Over the last couple of months, you may have noticed an increased number of news articles related to ‘GDPR’. It seems everywhere you look there is someone telling you that GDPR is upon us and that you need to “act now”.
For something that is so imminent, there seem to be a lot of people in the dark about what GDPR is and how it might impact them.
Here then is an overview of GDPR and a few notes regarding what you might have to do about it if you are a web host.
So just what is GDPR?
GDPR stands for the ‘General Data Protection Regulation’. It is a new law introduced by the European Parliament and Council – the European Union (EU) governing body.
According to the official GDPR website, the “EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
The law was introduced in April 2016 and it covers how businesses and organizations must protect the personal data of EU citizens.
Basically, it is intended to give consumers full control over the personal data companies and organizations collect.
When does GDPR come into effect?
GDPR will be implemented from May 25, 2018.
What sort of data does GDPR cover?
GDPR covers all stored information that applies to a person (living or dead) which can be used to identify that person.
This includes simply storing a person’s name, but also includes email addresses, bank account details, photos, IP addresses, medical records – anything that can be used to identify a person.
How does GDPR impact me?
GDPR impacts you if your business caters to any EU citizens – even if you are located outside the EU.
This means it applies to you if you have customers in Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden or – until ‘Brexit’ happens anyway – the United Kingdom.
If you are involved in the web hosting industry, there’s a good chance you might have at least a few EU customers. As a result, you might have to change how you do business.
If you have offices or facilities in an EU country, you will certainly have to change how you do things.
What happens if I just ignore GDPR?
If you ignore GDPR you could potentially be fined 4% of your total global turnover, or 20 million euros ($24.6 million) – whichever is the larger amount. So, GDPR is not to be sneezed at.
If Facebook is taking GDPR that seriously, perhaps you should.
What does GDPR change?
GDPR focuses on people giving consent for their data to be collected.
Whereas in the past simply clicking on a link might have implied consent had been given to collect personal data, under GDPR companies will have to get the specific consent of each individual they are doing business with.
Forms used to get consent have to be clear and understandable. They cannot be bundled with lots of other things.
In addition – and most importantly – a customer or service user must be able to easily withdraw their consent for personal data to be collected once given.
Companies also have to ensure that children don’t use their services without ‘parental consent’.
That means a child under 16 must have a parent give permission for their personal data to be collected.
Companies like ‘WhatsApp’ are very much ahead of the curve as far as this is concerned, and changes to their terms and conditions to meet GDPR age restrictions have already been made.
Is there anything else GDPR requires me to do?
There are a number of GDPR requirements that could impact web hosts.
The number of data breaches over the last few years is astounding. Some breaches, like those experienced by Yahoo!, took several years to report.
Under GDPR, in the case of a breach which impacts EU citizens’ data, companies have to report the event to the data protection authority they are working under "without undue delay" and within 72 hours.
In addition, customers will be able to request access to any personal data a company or organization has collected and have the right to know exactly what that data is being used for.
When a business relationship is terminated, a customer also has the right to ask for personal data to be removed from a company’s records.
Likewise, if a customer changes provider (for example, moves to another web host), they have the right to take the data stored by one provider and move it to another.
So how do I prepare for GDPR?
Large companies like Facebook have been looking at GDPR for the last two years. Other smaller companies have just realized GDPR is an issue.
If you are a “public authority, or a company or organization” that carries out “systematic monitoring” or collects a lot of “sensitive personal data”, your company will have to appoint a Data Protection Officer (DPO).
A Data Protection Officer (DPO) is responsible for ensuring a company or organization’s data protection strategy and implementation procedures comply with GDPR requirements.
To the extent that your organization fits any of the above requirements, you might need to engage the services of a private GDPR consultant to look at what you do and determine what changes you might need to make.
Where can I find out more about GDPR?
When regulations are on other shores, however officious they may sound, there’s always the temptation to just turn a blind eye.
GDPR might be different – people who do a lot of online business in Europe are spending a lot of time getting their ducks in a row as far as this one is concerned.
Probably the best place to start is the official GDPR website. Beyond that, as we said earlier, a private GDPR consultant might put your mind at ease.