As you may be aware, the General Data Protection Regulation (GDPR) comes into force on the 25th May 2018. In order to comply with the regulation, we need to make some changes to the way we treat any personal data you may collect, store or process on your hosting plan.
We take our obligation under GDPR very seriously and while the regulations are a challenge to implement, we believe they are a change for the better and fully support them.
Under GDPR it is a requirement that the data controller (in our case, the customer) has a data processing agreement in place. Amongst other things, this agreement must include:
- the subject matter of the processing
- the nature and purpose of the processing
- the type of personal data and categories of data subject
As a hosting provider this presents a challenge, as often we have little or no knowledge of the data our clients are collecting, storing and processing on our service via the applications they run. In addition, the definition of data processor is very broad in scope: there are many instances where, during the course of providing management or technical support services, our staff may act as a data processor. Examples of this include:
- Performing migrations
- Troubleshooting email issues
- Backing up data
- Exporting databases
- Deleting data
Often our staff are responding to an urgent requirement and may not know, until an issue occurs, the type of processing the client requires. This means the scope of the agreement needs to be broad enough to allow us to provide the technical support customers have come to expect from us while still fulfilling our obligations under GDPR.
Ultimately, it isn’t logistically possible to have an entirely bespoke processing agreement for every customer. As a result, we have taken a pragmatic approach and have released a GDPR-compliant data processor agreement that clearly defines all parties' roles and responsibilities under GDPR and allows our customers to define their own data subjects and categories, making it easy for you to comply with GDPR. To request a copy of this agreement, please contact our team via a support ticket.
If you are a customer storing particularly sensitive data, or have a complex configuration that requires stricter controls, we will be offering bespoke processor agreements in those situations. Please get in touch if you feel this may be required and we would be happy to discuss it.
GDPR customer questions
In the run-up to the 25th May, we have been fielding a large number of questions from our clients about GDPR and have compiled an FAQ section below. However, please note that at this early stage there are various interpretations of GDPR. Our answers are based on our interpretation which, in turn, is based on the ICO (Information Commissioner's Office) interpretation. This may change once GDPR comes into force and the realities sink in.
If you are unsure about your role and responsibilities under GDPR, you should seek independent advice.
FAQ
Are IP addresses classed as personal data?
Yes. However, on their own they won’t identify an individual data subject; they need to be combined with other data. Article 32.1 states:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk….
If IP addresses are being collected simply as part of the web server logs, the risk may be minor. However, if you have an application that logs an IP address against a client profile that contains a name and address, then the sensitivity of the data increases and, as a result, additional security measures may be appropriate.
I don’t collect any personal data on my website, do I still need an agreement?
The definition of personal data is very broad and so you may be collecting it without knowing. This includes data that on its own may not identify an individual but could identify them when combined with other information. For example, collecting an IP address may not seem like personal information; however, when combined with other data, such as an ISP’s logs, it could be traced to an individual.
Even if you don’t have a website and just use an email account, you will still be collecting personal data in the form of email addresses as well as information included within the body of your emails.
If you have a server, then you will have security and error logs that may also contain IP addresses, usernames and email addresses.
Overall, you should be careful about assuming you don’t collect any personal data.
I don’t want any personal data on my server, how do I disable logging?
The aim of GDPR is to strengthen data protection. By disabling all logging, security services, such as intrusion prevention, DDoS protection, application firewall etc., won’t be able to use those logs to block attacks. Disabling logging, therefore, makes your data more vulnerable. It is not a good idea. In addition, it also makes it more difficult to troubleshoot issues or diagnose attempted attacks.
We consider logging to fall under legitimate interest, as it is essential to the prevention and diagnosis of data breaches. Even if your website does not collect or store other personal data, it may still be the victim of hacking. Without logs, preventing or diagnosing such attacks becomes vastly more difficult.
Do I need consent to collect log data?
Logs that have any bearing on security or integrity we treat as falling under legitimate interest: you should state in your privacy policy that you collect the data, but you don’t have to get consent.
Recital 47 states: "The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned."
Do you support pseudonymisation of log file data?
No, doing so would render the data useless for the purpose it is intended.
Are you ISO27001 certified?
Yes, we have recently obtained ISO27001 certification as part of our preparations for GDPR. We can supply a copy of this upon request.
Are you registered with the ICO (Information Commissioners Office)?
Yes, our registration number is Z3409216.
Do I need to encrypt my data to comply with GDPR?
GDPR does not make encryption mandatory; it requires you to take security measures appropriate to the risk, which may include encryption. What we will say is that you need to ensure that any measures you do take will hold up to scrutiny if you ever suffer a data breach.
If you are storing personal data we would advise you do the following as a minimum:
- Have a valid SSL certificate for all web-based services AND enforce its use (redirect non-SSL requests to SSL automatically)
- Ensure you use hashing to secure any passwords stored in any database you may use, consult your website developer if you are unsure.
- Ensure you are using SSL/TLS-based encryption when connecting to services such as FTP and email. If you want this to be enforced by disabling the non-SSL/TLS ports on your server, you can request that our team configure this for you.
- Ensure your backups are encrypted. Our R1 backup service supports at-rest encryption and this is easily configured; contact us if you need help doing this.
Where is my data stored?
All data is stored in the UK; we use data centres located in Wakefield, Nottingham and Reading.
Is my data ever processed outside of the EEA (European Economic Area)?
In some cases, yes. We have offices in India in addition to our UK office. Our Indian office provides 1st and 2nd line technical support, so our staff there may come into contact with personal data during the course of providing support services.
We have a GDPR-compliant processor agreement in place with our office in India, and it is subject to the same policies and procedures in relation to data protection as our UK office. In addition, it maintains ISO27001 and ISO9001 accreditation.
All staff are provided with GDPR training which includes bi-annual refresher training.
I have heard WHOIS is not going to be GDPR compliant. Can I still register domains for my clients after the 25th?
When you register a domain, your registration contact details are published in a public database called WHOIS, that anybody can search. ICANN (the global administrator for WHOIS), which is US based, has advised that it will not be changing the public accessibility of the WHOIS records prior to 25th May. As a result, it will not be compliant with GDPR until it does so.
However, to ensure compliance, the registrars themselves (in our case Tucows) have taken it upon themselves to anonymise the personal data they publish to WHOIS and to apply this retrospectively to all domains they hold prior to the 25th May. As a result, any domains registered through us, past or future, will be compliant.