The 10 Minute Guide to Being GDPR Compliant and What it Means for Web Hosting and Managed Service Providers
The GDPR, or General Data Protection Regulation, is one of the most comprehensive privacy and data protection regulations adopted by the European Union (EU). Firms need to rethink and, most likely, change their privacy, security, and data governance strategies to comply.
And this legislation has teeth!
Failure to comply can result in fines of up to the greater of €20 million or 4% of a company’s annual global turnover for the most serious infringements (a lower tier of up to €10 million or 2% applies to others, such as failing to keep records of processing), scaled to how serious the infringement and the resulting damage are.
Here are some of the key points of the new regulations:
- The regulations impact any company that processes personal data of individuals in the EU, no matter where the company is located. Those individuals have the right to obtain a copy of their records and the right to be “forgotten.”
- Firms must conduct data protection impact assessments for processing that is likely to be high-risk.
- Certain breaches of personal data require firms to notify the supervisory authority and, where the breach is likely to result in a high risk to the people concerned, the affected individuals.
- There are additional requirements for firms that conduct profiling and monitoring of EU individuals.
- Two main roles are identified:
– The “controller” of personal data: the entity which determines the purposes and means of the processing of personal data
– The “processor” of personal data: the entity which processes personal data on behalf of the controller. Examples of processing include storage, recording, organization, and retrieval.
Per GDPR, organizations that belong to either or both of those roles are liable and responsible for compliance.
Web hosters or managed service providers (MSPs) are data processors for the personal data their clients place on the services they provide; the clients, who decide what that data is used for, are the data controllers. For their own customer, billing, and employee records, hosters and MSPs are controllers in their own right.
If you’re a web hoster or MSP with users in the EU, you are affected by GDPR. The impact of non-compliance can be detrimental to your business.
Need another worry?
Since most hosters and MSPs use third-party SaaS tools, those tools act as sub-processors and must also be compliant. Just asking a vendor whether it is GDPR compliant is not enough: Article 28 requires a written contract covering the processing, and you remain answerable to your customers for the sub-processors you bring in. Verification is essential.
What is Personal Data
Let’s start first by explaining how personal data is defined per GDPR:
‘Personal data’ means any information relating to an identified or identifiable natural person (known as a ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
– Article 4(1) EU GDPR
Focusing on Getting GDPR Right the First Time is Key
So, here’s a quick guide to help you understand GDPR compliance, designed especially for hosting and MSP firms.
Quick Guide to Being GDPR Compliant
1. GDPR Overview
The protection of personal data is an integral part of the EU Charter of Fundamental Rights. Article 8 states that:
“Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”
The GDPR builds on this with, among other rights, the right to erasure (Article 17), commonly called the right to be forgotten.
GDPR determines how firms must process, protect, and notify individuals living in the EU regarding their personal data. This includes all aspects of collecting, storing, transferring, or using that data.
As we saw in the previous definition, “personal data” as defined by GDPR is broad and potentially includes identifiers such as email addresses and IP addresses.
The GDPR strengthens enforcement of the rules as well as the size of the fines associated with noncompliance or breaches. Firms must comply with significantly increased obligations for how they handle and protect data.
2. Expanding the Rights of Individuals
The GDPR expands the rights of individuals in the EU by giving them the right to obtain a copy of any personal data a firm holds about them (the right of access, Article 15). Individuals also have the right to have their personal data erased (Article 17). This is commonly known as the “right to be forgotten,” although it is not unconditional: it applies, for example, when the data are no longer needed for the purpose they were collected for or when consent is withdrawn.
For firms in the MSP and hosting business, this means it is critical to keep accurate records of where personal data lives, including in backups and archives, for any user located in the EU. It also means these firms must be able to quickly locate a user’s personal data, provide an accurate copy of it, and, if necessary, delete or recover it. Requests must normally be answered within one month.
3. Increasing Compliance Obligations
In addition to the expanded rights of individuals, the GDPR mandates that firms have policies and procedures in place to ensure the security of personal data. Further, firms must conduct data protection impact assessments for high-risk processing to validate that data security and privacy are being maintained.
Hosting and MSP firms need to create and implement policies and processes to ensure data confidentiality and integrity as well as data availability and resilience. Article 32 explicitly names pseudonymisation and encryption of personal data as appropriate technical measures, together with the ability to restore data after an incident and regular testing of the safeguards; other controls such as endpoint security fall under the general duty to apply “appropriate technical and organisational measures.” Pseudonymised data is still personal data, because it can be re-linked to a person with the separately held key; only truly anonymised data falls outside the regulation.
GDPR also places the burden on hosting and MSP firms of ensuring that their own vendors and sub-processors are compliant, which includes having a written data processing agreement with each of them.
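The two practical tasks the previous sections set out, locating and erasing one user’s records and pseudonymising identifiers such as email and IP addresses in operational logs, can be demonstrated in a few dozen lines. The following is an added example written for this guide, not code from the original page: it applies a keyed HMAC to every email address and IPv4 address in a constructed access log, so that the same person always maps to the same token (analytics keep working) while the mapping cannot be reversed without the key. The log lines, addresses, and the key constant are all made up for the example; in production the key would live in a secrets store, separate from the logs.

```python
import hashlib
import hmac
import re

# Constructed sample access-log lines for this example (not real traffic);
# the addresses below are documentation ranges / example domains.
SAMPLE_LOG = """\
203.0.113.42 - alice@example.com [10/Oct/2018:13:55:36 +0000] "GET /account HTTP/1.1" 200 512
198.51.100.7 - bob@example.org [10/Oct/2018:13:55:40 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.42 - alice@example.com [10/Oct/2018:13:56:01 +0000] "GET /billing HTTP/1.1" 200 2048
"""

# Placeholder key for the example only. The real key must be stored apart
# from the pseudonymised data (that separation is what makes the data
# pseudonymous rather than merely obfuscated), e.g. in a KMS or vault.
EXAMPLE_KEY = b"example-key-replace-with-kms-managed-secret"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymize(value: str, key: bytes, kind: str) -> str:
    """Map one identifier to a stable token: HMAC-SHA256 under `key`.

    `kind` is mixed into the MAC so an email and an IP can never collide,
    and the same value yields the same token for the same key.
    """
    mac = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{kind}_{mac[:16]}"


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace every email address and IPv4 address in a log line."""
    line = EMAIL_RE.sub(lambda m: pseudonymize(m.group(0), key, "email"), line)
    line = IPV4_RE.sub(lambda m: pseudonymize(m.group(0), key, "ip"), line)
    return line


def pseudonymize_log(text: str, key: bytes) -> list[str]:
    """Pseudonymise a whole log; returns the transformed lines."""
    return [pseudonymize_line(line, key) for line in text.splitlines()]


def find_subject_lines(text: str, key: bytes, email: str) -> list[str]:
    """Right of access: recover the lines belonging to one data subject.

    Because the mapping is deterministic under the key, the subject's
    token can be recomputed from the email they supply in their request.
    """
    token = pseudonymize(email, key, "email")
    return [line for line in pseudonymize_log(text, key) if token in line]


def erase_subject(text: str, key: bytes, email: str) -> list[str]:
    """Right to erasure: drop every line tied to one data subject."""
    token = pseudonymize(email, key, "email")
    return [line for line in pseudonymize_log(text, key) if token not in line]


def anonymize_ip(ip: str) -> str:
    """Irreversible alternative for aggregate statistics: zero the last octet.

    Unlike the keyed token this cannot be undone, so the result is no
    longer personal data, but it also cannot serve an access request.
    """
    parts = ip.split(".")
    return ".".join(parts[:3] + ["0"])


if __name__ == "__main__":
    for line in pseudonymize_log(SAMPLE_LOG, EXAMPLE_KEY):
        print(line)
    print("alice's records:", len(find_subject_lines(SAMPLE_LOG, EXAMPLE_KEY, "alice@example.com")))
    print("after erasure:", len(erase_subject(SAMPLE_LOG, EXAMPLE_KEY, "alice@example.com")))
```

The design point is the key: whoever holds it can re-identify every token, so access to it must be restricted and logged, and rotating it breaks the link between old and new tokens (which may be exactly what a retention policy wants). If the key is ever stored next to the logs, the data is not pseudonymised in any meaningful sense.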
4. Required Notification of Data Breach and Security
Under the GDPR, a controller must report a personal data breach to its supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the controller must also inform them without undue delay (Article 34). A processor, which is what a hoster or MSP is for its clients’ data, must notify the controller without undue delay after becoming aware of a breach so that the controller can meet its own deadline. Firms must be able to establish when a breach occurred and identify the data that was accessed or altered.
Firms must also comply with more stringent security requirements to help enforce tighter controls over access to and use of personal data.
The burden on hosting firms and MSPs is clear:
- They must detect a breach and know when it occurred, which in practice means retaining and reviewing access and change logs.
- They must be able to identify what information may have been accessed, edited, or deleted, and which clients it belongs to.
- They must notify the affected clients (the controllers) without undue delay, and, for the data they control themselves, notify the supervisory authority within 72 hours and, where the risk is high, the affected individuals.
5. Requirements for Profiling and Monitoring Behavior
For firms that profile or monitor the behavior of individuals in the EU, there are additional requirements governing those activities. The degree to which a firm engages in monitoring and profiling will affect GDPR’s impact.
The GDPR defines profiling (Article 4(4)) as automated processing of personal data to evaluate personal aspects such as behavior, location, or interests, but what counts as large-scale or systematic monitoring is shaped by regulator guidance and case law that continue to develop, making this an ongoing challenge for those firms to comply with.
For hosting and MSP firms, any activity associated with profiling or monitoring behavior of EU users will require compliance with these new requirements. Being able to assess current and future profiling and monitoring activities will be an essential consideration of any firm dealing with user data.
6. Appointment of a Data Protection Officer May Be Required
Under the GDPR, some organizations are obliged to appoint a data protection officer (DPO): public authorities, firms whose core activities involve large-scale, regular and systematic monitoring of individuals (for example, online behavior tracking), and firms whose core activities involve large-scale processing of special categories of data such as health data (Article 37).
However, we believe that appointing a DPO is best practice even if your firm is not obligated to select one.
The €20 Million (or more) Fine
How serious are these new regulations?
The teeth to these regulations are the penalties, which can reach the greater of €20 million or 4% of a company’s annual global turnover. That’s not EU revenue, that’s global revenue!
This amount will vary depending on how bad the breach or other noncompliance is. Still, it is a large enough number that anyone managing a firm, especially those with tight margins like hosting companies or MSPs, should be paying attention.
Not in the EU? You Still Need to Pay Attention
Even if your firm is not located in the EU, these regulations may still apply to you.
If you have EU users whose personal data is in your systems, you will need to comply. The GDPR applies to firms established in the EU and, for firms outside the EU, to any processing of personal data of individuals in the EU connected with offering them goods or services (paid or free) or with monitoring their behavior (Article 3).
And in addition to addressing their own GDPR compliance, web hosters and MSPs should support their customers in the same endeavor.