Looking For a GDPR Compliant Hosting? Forget It! (Practical Thoughts)


Using GDPR-compliant hosting is part of your business safety strategy as far as GDPR is concerned. But you can forget it. Well, almost.

Intro

This first paragraph of my post was meant to draw your attention. But it’s actually a true statement. And it’s as ambiguous as the whole GDPR text, which runs to 260 pages.

In many ways GDPR may look like nonsense and an unreasonable headache for you as a website owner. But you still need to consider GDPR and be ready to take some practical steps to avoid possible problems with government authorities.

In this article I will cover the aspects of dealing with your hosting so that you don’t break GDPR’s requirements. Otherwise you risk a fine of up to 4% of your annual turnover or an insane 20 million euros, whichever is higher.

This article is not legal advice and I’m not a lawyer. I’m a website owner who analyzes what GDPR brings to folks like me from a practical point of view.

Please note that this article is NOT about how to make your website GDPR-compliant, although it contains some valuable information on that topic too. This post is mainly about your relationship with your hosting in conjunction with GDPR.

Do you need to be concerned about GDPR when using a hosting?

The answer is both Yes and (partially) No.

Let’s talk about “Yes” in this chapter (brace yourself, this is tough).

And for “No, you don’t need to bother” see the section here.

In very simple words, GDPR for you as a website owner means that you need to do the following:

  1. You need to inform your visitors from the European Union and obtain their permission to process their personal data, and tell them how and why you do it. And you need to do this in clear and plain language.
     
    Here are some examples for a very simple website when this applies to you (the list below is not complete):

    • You have an email subscription form (and you collect emails, names etc);
    • Your website has a comment section (and thus visitors leave their names, email addresses, website URLs, comments etc);
    • Even if you think you don’t collect any data, there may be plugins that do it (for example, plugins recording your visitors’ IPs or cookie data).
    • And there’s one more thing – there are logs stored on your hosting which contain personal data such as the IPs of your visitors. Yes, you may be unaware of it, but it is so. If you have a website, then you do collect personal data of your visitors even if you don’t want to or are not aware of it. And this data is stored on your hosting.

    Thus, GDPR actually affects any website owner if there are visitors from EU (a “data subject” residing in EU).

    [Image: GDPR compliant host - collecting personal data]

  2. You need to be able to provide any person from the EU with the personal information you have collected about them.
     
    According to GDPR, in case of such requests, you need to let the visitors know what comments they left, whether they are subscribed to any mailing list on your website, and whatever other information you have about them, including information that you are probably not aware of.

    For example, this also covers the server logs (or parts of them) which include your visitors’ IPs. Also consider that IPs may not be static (one address) but dynamic (multiple addresses). And don’t forget to extract such personal data from your website backups. And extract the data from the server logs. How does that sound?

    It sounds ridiculous. But as they say, the law is the law.

    [Image: GDPR host - what is personal data]

  3. You have to delete the personal information if the visitor requests this.
     
    Deleting their comments and removing the visitors from subscription lists seem feasible. But what about deleting the IPs from the server logs stored on your hosting? What if a user has dynamic IPs? And don’t forget that the server logs are also stored in all the backups.
     
    You will have to do all of that.

    [Image: GDPR host - the right to be forgotten]

  4. You need to let your users know that there was a data breach.
     
    For example, your website was hacked, or your hosting was hacked. Considering that personal information includes the IP addresses of your visitors, in case of a data breach you need to inform all your visitors (who have ever visited your website and left cookies or their IPs in the server logs) about the incident. It may be a huge number of people that you probably can’t even contact (but have to anyway!).
     
    [Image: GDPR host - data breach]

    Yes, it sounds unbelievable. But this is what GDPR’s requirements are saying right now. Again, in a corner of my soul I hope that the EU authorities will amend GDPR’s current atomic bomb-like requirements. Otherwise the Internet community faces an excessive headache.
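Items 2 and 3 above both come down to the same practical problem: finding one visitor’s entries in the access logs your host keeps, and getting the IPs out of those logs so they stop being personal data in the first place. The script below is an added example written for this article, not code from the original post or from any hosting provider. It works on a few constructed lines in the common/combined log format, accepts several addresses for one person (since dynamic addressing means one visitor may appear under many IPs), and rewrites the client field either by truncating the address to its network (the technique analytics tools use for IP anonymization) or, if you pass a secret key, by replacing it with a keyed hash so the same visitor stays linkable for abuse analysis without the address being recoverable. The key `b"rotate-me"` is a placeholder; in practice it would come from a secret store. Note that it only covers the live log files; the backups the article mentions still have to be handled separately.

```python
"""Locate a data subject's entries in web server access logs and anonymize the logs."""
import hashlib
import hmac
import ipaddress
import re

# Constructed sample access log (common/combined format); these are documentation
# addresses (RFC 5737 / RFC 3849), not real visitors.
SAMPLE_LOG = """\
203.0.113.42 - - [10/May/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2018:13:55:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.42 - - [10/May/2018:13:56:01 +0000] "GET /about/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
2001:db8::1 - - [10/May/2018:13:57:12 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "curl/7.58"
- - - [10/May/2018:13:58:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "-"
"""

# The first whitespace-delimited field of the common/combined format is the client address.
_FIRST_FIELD = re.compile(r"^(\S+)(\s.*)$")


def parse_client_ip(line):
    """Return the client address of a log line as an ipaddress object, or None
    if the first field is missing or is not a valid IPv4/IPv6 address."""
    match = _FIRST_FIELD.match(line)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def find_subject_entries(log_text, subject_ips):
    """Lines recorded for any of the addresses a data subject reports.
    Several addresses are accepted because a visitor on a dynamic connection
    shows up under more than one IP over time."""
    wanted = {ipaddress.ip_address(ip) for ip in subject_ips}
    return [line for line in log_text.splitlines() if parse_client_ip(line) in wanted]


def truncate_ip(ip, v4_prefix=24, v6_prefix=48):
    """Zero the host bits so the stored value names a network, not a device."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize_ip(ip, key):
    """Keyed hash (HMAC-SHA256, first 16 hex chars) of the address. The same
    visitor maps to the same token, but without the key the address cannot be
    recovered; rotating the key breaks linkability across periods."""
    digest = hmac.new(key, str(ipaddress.ip_address(ip)).encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def anonymize_log(log_text, key=None):
    """Rewrite the client field of every line. With a key, substitute a keyed
    pseudonym; without one, truncate the address. Lines whose first field is not
    a valid IP (e.g. '-') pass through unchanged."""
    out = []
    for line in log_text.splitlines():
        addr = parse_client_ip(line)
        if addr is None:
            out.append(line)
            continue
        rest = _FIRST_FIELD.match(line).group(2)
        replacement = pseudonymize_ip(addr, key) if key else truncate_ip(addr)
        out.append(replacement + rest)
    return "\n".join(out) + ("\n" if log_text.endswith("\n") else "")


if __name__ == "__main__":
    # Access request: which lines belong to a visitor who reports two addresses?
    for entry in find_subject_entries(SAMPLE_LOG, ["203.0.113.42", "2001:db8::1"]):
        print(entry)
    # Data minimization: the same log with addresses truncated, then pseudonymized.
    print(anonymize_log(SAMPLE_LOG))
    print(anonymize_log(SAMPLE_LOG, key=b"rotate-me"))  # placeholder key
```

Run on a real log, truncation is the simpler choice when you never need to correlate a visitor’s requests again; the keyed variant keeps rate-limiting and abuse investigation possible while still removing the raw address. Either way, once the logs are rewritten, an erasure request for a given IP finds nothing left to delete in them.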

Hosts and the right to be forgotten (a simple scenario)

For example, assume the following scenario in which a visitor wants to be “forgotten”.

A visitor of your website (an EU citizen) sends you a request that you should delete all his/her personal information. Then according to GDPR’s requirements you must delete all the personal data from your website within certain time limits. You must also delete it from all the backups on your computer, cloud storage, etc.

You also contact your hosting that they should delete the personal information in question. Here the real fun part starts.

Your hosting can’t delete just the personal information of the person in question. Neither can you. You and your hosting can simply erase all the data which contains the personal information.

It’s not just backups that your hosting will delete. It’s also your website’s data and other account-related data including logs, because your account’s data may contain the personal information in question. Your emails will also be deleted as they may contain the business correspondence with the person.

[Image: GDPR host - the right to be forgotten]

In other words, if you can’t delete the personal information in question, then say goodbye to your hosting. Actually, to any hosting. Because no hosting will explicitly want to host your data if there’s a chance that it may contain personal data that should be deleted. No hosting wants to be fined up to 20 million euros (or 4% of yearly turnover, whichever is higher).

And by the way, if you think you somehow delete all the personal information on request, how can that be proved to the authorities or to your client (visitor)?

There are lots of such detailed questions which GDPR does not answer. And even lawyers and legal consultants don’t really know for sure how it will work out.

It may sound absolutely crazy, but this is how it currently is according to GDPR’s requirements.

Can you avoid dealing with GDPR at all?

I’ve heard the opinion that if your audience is not supposed to be in the European Union, then you can block all visitors from the EU to avoid the headache.

My thought on this is that it will not solve the problem for you in a strategic way. Yes, you can block the traffic from EU countries (e.g. using a security product such as a web application firewall).

But you can’t block EU citizens if they are visiting your website while in other countries or using a web proxy or VPN.

[Image: GDPR host - blocking EU visitors]

So, I’d say that there’s no way to completely eliminate chances of facing GDPR issues.

Why you may forget about GDPR when dealing with your hosting

Now here’s the good part that I promised in the beginning. Well, it’s the good part to some extent at least.

Although this article is not legal advice, there are reasonable thoughts from a practical point of view. My point of view, okay?

I hope that GDPR’s requirements will develop to apply realistically to small businesses and individual website owners. Otherwise small businesses and website owners will have to operate in a legally “grey” area.

By a “legally grey” area I mean that there is the law and there is real life, which sometimes may go under the law’s radar. It’s a sort of presenting (i.e. pretending) that you play strictly by the rules. I know that it may sound unacceptable to many people (especially those who are not very experienced in doing business). But if the law itself and the way it’s pushed contradict common sense and can’t be realistically followed, then there’s actually no choice.

Moreover, consider the fact that GDPR requirements themselves have lots of grey areas. Looks like the authorities behind GDPR cried like a baby “We want it ALL and we want it NOW!” And no matter whether it can be realistically achieved or not.

Again, I’m not encouraging you to break the law. I just share my thoughts.

[Image: GDPR host - under radars in grey area]

By the way, although in this article I focus on individual website owners and small businesses, medium and large companies are actually in the same boat. And the bigger the company, the more risk it has dealing with GDPR.

Where is the good part? – you may ask. The good part is that if too many businesses and website owners can’t follow the law to the full extent objectively, then the practice of enforcing the law is very likely to be not systematic. This means that even if you don’t follow the law completely, there are big chances that you stay unnoticed.

Yes, I hear your disgruntled exclamations. Yes, I know that it contradicts the way of life that many people think it should be. But this is the different approach to living in a business reality which more and more people who have websites will have to face.

However, I hope that the EU will amend GDPR’s requirements so that website owners will be able to follow them easily. “Easily” means without hiring consultants, adding expensive technical solutions to comply with GDPR’s requirements and spending too much time and money trying to comply with GDPR. Time and money which could be better invested into business development.

Anyway, it’s time for us (website owners) to adapt to the new reality.

Okay, I’m not going deeper in politics and legislation trends here.

From the practical perspective of your relationship with your hosting, here are a couple of very important things to keep in mind:

  1. Your host does NOT want to have GDPR problems (otherwise there are huge penalties).
  2. Your GDPR-compliant hosting does not automatically mean that your website is GDPR-compliant.
  3. Your host is responsible in terms of GDPR to its clients (including you). Whereas you are responsible in terms of GDPR to your clients (visitors).
  4. Using a GDPR-compliant host lowers but does not eliminate your chances of having GDPR issues.

That said, a hosting is likely to simply get rid of your data if it appears that your data may be the source of these problems. Also, in some cases a host may want to charge you for the work implied (e.g. for providing you with the info you requested).

That’s why you’d better deal with a professional host that keeps clear communication with you regarding GDPR. It will assist you as much as possible and will not do unexpected things (e.g. removing your data without letting you know) out of fear of GDPR penalties.

Thus, what you can do is use a professional host which is great in client communication. Then you have a good partner in avoiding GDPR issues in case they come close. By the way, I recommend these hosts (and this one above all considering GDPR). And whatever happens, a host with good ethics and clear communication will do as much as possible to take care of its client (i.e. you).

P.S. and a side note

GDPR’s requirements in their current state may look like a step towards a right direction (more privacy for you as a person, more control on your personal data etc).

But the way it’s turning out, GDPR may end up transforming the Internet in a reverse or unexpected way.

Besides, from a bit different perspective, GDPR’s requirements look like episodes of the war between national/federal governments on the one side with corporations and network community which are international by their nature on the other side. But this is a topic of a completely different article. So, I stop here.

The bottom line is simple:

Partnering with a reliable and professional host is a good strategy for you as a website owner to face GDPR’s requirements. The host should be reliable not just on the technical side. It should also pay due attention to the legal side of business to stay alive in the long term.

And of course, it’s very important that the host has great client communication, so that you and your host can be on one team, standing up to the havoc caused by GDPR.

Relying on a highly professional host makes even more sense now.


Comments

  1. Very funny and helpful summary of practical problems of complying and running GDPR. Loved the pictures

    • Thanks Alex for your feedback.
      I try to avoid writing about legal stuff on my website since this is not among my favorite fields of interest. But GDPR hit the whole Internet community like a hammer. It has caused and will be causing lots of energy to be wasted not only by bigger companies who are the main target of the GDPR, but also by small businesses and even non-commercial blog owners. Shame on the EU authorities for being so unthoughtful.
      I had more aggressive images and text in the draft, but let my emotions calm down and released a more balanced version of the article. Although it’s known that irony and satire are the forms of aggression 😉

  2. Amazon Coupons US says:

    Great post, Very Funny Post.

  3. Thanks for your article, Michael. I didn’t think about hosting concerning GDPR complaints. You have represented its significance and what to do to stay away from GDPR complaints. Good image depictions.

  4. I did come across many articles about GDPR. But rare to see about hosting when we think about GDPR.
    Thanks for sharing such article making us aware of hosting to stand away from GDPR complaints. Funny images speak a lot.

  5. Funny post) GDPR can create some issues. But popular CMS have free GDPR plugins.

    • Hey Elena,
      The plugins that make their attempts to assist with complying with GDPR may be great helpers. But they are not enough to resolve the issues that GDPR may cause.
      For example, no plugin can get into your backups and get a downloadable piece of data (or delete the data from the backups) for your EU visitors who request this.

  6. GDPR is built to shift the control of that data back to the people. A perfect example, is the “right to erasure.” There are conditions, but if you read through them, they’re all pretty reasonable.

    • Yes, Karan, you are right, partly. But the way it is right now GDPR means that the most of the web is not GDPR compliant in practice and can be destroyed with the fines. Thus, the web just has no other option rather than going under law radars.
