We’re getting loads of questions from customers and non-customers alike about GDPR.
Considering we are rapidly approaching the May 25th deadline for compliance, we thought it’d be a good idea to write a blog post explaining GDPR without the legal jargon, and ending it with a brief overview of what we’ve been up to as it pertains to getting EuroVPS up to speed with GDPR compliance.
What is GDPR?
GDPR stands for General Data Protection Regulation. Great. That much we can all agree on. But with all of the lawyer jargon surrounding this topic, things can get a little bit confusing …
- GDPR is a new European data privacy directive
- It comes into force from May 25th, 2018
- The goal of this directive is to give citizens more control over their personal data.
- If you store or process personal data of European citizens, GDPR affects you. There is no escape. Tough luck.
- Even if your company is based outside of Europe, GDPR is going to be something you’ll have to reckon with.
If you’re still confused about GDPR, let’s flesh out some of the most pertinent FAQs we get on a regular basis about GDPR.
Why is GDPR being released now?
The way the world works now is a lot different than it was 20 years ago when the old data protection framework was created back in 1995.
We live in an age where grandparents have Facebook accounts and 4-year-olds are surfing the internet on tablets like pros. There’s never been more personal data available for the taking on the world wide web. That data is super valuable… This opens the doors to foul play, corruption, and naughty activities that can put our privacy and self-respect at risk!
This is why GDPR is so important now.
So, is GDPR actually a good thing?
Yes, at least we think so.
If you disagree, we’d love to hear your perspective in the comments section.
The only “bad” thing about GDPR is that it’s kind of hard work. Now we have to actually be responsible about the data we collect! Despite the fact that it means extra work for us, all I can say is – it’s about time!
Is GDPR actually going to be enforced?
Anyone who tries to answer this question with certainty before May 25th is a big fat liar.
There’s been a lot of fear-mongering about the 4% revenue fine with a maximum penalty of up to €20,000,000 but until the first fine is levied, it’s really impossible to answer for sure how strict the enforcement will be.
Here’s what we do know for sure:
Every member state in the EU has its own DPA (Data Protection Authority).
These authorities will be the ones auditing/inspecting and making sure that you’re following the GDPR rules.
If they suspect a violation they have the right to request access to your office or datacenter.
We also know that GDPR applies even to companies based out of non-EU countries.
For example, if you’re a USA-based tech startup and have even a single European customer (which is highly likely), then you are bound by international law to be GDPR compliant.
Think you’re above the law?
Well, think again – because apparently all signs are pointing towards the development of international agreements between the USA and Europe that will make it possible to penalize USA-based companies financially.
Linda V. Priebe - former deputy legal counsel at the White House
For U.S. companies that have a physical presence (establishment) in the EU, which increasingly they do, the GDPR can be enforced directly against them by EU member state authorities. EU authorities have been aggressively pursuing data protection enforcement actions against U.S. companies with locations in the EU for a number of years.
What has EuroVPS done for GDPR?
We’ve been hard at work preparing for GDPR for some time. You can count on the fact that we here at EuroVPS are committed to complying with the GDPR requirements.
Step 1: Assign a Data Protection Officer (Completed)
Article 37 of the GDPR states that we need to designate a Data Protection Officer to oversee GDPR compliance and report to management.
This role’s been assigned to our Chief Security Officer (yours truly).
I’ll be the one responsible for training our staff on the new fancy rules on how to handle personal data in accordance with GDPR. I’ll also be responsible for creating and documenting internal security and privacy procedures.
Step 2: Create Plan to Communicate Security Breaches Swiftly (Completed)
GDPR requires that companies are quick to communicate data breaches once they’re discovered.
Within 72 hours to be exact.
European law states who needs to be informed, and also which clients; on our side, that is determined by the records in our systems of the privacy-related material we hold on you. If a data breach is detected, you’ll immediately be notified via our ticketing system, but we reserve the right to take action to stop the breach before we contact you, to avoid the issue spreading further.
Step 3: Data Encryption for Personal Data (Completed)
One of the first things we did to prepare for GDPR is a full audit of all the personal client data that we collect.
Whatever data we do collect, we ensure that it’s all completely encrypted, as is all data stored within our billing portal and client area portal.
All data accessed through our support portal is encrypted by SSL during transmission.
Step 4: Implement Strict Security Logging (Completed)
The support employees who have root access use a special tool to log in. The tool logs access, time spent and any commands used by the support engineers.
This follows the guidelines of PCI DSS 3.2; even though we are not required to use this level of security, we believe it is simply a good way of doing things.
Furthermore, we update all our server hosts daily and monitor our software vendors’ emergency updates, implementing them as soon as they are available.
Step 5: Give Customers the Right to be Forgotten (Completed)
The GDPR gives individuals the right to be forgotten. This means that you’ll have the right to have your data completely erased. You can erase your data completely from the control panel.
Note: You can start the account removal process only if there are no unpaid invoices linked to your account. Once that is the case, you can delete it.
Step 6: Give You Access to Download Your Data (completed)
GDPR means that individuals have a right to data portability which guarantees them the right to receive the personal data concerning them, which they had previously provided, in a ‘commonly used and machine-readable format’ and have the right to transmit that data to another controller.
Customers are now able to download their data in JSON format by clicking the download button in the client portal (shown in the screenshot above).
Information the JSON file contains:
- Change Log
Step 7: Give customers the right to be informed (Completed)
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
Step 8: Establish time limits to erase or review the data stored (Completed)
GDPR states that customer data should be stored for the shortest time possible. At EuroVPS that period takes into account the reasons why our company needs to process the data, as well as any legal obligations to keep the data for a fixed period of time. Examples are tax obligations, or the potential for a client to add payment information and convert to a paying user.
Step 9: Draft a DPA (Completed)
We’ve incorporated a Data Processing Addendum (DPA) into our website so that it can be easily accessed by those customers that require it (EU citizens/companies). If you require a counter-signed version of the DPA, please send us a request by emailing firstname.lastname@example.org.
Read our DPA here.
Step 10: Draft specific technical and organizational measures we take to become GDPR compliant (Completed)
As per Article 32, paragraph 1, of the GDPR, we are now outlining the specific technical and organizational measures that we are currently taking to maintain GDPR compliance. Note that this is a living document that will evolve over time as new measures are added.
Read them here.
What should you be doing?
If you haven’t already done so, you should start your compliance efforts now.
We’re a hosting provider and will never look into your server. Your data is your data. So it’s important to note that you as the site owner are the data controller.
If your site can collect data from EU citizens, including those in the UK, then we recommend that you review your data privacy and security practices and begin researching your responsibilities.
Every business is different and that may affect what you need to do to comply with GDPR.
We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to you and your business.
Where can you find out more?