The General Data Protection Regulation (GDPR) comes into effect on the 25th of May 2018. GDPR is designed to strengthen data protection and privacy for users within the European Union (EU), and it affects every organisation that collects personal data in any way. To help you be in the know, we are going to go through what your role as the collector of information is and what our role as the data processor is.
EU citizens' new rights under GDPR
All EU citizens will have the following rights under the new regulation:
- The right of access
EU citizens have the right to know what personal data you hold about them and how that data is processed and used. As a business or organisation, you are obliged to provide this information on request.
- The right to be forgotten
People have the right to be forgotten. This means that if a person requests it, you will be required to cease processing any data you hold about them and delete it. Certain data can be kept for archival purposes, for example financial records such as invoices that contain customers' billing details. This information can't be removed, as doing so would invalidate the financial records submitted for tax purposes.
- The right to data portability
If you hold data about anyone and they wish to pass it to another organisation, then you must comply. It means that customers can use the records you hold about them to get better deals from your competitors.
- The right to be informed about data breaches
For many this would be obvious, as users should always be made aware of any breach, but some organisations have kept serious data breaches secret for months to protect themselves from bad publicity, a falling share price and other consequences. Now, customers must legally be informed within 72 hours. You must also inform any supervisory bodies that need to know (the Police, for example).
- The right to data correction
Any data you hold about an individual must be accurate. If it isn't, they have the right to demand that it is corrected. The easiest way to handle this is to allow them to update their details themselves.
Who has to comply with GDPR
If you are an organisation that holds data on EU citizens, then you are required to comply with the regulation, whether you are based in the EU or not. This will have an impact on companies like Google, Facebook and Amazon that collect web data from users in the EU, but it also includes small businesses, from game developers to mobile app companies.
GDPR after Brexit
When the UK leaves the EU, the GDPR will be transferred into UK law. The UK is committed to data protection and will continue with GDPR once it has left the EU.
The flow and storage of data, and who is responsible for each part, is broken down into 4 roles:
- Personal data
Any information relating to an identified or identifiable real person. An identifiable real person is defined as any real person who can be directly or indirectly identified.
- Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, transmission, storage, conservation, extracting, consultation, use, disclosure by transmission and so on.
- Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor
The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Host Media as a Processor
Host Media is classed as a “processor” as we process personal data on behalf of a data controller. This will be the case when you use the services of Host Media and store personal data on Host Media infrastructure. Within the limits of any technical restrictions, Host Media will process any data stored in accordance with your instructions, and on your behalf. We will provide the required technical services to ensure the data controller can fulfil their requirements under GDPR.
As a “processor” we will never use the data controller's collected data for our own purposes. We would only access personal information collected by the data controller at the data controller's request, in most cases to provide support on technical issues. Example: a data controller is unable to edit a row in a SQL database that contains personal information.
Host Media as a Data Controller
Host Media is classed as a “Data Controller” when we determine the purpose and method of our own personal data processing. Host Media collects data for billing, managing accounts, improving the quality and performance of our services, sales and quoting, etc. As a data controller, Host Media will:
- Limit the data collected to what is strictly necessary for billing and support.
- Only use the data collected for the purpose for which it was collected.
- Not transfer this data to third parties other than companies associated with Host Media and acting as part of the performance of the service that we provide.
- Implement technical and organisational measures to ensure the highest level of security.
- Ensure all customers know exactly where their data is held.
- Provide a complete audit trail for our infrastructure and service providers to ensure we are completely transparent.
How we backup and store your hosting data
All our data backups are stored within the EU. For the backup storage of individual hosting accounts (cPanel/Plesk) we use our partner data centre in Germany. Data is transmitted securely to this location from all of our servers.
Backups have a maximum retention period of 12 months; after that period, backups are securely deleted.
If you would like to learn more about your privacy and the security of our servers as a ‘Data Collector’, please visit our privacy page, which contains all the information on our security. Our privacy page also contains details of cookie data collection and tracking.
Are you a web developer?
As a website developer you may be a data controller, a data processor, or both. If you create or integrate with systems or software that handle personal data, then you are part of the processing of that data and can be held responsible for any breach of that personal data. This also includes any changes made to the data without the knowledge of the individual.
Want to know more?
If you would like to learn more about GDPR and the roles, please use the following links:
We have been hosting websites since 2002 and are always moving forward. All articles written under the Host Media author are created by the team who support our customers.