the GDPR resembles the DPD, but with significant enhancements. For web hosting companies the practical meaning is that there must be no room left for WHMCS-style breaches (WHMCS being the billing and automation platform many hosts run).

Hosting companies must put proper security measures in place to protect client data. This includes physically securing the servers that hold the data, storing decryption keys away from the database that holds the encrypted data (so that a dump of the database alone yields nothing readable), and using standard, well-reviewed encryption rather than home-grown schemes.

Web hosting companies, wherever they are located, must follow the GDPR if they handle the data of individuals in the EU; it is the individual's presence in the EU, not citizenship, that matters.

Data processors, hosting companies included, are accountable for data breaches, and large fines can be imposed for mishandling data. Hosting companies should also pseudonymize or anonymize personal data wherever they can, and be especially careful when data is processed or stored outside the EU, since such transfers are only permitted with adequate safeguards.

On a side note, the cost of web hosting may rise, since hosting companies have to take all the necessary precautions to safeguard personal data. That means additional security measures such as firewalls, malware monitoring, strong passwords, intrusion detection, access control, pseudonymization and strong encryption.
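Two of the controls this section keeps coming back to, pseudonymizing personal data and keeping the key that protects it out of the data store, can be shown on data a host handles all day: web-server access logs. The Python example below is added here and is not code from the article or from any hosting platform. It assumes Apache/nginx "combined" log format, uses HMAC-SHA256 as the pseudonym function, and assumes the key is fetched from an environment variable named PSEUDONYM_KEY_<id> (an invented convention standing in for whatever key store the host uses) rather than being written next to the logs. The sample log lines are constructed, not real traffic.

```python
"""Pseudonymize personal data in access logs before they are archived or
shipped outside the EU.  Added example; not the article's or any vendor's code.

Design:
  * Client IP, authenticated user and any e-mail address in the request or
    referer are replaced by a keyed hash (HMAC-SHA256).  The same visitor
    maps to the same token, so per-visitor statistics still work, but the
    token cannot be reversed or recomputed without the key.
  * The key lives outside the log store (assumed: env var PSEUDONYM_KEY_<id>)
    and every token carries the key id, so keys can be rotated and an old key
    can be destroyed to make the tokens derived from it unlinkable.
"""
import hashlib
import hmac
import os
import re
import secrets
from typing import Mapping, Optional

# Apache/nginx "combined" format.  Only fields that can carry personal data
# are rewritten; the rest of the line is reproduced as-is.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)(?P<rest>.*)$'
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def load_key(key_id: str, env: Optional[Mapping[str, str]] = None) -> bytes:
    """Fetch the pseudonymization key from somewhere that is NOT the log store.
    Assumed convention: PSEUDONYM_KEY_<key_id> holds 32 random bytes as hex,
    generated once with secrets.token_hex(32).  `env` is injectable for tests."""
    env = os.environ if env is None else env
    value = env.get(f"PSEUDONYM_KEY_{key_id}")
    if value is None:
        raise RuntimeError(f"no key for id {key_id!r}; generate one with secrets.token_hex(32)")
    key = bytes.fromhex(value)
    if len(key) < 32:
        raise ValueError("pseudonymization key must be at least 32 bytes")
    return key


def pseudonym(value: str, key: bytes, key_id: str, length: int = 16) -> str:
    """Keyed hash of one identifier, prefixed with the key id for rotation.
    A plain SHA-256 would not do for IP addresses: the whole IPv4 space can be
    hashed and matched against the 'pseudonyms' in minutes."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{key_id}:{digest[:length]}"


def pseudonymize_line(line: str, key: bytes, key_id: str) -> str:
    """Rewrite one combined-format line.  Lines that do not parse are returned
    unchanged rather than dropped, so a format change is noticed, not hidden."""
    m = LOG_RE.match(line)
    if m is None:
        return line
    f = m.groupdict()
    f["ip"] = pseudonym(f["ip"], key, key_id)
    if f["user"] != "-":                      # authenticated username is personal data too
        f["user"] = pseudonym(f["user"], key, key_id)
    # e-mail addresses that leak into query strings or referers
    # (URL-encoded forms such as %40 would need decoding first; not handled here)
    for field in ("request", "rest"):
        f[field] = EMAIL_RE.sub(lambda mm: pseudonym(mm.group(0).lower(), key, key_id), f[field])
    return (f'{f["ip"]} {f["ident"]} {f["user"]} [{f["time"]}] '
            f'"{f["request"]}" {f["status"]} {f["size"]}{f["rest"]}')


def pseudonymize_log(lines, key: bytes, key_id: str):
    return [pseudonymize_line(line, key, key_id) for line in lines]


# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - alice [25/May/2018:09:12:01 +0000] "GET /account?email=alice@example.org HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/May/2018:09:12:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/May/2018:09:13:44 +0000] "POST /login HTTP/1.1" 302 0 "https://example.org/" "curl/7.58.0"',
]

if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)        # in production: load_key("k1")
    for out in pseudonymize_log(SAMPLE_LOG, demo_key, "k1"):
        print(out)
```

The two requests from 203.0.113.7 come out with the same token, so traffic analysis per visitor still works, while the archived log on its own no longer identifies anyone. Because every token names the key that produced it, rotating to a new key id and destroying the old one is a cheap way to make an old archive unlinkable, which is worth remembering when erasure requests reach data that is otherwise awkward to edit.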



What kind of personal information is protected under GDPR?

Under the regulation, basic identity information such as name, address and ID numbers must be protected. So must web data such as location, IP addresses, cookie identifiers and RFID tags, since they can single out an individual. Special categories of data get even stricter treatment: health and genetic data, biometric data, racial or ethnic origin, political opinions and sexual orientation.

How to be GDPR Compliant?

For a company looking to become GDPR compliant, the starting point is an audit of every business process that handles the personal data of individuals in the European Union.

Enterprises must then classify those data sets and verify that the controls in place actually ensure compliance. They need to understand the law and follow the GDPR's requirements at every stage: collecting, processing and storing data.

Once a company has identified which of the data it handles falls under the regulation, it must record who has access to each type of data, who it is shared with and which applications process it.

Enterprises must also carry out risk assessments to prevent data theft, and must revise and repeat their data protection procedures until they align with the GDPR's requirements.

The GDPR applies regardless of company size; the often-quoted figure of 250 employees only marks the point below which the record-keeping obligation of Article 30 is partly relaxed. A dedicated Data Protection Officer, responsible for the data protection strategy and for ensuring the company meets the GDPR's requirements, is mandatory when the company's core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category data (public authorities must appoint one in any case). Whether or not a DPO is required, it is important to make employees aware of the new rules and to give them proper training and guidelines so that they handle data securely.



Steps for GDPR Compliance for Web Hosting Companies

Run a Risk Assessment: Web hosting companies must know what kind of data they handle and process about individuals in the EU. The assessment should identify the risks to that data and set out the measures that mitigate each serious risk.

Data Protection Plan: Companies must work to a definite plan for reporting and tracking progress on the security and privacy of personal data, and keep the plan updated so that it stays aligned with the GDPR's requirements. In case of a personal data breach, the supervisory authority must be notified within 72 hours of the company becoming aware of it, and the affected individuals must be told as well when the breach poses a high risk to them.

GDPR Statement: Web hosting companies and other data processors should prepare a GDPR statement for existing and prospective clients that clearly explains which measures make the service GDPR compliant.

Terms and Conditions: The GDPR (Article 28) requires a written contract between a data controller and its processor, so the cleanest way to implement the GDPR between a host and its customers is to state the compliance requirements transparently when the contract is signed. The terms and conditions must be clear and must precisely set out the obligations each side takes on to meet the GDPR's requirements.


