We are receiving more and more inquiries from clients asking if SiteGround will be GDPR-compliant. With this blog post, we would like to explain what we have been doing and share our experience with becoming GDPR-compliant, both as a way to inform you what you can expect from us in the next month, before May 25, 2018, and as a way to help you prepare for the GDPR yourselves.
The use of our personal data by big companies is indisputably the hottest topic right now, and we don’t think anyone doubts the importance of regulations that prevent abuse and enhance the security of that data. The European General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, aims to do exactly that: regulate how the personal data of individuals in EU territory is collected and used. It defines personal data very broadly (name, email, username, address, phone number, financial data, age, behavioural data and more) and obliges everyone who collects and processes such data of EU individuals, no matter where that company or person is located in the world, to act in accordance with the regulation.
SiteGround started the process of becoming GDPR-compliant about a year ago, and we wholeheartedly look forward to it being enforced. We believe the GDPR is good for users and good for the overall security of the Internet, and we have always acted in line with its main principles. Now our goal is to audit and make public these internal rules, and also to make sure we apply the letter and the spirit of the GDPR to all our clients, whether you are an EU resident or a resident of another country.
GDPR Helps Users Stay Informed and Gives Them Control
The Hard Bureaucracy Around the GDPR
SiteGround Getting Ready for the GDPR
Under the GDPR, a hosting company like SiteGround has two responsibilities: to protect the personal data we collect from our clients upon sign-up (name, email, address, password, billing data), and to protect the data our clients collect from their own clients and host on our servers while using our services. For the first, we have to guarantee that we collect, store and work with our clients’ data in a legitimate way and that our clients are informed exactly how we do that. For the second, we have to provide sufficient guarantees and full transparency, as a processor, about the way we store the data our clients host on our servers on behalf of their clients.
Even though SiteGround has always been acting in accordance with the principles of the GDPR, there is still work to tidy up the processes we follow and comply with the letter and spirit of the law. So here is a list of the major things we are going through and why they matter.
2. Standard Contractual Clauses and EU-US and Swiss-US Privacy Shield certification
SiteGround is a group of companies, all of which are based in the EU with the exception of our US entity. Because of how our standard operations are organized, EU clients’ data may also be transferred to and processed by our US entity, for example when you choose to host your site in our US data centers. In accordance with the GDPR, we need to ensure that our US entity offers the same level of protection for EU clients’ data as the GDPR guarantees, even though that entity is subject to US jurisdiction. We regulate this through Standard Contractual Clauses*, which will be included in all contracts between our entities to guarantee that the transfer of data complies with the GDPR requirements.
Additionally, we are working on a certification under the EU-US and Swiss-US Privacy Shield with the Department of Commerce, attesting that we adhere to the Privacy Shield Principles regarding the collection, use, and retention of personal information from European Union member countries and Switzerland, respectively, so that we can lawfully host EU clients’ data on our US servers when needed. We are pursuing it as a second-tier compliance mechanism alongside the Standard Contractual Clauses.
*The Standard Contractual Clauses are standard terms provided by the European Commission that can be used to transfer data outside the European Economic Area in a compliant manner.
3. Create annexes to contracts with external providers
Some of the services we sell are provided by external partners: domain registrars like Tucows and Open Provider, GlobalSign for SSL certificates, Cloudflare for CDN, and others. They need the client’s data in order to deliver the service.
We are making sure that our partners adhere to the same data protection obligations and responsibilities for your data that we do. We do this by adding annexes to our contracts with these providers in which we define their responsibilities under the GDPR.
4. Internal procedures and access-control enhancements
Given that we have spent 14 years in one of the most security-sensitive businesses there is, all our operations are designed around the “security and privacy by default” and least privilege principles. In line with the GDPR, we are auditing and enhancing our security levels and adding new procedures where the new regulation requires them. For example, we are strengthening our personnel background checks and extending our confidentiality agreements. We are extending our security and incident management procedures with new ones that match the breach response requirements of the GDPR. Another new procedure we have introduced is working only with partners that are GDPR-compliant.
5. Prepare a new data processing agreement
Many of our clients work with the personal data of their own clients: they take orders, collect emails through sign-up forms, process credit cards, and more. The client controls the data and how it is collected and used, but SiteGround stores it on our servers and hence takes part in its processing. The new data processing agreement will restrict our processing of that data to the purposes of delivering the hosting service and resolving technical inquiries, with no secondary uses, which has always been the case. By providing the agreement to our customers, we guarantee that we are a trusted partner, committed to the principles of transparency, and that we adequately meet our obligations under the GDPR.
6. Right to be forgotten
Under the GDPR every client can request “to be forgotten”, meaning all their data has to be deleted and never used again, except in certain circumstances, which may include having to keep processing your personal information to comply with a legal obligation. An example of such an obligation is the requirement to keep a copy of all invoices to comply with financial and tax legislation. We are now developing functionality that allows our clients to delete their profiles after all services have been deactivated.
7. Right of access, update, portability and withdrawal of consent
8. Assign Data Privacy Officer
The GDPR says we need to assign a Data Privacy Officer to make sure we are compliant with the regulation and to handle complaints. We are assigning a DPO and training a small team of people who will be able to assist with inquiries and data protection issues.
Where are We Now?
All of the above and more are on their way. Some of the items are ready, while others are still work in progress. As we are not in the habit of doing things by halves, we have not released any of them yet, but we will do so before May 25, 2018.