How is SiteGround Getting Ready for the GDPR?

We are receiving more and more inquiries from clients asking if SiteGround will be GDPR-compliant. With this blog post, we would like to explain what we have been doing and share our experience with becoming GDPR-compliant, both as a way to inform you what you can expect from us in the next month, before May 25, 2018, and as a way to help you prepare for the GDPR yourselves.

The use of our personal data by big companies is indisputably the hottest topic right now, and we don’t think anyone doubts the importance of regulations that prevent abuse and enhance the security of that data. The European General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, aims to do exactly that: regulate how the personal data of individuals in EU territory gets collected and used. It defines personal data very broadly (name, email, username, address, phone number, financial data, age, behavioural data and more) and obliges everyone who collects and processes such data of EU individuals, no matter where that company or person is located in the world, to act in accordance with the regulation.

SiteGround started the process of becoming GDPR-compliant about a year ago, and we wholeheartedly look forward to it being enforced. We believe the GDPR is good for users and good for the overall security of the Internet, and we have always acted in line with its main principles. Now our goal is to audit and make public these internal rules, and also to make sure we apply the letter and the spirit of the GDPR to all our clients, whether you are an EU resident or a resident of another country.

GDPR Helps Users Stay Informed and Gives Them Control

The GDPR is a really great thing when you look at it from the perspective of the users. When a user signs up for a free or paid service, an app or anything else, and provides their personal data, the provider of the service has to notify them explicitly how their personal data will be used before they complete the registration. Whether that use is for marketing and profiling, or whether the data may be sold or transferred to third parties, it has to be explicitly stated in advance. Users will be able to say NO to certain types of usage and will have to give consent (opt in) to the Terms of Service and Privacy Policy of the provider, thus making an informed choice. So, a big win for the users: more control over their data, less invasion of their privacy, less spam and less intrusive advertising overall!

The Hard Bureaucracy Around the GDPR

The GDPR was designed to regulate the activities of big companies like Google and Facebook, which process insane amounts of personal data and use it to generate significant gains, but at the end of the day it affects everyone, including every small business that works with any personal data. Even if a company uses data in a completely legitimate way, the new regulation requires specific changes, such as rewording its Privacy Policy to state explicitly what kinds of usage there are, automating how the user can access their personal data, and more. Unfortunately, this effort to comply is costly in legal fees, in time and in deviations from standard business operations, so that the GDPR can be treated as a high priority.

SiteGround Getting Ready for the GDPR

Under the GDPR, a hosting company like SiteGround has two responsibilities: to protect the personal data we collect from our clients upon sign up (name, email, address, password, billing data), and to protect the data our clients collect from their own clients and host on our servers while using our services. For the first, we have to guarantee that we collect, store and work with our clients’ data in a legitimate way and that our clients are informed how exactly we do that. For the second, as processor, we have to provide sufficient guarantees and full transparency about the way we store the data our clients host on our servers on behalf of their clients.

Even though SiteGround has always been acting in accordance with the principles of the GDPR, there is still work to tidy up the processes we follow and comply with the letter and spirit of the law. So here is a list of the major things we are going through and why they matter.

1. Terms of Service and Privacy policy updates

The GDPR says we have to inform clients what data we collect about them and legitimize how we use it afterwards. The good news is that we collect only the minimal set of personal data that is required to deliver the hosting service. For example, we collect your physical address for invoicing and tax purposes. We collect your credit card data because we need to bill you upon purchase. We collect your email because we need to contact you regarding your orders, the status of the services, important functionality updates and, where you have consented to receive such communications, contact you with newsletters and promotions. We use cookies because they help us show relevant content to our website visitors and advertise based on these interactions. We don’t use any of the data collected for profiling or other secondary purposes and we do not sell it to anyone.

As per the GDPR requirements, our new Privacy Policy will fully describe why and how we collect and process personal information, and any client, existing or new, will be able to verify that we handle this information carefully and sensibly.

2. Standard Contractual Clauses and EU-US and Swiss-US Privacy Shield certification

SiteGround is a group of companies, all of which are based in the EU with the exception of our US entity. Because of how standard operations are organized, EU clients’ data may also be transferred to and processed by our US entity; for example, you may choose to host your site in our US data centers. In accordance with the GDPR, we need to ensure that our US entity offers the same level of protection of EU data as guaranteed by the GDPR, even though it is subject to US jurisdiction. We regulate this through Standard Contractual Clauses*, which will be included in all contracts between our entities to guarantee that the transfer of data complies with the GDPR requirements.

Additionally, we are working on a certification under the EU-US and Swiss-US Privacy Shield with the Department of Commerce, attesting that we adhere to the Privacy Shield Principles regarding the collection, use and retention of personal information from European Union member countries and Switzerland, respectively, so that we can lawfully host EU clients’ data on our US servers when that is needed. We are moving this forward as a second-tier compliance mechanism after the Standard Contractual Clauses.

*The Standard Contractual Clauses are standard terms provided by the European Commission that can be used to transfer data outside the European Economic Area in a compliant manner.

3. Create annexes to contracts with external providers

Some of the services we sell are provided by external partners: domain registrars like Tucows and Open Provider, GlobalSign for SSL certificates, Cloudflare for CDN, and others. They need the clients’ data in order to deliver the service.

We are making sure that our partners adhere to the same data protection obligations and responsibilities for your data as we do. We do this by adding annexes to our contracts with these providers, in which we define their responsibilities under the GDPR.

4. Internal procedures and access-control enhancements

Given that we have been in one of the most security-demanding businesses for 14 years, all our operations are designed following the “security and privacy by default” and least privilege principles. In line with the GDPR, we are auditing and enhancing our security levels and adding new procedures where the new regulation requires them. For example, we are strengthening our personnel background checks and extending our confidentiality agreements. We are enhancing our security and incident management procedures with new ones that match the breach response requirements of the GDPR. Another new procedure we introduced is working only with partners that are GDPR-compliant.

5. Prepare a new data processing agreement

Many of our clients work with the personal data of their own clients: they take orders, collect emails through sign-up forms, process credit cards, and more. The client controls the data and how it gets collected and used, but SiteGround stores it on our servers and hence takes part in its processing. The new data processing agreement will limit our processing of that data to the purposes of delivering the hosting service and resolving technical inquiries, with no other secondary functions, which has always been the case. By providing the agreement to our customers, we guarantee that we are a trusted partner, committed to the principles of transparency, and that we meet our obligations under the GDPR adequately.

6. Right to be forgotten

Under the GDPR every client can request “to be forgotten”, meaning all their data has to be deleted and never used again, except in certain circumstances, which may include having to keep processing your personal information to comply with a legal obligation. An example of such an obligation is the requirement to keep a copy of all invoices to comply with financial and tax legislation. We are now developing functionality that allows our clients to delete their profiles after all services have been deactivated.

7. Right of access, update, portability and withdrawal of consent

Our new Privacy Policy will provide you with full details about how we process your personal data. As a client you should also be able to see what data we store about you, update it and, where we rely on your consent for processing the data, withdraw that consent. All our clients can currently see their personal information in the My Details section of their User Area and correct it. Our use of your personal information is necessary to perform our obligations under any contract with you. We rely on your consent only to send you marketing information and promotional offers, and we have introduced new preferences which let you control your consent for this use of your data. We should also be able to provide you with a copy of any data which we hold about you. For this, we are working on letting you easily export it if needed.

8. Assign Data Privacy Officer

The GDPR says we need to assign a Data Privacy Officer to make sure we are compliant with the regulation and to handle complaints. We are assigning a DPO and training a small team of people who will be able to assist with inquiries and data protection issues.

Where are We Now?

All of the above and more are on their way. Some of the items are ready, while others are still work in progress. As we are not in the habit of doing things by halves, we have not released any of them yet, but we will do so before May 25, 2018.

We will release updated versions of our Privacy Policy, Terms of Service, and a Data Processing Agreement, but we promise you will not be surprised by the things stated in them as none of the texts actually change the principles which we have stuck to until now.

The SiteGround Soul Giver

If something's cooking in any of the following areas at SiteGround: website user experience, marketing, advertising, public relations, sales, accounting or billing, the chances are that I have been involved. Being the most advanced non-technical person in a highly geeky company is definitely quite an interesting challenge.

30 Comments

  1. Ian, April 24, 2018 / 08:05

    Thanks for the update, was just about to email about a DPA.

    Will you be taking any steps to remove or anonymize IP addresses in the server logs? Realise there is a time period where they are useful, but it would be good to automatically clear data out after x months / a year.

    Also what happens with a data removal request (Right To Be Forgotten) and backups? In such a case would all backups have to be removed, or can we remove specific data from the backup?

    • Hristo Pandjarov (SiteGround Team), April 24, 2018 / 09:32

      Hello, server logs with IP information related to the accounts are normally kept for a period of 6 months, after which they are deleted automatically.

      However, if a client enforces their right to be forgotten, all account-related information and server logs associated with the account and backups will be immediately deleted. Clients cannot make changes in the backups stored for their accounts.
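The exchange above asks about removing or anonymising IP addresses in server logs, and the reply states a 6-month retention period after which logs are deleted automatically. As an added illustration of such a control (this is not SiteGround's code and does not describe how their log rotation works), the following Python script applies a retention-plus-anonymisation policy to access-log lines: entries older than the retention window are dropped, and the client address in the remaining ones is truncated so that it no longer points at a single host. The combined-log line layout, the 180-day window, the /24 and /48 truncation prefixes and the sample log lines are all assumptions constructed for this example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed layout: Apache/nginx "combined" style, client IP first, timestamp in
# brackets. This is the example's assumption, not SiteGround's log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def anonymize_ip(ip_text: str) -> str:
    """Truncate an address so it no longer identifies a single host.

    IPv4 keeps the first 24 bits, IPv6 the first 48. These prefix lengths are
    a common operational choice (assumed here), not a value the GDPR mandates.
    Raises ValueError for text that is not an IP address.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def process_log(lines, now, retention_days=180):
    """Return the lines worth keeping under the retention policy.

    Entries with a timestamp older than `retention_days` before `now` are
    dropped; the rest are rewritten with an anonymised client address.
    Lines that do not parse are dropped as well, so a malformed line can
    never carry a raw address through the filter.
    """
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        try:
            stamp = datetime.strptime(match.group("ts"), TS_FORMAT)
            client = anonymize_ip(match.group("ip"))
        except ValueError:
            continue
        if stamp < cutoff:
            continue
        kept.append(
            f'{client} {match.group("ident")} [{match.group("ts")}] '
            f'{match.group("rest")}'
        )
    return kept


# Constructed sample input: documentation-range addresses, a "now" of
# 24 April 2018, and one entry well outside the 180-day window.
SAMPLE_NOW = datetime(2018, 4, 24, 8, 5, tzinfo=timezone.utc)
SAMPLE_LINES = [
    '203.0.113.42 - - [20/Apr/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::1 - - [20/Apr/2018:10:01:00 +0000] "GET /login HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Oct/2017:10:00:00 +0000] "POST /checkout HTTP/1.1" 302 0',
    'garbage line without a timestamp',
]


def run_sample():
    """Apply the policy to the constructed sample; returns the surviving lines."""
    return process_log(SAMPLE_LINES, SAMPLE_NOW)


if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
```

Two of the four sample lines survive: the October 2017 entry is older than 180 days before the reference date (the cutoff works out to 26 October 2017) and the unparseable line is discarded, while the two recent entries come back with `203.0.113.0` and `2001:db8:abcd::` in place of the original addresses. In a real deployment the same two steps would typically be split: truncation at write time so the raw address is never stored, and rotation with deletion for the age limit.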

  2. Jaimie, May 11, 2018 / 20:52

    Hi there, when will you be posting a blog concerning your recent crowdcast webinar about the GDPR? I had a couple of questions regarding acceptable cookie polices I was hoping would be answered! Webinar was great by the way!

  3. KS, May 14, 2018 / 09:56

    Can you help clarify this...

    If my USA based company sells online to ONLY USA customers, are we excluded from GDPR?

    We do not even allow anyone outside of the USA to register for an account. The only country selectable from a Register form or Checkout form is the USA.

    Thanks in advance.

    • Angelina Micheva (SiteGround Team), May 15, 2018 / 05:38

      Hi KS,

      Since the GDPR applies only to EU citizens/residents, and the fact that you do not allow anyone outside of the USA to register and checkout on your site, you might only need to evaluate if you have European visitors and your practices in regard to these visitors.

  4. Kenneth, May 14, 2018 / 11:51

    1) How will SiteGround be involved in the required individual site compliance?
    I.E. Who will be policing this compliance?
    2) Should penalties be involved for non-compliance, how and/or will SiteGround be involved in the collection of these penalties?
    3) Are there any ongoing compliance fees ?

    Thanks
    Ken Shea

    • Angelina Micheva (SiteGround Team), May 15, 2018 / 05:43

      Hi Ken,

      Please find below the answers to your questions:

      1) and 2)
      SiteGround will not be involved in the individual site compliance; this is the reason why SiteGround urges all individual sites to be GDPR compliant. The GDPR gives data protection authorities investigative and enforcement powers and the power to levy more substantial fines for non-compliance with GDPR. These authorities include the concerned National Data Protection Authorities and Local Authorities within the EU member states and the Lead Supervisory Authority in the EU. Under the legal framework, they are responsible for the investigation of complaints and enforcement of the GDPR requirements, and GDPR provides them the power to impose and collect the administrative fines. The European Commission maintains a list of the National Data Protection Authorities on its website. SiteGround will not be involved in the collection of any administrative fines.

      3)
      The legal framework has not defined compliance fees. It has defined administrative fines for non-compliance and infringement of the GDPR requirements and/or data subject rights. The administrative fines in accordance with the GDPR for non-compliance and infringement will be up to €20 million or 4% of the entity's global gross revenue.
      Depending on your own compliance project, your preferred and selected legal advisors services, certification mechanism and/or adopted technical solutions may imply additional costs.

  5. Kenneth, May 16, 2018 / 06:57

    Understood and thank you.

  6. Mireille, May 18, 2018 / 05:35

    2 questions;

    - How do I see where my website is hosted/stored? Inside the EU or not? I understand there might be an issue when my site is stored in the US.

    - Where can I find your Data Processing Agreement?

    Thanks for your answer.

    • Angelina Micheva (SiteGround Team), May 18, 2018 / 06:27

      Hi Mireille,

      You can find the location of the server where your account is hosted when you log into your client area My Account --> Information and Settings.
      SiteGround has a data center in the US and we will ensure that our US entity offers the same level of protection of the EU data, as guaranteed in the GDPR, even though it is subject to the US jurisdiction. The way this will be regulated is through Standard Contractual Clauses, which will be included in all contracts between SiteGround entities to guarantee the transfer of data is compliant with the GDPR requirements. You can find more details on the actions we are implementing to be GDPR compliant in our blog: https://www.siteground.com/blog/gdpr-siteground-getting-ready

      Our Data Processing Agreement will be publicly available on our website. Follow our communication channels for updates and check the administrative email for your account with us.

  7. Stefanie, May 21, 2018 / 06:15

    Thanks for the information. Where do I find the data processing agreement?

  8. Kim, May 21, 2018 / 07:37

    So if a site is hosted in the US center, this law does not matter to them?

    • Hristo Pandjarov (SiteGround Team), May 28, 2018 / 06:53

      The GDPR regulation applies to you if your site serves EU citizens, regardless of the DC you're using.

  9. Sam Valiant, May 21, 2018 / 11:37

    Heya, where can I find the relevant privacy policy for SiteGround for me to link to?

    • Hristo Pandjarov (SiteGround Team), May 22, 2018 / 00:48

      Our Privacy Policy will be updated shortly (most probably today) and you will receive an email with a link to the appropriate document.

  10. Crismer, May 22, 2018 / 04:35

    Thanks so much for the update information.

  11. Frances Dahlenburg, May 23, 2018 / 10:42

    I cannot find any contract concerning the data processing. When will you provide it or where can I find it?

  12. Davide, May 24, 2018 / 09:18

    Hi,

    There is one thing I don't understand. Where is it written what kind of cookies SiteGround uses on our website, and how it uses IP data and so on?

    Stuff, I suppose, that we have to write and detail inside our Privacy Policy?

    Thanks,
    Davide

  13. Myra, May 29, 2018 / 18:12

    Quick question, and maybe I'm missing it in the Privacy Policy but the IP addresses being collected by SG from the hosted websites that are shown in the visitor stats, are those your responsibility or the website owner?

    • Angelina Micheva (SiteGround Team), May 31, 2018 / 07:21

      Hi Myra,

      The data shown in the visitor stats section is only available to the account owner, and it is a feature required by the majority of our clients. The stats are aggregated information. The section does not include data that would help you identify a person via the information presented in the stats. Yes, some of the stats do contain IP addresses; however, IP addresses in the hands of website operators can qualify as personal data only if the relevant individual provides additional details to the website operator (e.g., name, email address, etc.) and the IP address is correlated with these additional details. The stats do not collect such additional details, and they only store records for top visitors, which are dynamic information that changes daily, with the previous data overwritten.

      Regards,
      Angelina

  14. Katharina, May 30, 2018 / 10:38

    Hi,

    I have found the data processing agreement but no way to sign it which is, as far as I understand it, required by the GDPR. Will there be a solution with HelloSign or sth similar like it's offered by other providers?

    Thanks.

    • Marina Yordanova (SiteGround Team), June 1, 2018 / 03:58

      Hello Katharina, the Data Processing Agreement comes into effect immediately and it doesn't require any additional steps on your end.
      You can use it as a reference where needed and explain that as a SiteGround customer you are compliant.

      Regards!

  15. Andrey, September 8, 2018 / 19:25

    Hi,

    How do I transfer a domain name from Siteground to another registrar, if my administrative email does not appear in whois data?
    Email, to confirm the transfer, from the new registrar, comes to the email address displayed in whois data, but my email address is hidden due to the GDPR.
    How do I receive an email from a new registrar to confirm the transfer of the domain name?

    Thanks!

    • Hristo Pandjarov (SiteGround Team), September 9, 2018 / 23:53

      In that case you must have some sort of ID protection with your current registrar. You should check with them how to proceed with the transfer; some forward emails towards your admin "fake" one, others require you to disable it for the transfer.

  16. Jason, September 27, 2018 / 12:44

    I have been a SiteGround customer for years and we are getting hammered with GDPR concerns from our clients. I have a couple of clients requesting to see a copy of the SOC certificates and asking if our hosting provider is SOC 1 or SOC 2 compliant. Unfortunately, when I speak to SiteGround they point me to the data center vendor, and the data center vendor says that SiteGround has to get that for me. What is the right process for getting SOC documentation on our hosting environments for growing GDPR concerns?

    • Hristo Pandjarov (SiteGround Team), September 28, 2018 / 00:31

      Hey Jason, please send a quick mail to compliance [at] siteground.com and we will get back to you with answers to your questions.
