Impact of GDPR on Web Hosting Business

1. GDPR: Quick Overview

GDPR is a regulation that gives EU residents/users more control over how their personal data is used and processed by organizations throughout the world. It provides EU residents/users with rights such as the right to be forgotten and the right to request that their data be transferred between companies. GDPR has applied in all EU member states since 25th May 2018. It came into force on 24 May 2016 after all EU parts agreed to the final text. Businesses and organizations were given 2 years before the law applied to them.

The drivers behind the GDPR were twofold. First, the EU wanted to give people more control over how their personal data is being used. Second, every EU member state had its own data directives, which was difficult and expensive for businesses operating in a single market, so the EU wanted to give businesses a simpler and clearer legal environment in which to operate throughout the single market.

GDPR will impact all organisations within the EU. It places obligations on both controllers and processors of data, whether within or outside the EU, as long as they process EU residents' data. The penalty for non-compliance is €20 million or 4% of the global annual turnover, whichever is greater.

2. Hosting Companies are Processors

Two key roles are identified:

– The “Controller” of Personal Data: the entity which determines the purposes and means of the processing of personal data.

– The “Processor” of Personal Data: the entity which processes personal data on behalf of the controller. Examples of processing: storage, recording, organization or retrieval.

Traditionally, businesses tend to think of outsourced marketing companies, HR consultants or payroll providers as the kind of third parties considered data processors. In reality, a data processor is any third party that processes data on behalf of the data controller. In an increasingly digital world, that means hosting providers, cloud service providers, software providers (SaaS), etc. It also means that any software developers, web developers or app developers who provide a platform which includes the processing of personal data for their clients are caught within the definition of data processors if they’re facilitating the hosting.

Exactly what this means will really depend on each business and the services they provide, but essentially if your business provides a service that allows the processing of personal data for your clients then you are a data processor and these new GDPR rules apply to your business.

3. What is Personal Data?

‘Personal data’ means any information relating to an identified or identifiable natural person (known as a ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

– Article 4 EU GDPR

4. Will Hosting Cost more after GDPR?

We may see an increase in the cost of hosting because of the additional administration necessary to deal with the regulations for each customer deployment, which will increase the cost of doing business for some hosting businesses. There might be a further increase in cost for some hosting companies because, under the GDPR, some organizations are obliged to appoint a data protection officer (DPO).

5. New Compliance Obligations

GDPR also mandates that firms have policies and procedures in place to ensure the security of that data. Further, firms must conduct privacy impact assessments to validate that security and privacy are being maintained.

The regulations also require firms to be able to provide detailed records of any data activities associated with EU users.

For hosting and MSP firms, this places an unavoidable burden of creating policies and processes to ensure data security and integrity. Technical safeguards such as encryption, end-point security and pseudonymization would need to be implemented.

GDPR also places the additional burden of ensuring that the vendors of these firms are compliant.

Web hosting businesses need to address GDPR compliance, making sure all loopholes are covered. GDPR compliance will also mean more business in the European Union and will save the company from the hefty fine of €20 million, which could very well be the end for most hosting businesses.



More articles by Shahbaz Kazi (Lead Business Analyst, Product Owner, Project/Programme/Portfolio Delivery Consultant)
