GDPR-Compliant Hosting: Do's and Don'ts

Nils Knäpper 1/18/2023

Operating your website in compliance with GDPR is more important than ever nowadays - we will show you what you need to pay attention to.

Better safe than sorry – this principle applies to you as a website operator more than ever. And not just with regard to your own business data, but also your customers' data. As soon as visitors click on your website, the subject of data protection comes to the fore. As an admin, you are responsible for ensuring that personal data is handled safely and appropriately in accordance with the General Data Protection Regulation (GDPR). What sounds complex at first can fortunately be simplified, because there are now numerous tools and software products that make your life easier. Below, we show you which ones they are and how you can operate your hosting in compliance with the GDPR.

Please note, however, that this article cannot replace legal advice and that individual aspects can change over time. Therefore, this article serves as a thematic overview, so that you can subsequently get more detailed information. If you are unsure whether your hosting is GDPR-compliant, it is best to contact appropriately specialized lawyers.

5 Questions about the GDPR

Before we go into more detail on how to legally secure your website, let's first clarify a few important introductory questions about the GDPR:

What is the GDPR?

The GDPR (General Data Protection Regulation) is an EU regulation that came into effect on 25 May 2018. It regulates the protection of personal data in the European Union and replaces the previous EU Data Protection Directive. The GDPR serves the purpose of protecting the rights and freedoms of natural persons in relation to the processing of their personal data. It stipulates who is responsible for the protection of this data, what obligations he or she has, and what penalties are threatened in case of violations. An important part of the GDPR is the right to information, erasure, rectification and data portability:

  • The right to information means that your users have the right to obtain information on whether you are processing personal data and, if so, what data this is and for what purposes the processing takes place.

  • The right to erasure (also known as "right to be forgotten") means that users have the right to request the erasure of their personal data if certain conditions are met. This is the case, for example, when the data are no longer necessary for the purposes for which they were collected.

  • The right to rectification means that your users have the right to request the rectification of incorrect personal data.

  • The right to data portability means that your users have the right to receive their personal data in a structured, common and machine-readable format. They can then transfer these data to other controllers or request that these be transferred by you.

Who does the GDPR apply to?

The General Data Protection Regulation (GDPR) applies to all companies and organisations that collect, process or use personal data within the European Union, regardless of whether they are based inside or outside the EU.

  • Companies and organisations based within the EU are always subject to the GDPR.

  • Companies and organisations headquartered outside the EU are subject to the GDPR if they collect, process or use personal data of natural persons residing in the EU and either have a branch within the EU or specifically offer their services to persons in the EU.

This means that companies located around the world doing business within the EU will come under the GDPR and are therefore obliged to observe EU data protection laws.

Where does the GDPR apply?

The GDPR has direct effect in all EU member states and means that member states do not need to pass national laws to implement the requirements of the GDPR. However, member states can supplement their own regulations if this provides a higher standard of data protection.

It is important to note that the GDPR applies not only to companies and organisations in the EU, but also to companies and organisations outside the EU that collect, process or use personal data of EU citizens.

Furthermore, it is irrelevant where the actual processing of data takes place. If, for example, you collect data in the EU but have it processed on a server in a third country like the USA, the guidelines of the GDPR still apply.

What is personal data?

According to the General Data Protection Regulation, personal data constitutes all information relating to an identified or identifiable natural person. This includes, for example, the name, address, telephone number, email address, details of age and gender, photos, IP address, location-based data, social security number, bank details, health data, data on the use of services and products, and other similar information. Data that have been replaced by pseudonymous information are also considered personal data if they can be associated with a specific person again using other data and methods.

Why is GDPR-compliant hosting important?

The reasons why GDPR-compliant hosting is important are simple: complying with the General Data Protection Regulation is mandatory throughout the EU. If you don't comply, you face hefty fines. Therefore, you should ensure that your website always complies with the latest regulations. This has the positive side effect that you are perceived by customers as a trustworthy provider. Another positive side effect: if you comply with the GDPR, you automatically document all relevant data that you need to hand over to the authorities in case of a data breach as part of your obligation to notify.

Requirements for GDPR-compliant web hosting

If you want to operate your website in compliance with the GDPR, pay attention to the following points:

Privacy Policy

That you act in a data protection compliant manner should be a matter of course on your website. But it is also important that you inform users via a privacy policy about what personal data you collect and how you process and protect it. In such a statement, your customers will find information about their rights and obligations. A privacy policy must be provided to visitors of your website in an easily understandable and transparent form before or at the time of data collection.

Your privacy policy should include the following information:

  • Your identity and contact details and possibly those of the data protection officers.

  • The purposes for which the personal data are processed.

  • The legal basis for processing.

  • Information about the recipients to whom the data may be disclosed.

  • The planned duration of storage of personal data or criteria for determining this duration.

  • The existence of a right to lodge a complaint with a supervisory authority.

  • Information about the processing of data in connection with the use of cookies and similar technologies.

You should ensure that the privacy policy is regularly reviewed so that it always complies with the applicable data protection laws.

In addition, you must create documents for the authorities that prove how you implement the GDPR measures. This also includes any contracts with sub-companies, technical and organizational measures. You can find more on this topic further down in the section “Emergency plan and 72-hour rule”.

Disclosure of data

Personal data may only be disclosed under certain conditions according to the GDPR. This is the case when:

  • The affected person has given their express consent to the disclosure of their data.

  • The processing is necessary for the performance of a contract in which the affected person is involved.

  • The processing is necessary for the fulfilment of a legal obligation to which you are subject as controller.

  • The processing is necessary to safeguard a legitimate interest of the controller or a third party, provided this does not conflict with the fundamental freedoms and rights of your users.

In addition, you should bear in mind that the disclosure of personal data is only permitted to countries that provide adequate protection for this information.

Encryption

Both encryption of data transfer and data storage are required for GDPR-compliant hosting.

  • Encryption of data transfer: To ensure that the data are protected during transmission over the Internet or other networks, you should use the protocols Transport Layer Security (TLS) or Secure Sockets Layer (SSL); SSL is the older, now-deprecated predecessor of TLS. These encrypt the data exchanged between your users and the server and prevent third parties from intercepting or altering the data.

  • Encryption of data storage: To ensure that the data are also protected on the servers, all personal data should be stored encrypted. This can be done by encryption at file or block level. Examples are encryption technologies such as Advanced Encryption Standard (AES) or RSA.

It is important to note that data encryption must be applied not only to the data themselves, but also to the backups, archiving, and when erasing data. You must also be able to document the encryption measures and present these to the responsible authorities if necessary.

Plugins & Third Party Widgets

Plugins are a popular way to visually and functionally enhance your website. WordPress in particular is known for offering thousands of extensions to you as an admin. You should also keep an eye on this from a GDPR perspective: not all plugin manufacturers comply with the guidelines of the General Data Protection Regulation – for example, when the provider is from a non-EU country. In such a case, you should not use the corresponding plugin for your site at all. The same applies to data processing by third parties: If they do not act in accordance with GDPR, your site is also deemed non-compliant.

Order processing

If you pass on personal data to processors, this is called order processing. The processors are obliged to process the data in accordance with your instructions and the applicable data protection laws. Examples of this are hosting data, conducting analyses or sending emails using a newsletter tool.

Emergency plan and the 72-hour rule

Unfortunately, even the best protection does not offer 100% protection against data breaches or attacks by hackers. If you detect such an incident, it is important to act quickly. Therefore, you should definitely determine in advance how you proceed, so that the affected persons can be informed immediately and the data leak can be fixed. Your emergency plan should contain measures to detect, report and manage potential data protection incidents, and regulate communication with the affected persons and the supervisory authorities.

Some of the most important components of an emergency plan within the scope of the GDPR are:

  • Identification of possible data protection incidents

  • Processes for reporting and investigating data protection incidents

  • Procedures for minimizing the impacts of a data protection incident

  • Communication procedures with affected persons and supervisory authorities

  • Training and sensitization of employees to data protection incidents

It is important to stress that your emergency plan should be updated regularly to ensure that it is always up to date and tailored to the current requirements and needs of your business. Also ensure that you adhere to the 72-hour rule of the GDPR:

The GDPR's 72-hour rule is a requirement that states that you must inform the supervisory authority within 72 hours of becoming aware of a data protection incident (e.g. a hacker attack or a loss of personal data). The notification must describe the nature of the incident, the affected persons, the affected data, and the measures taken to minimize the impact.

Imprint

The obligation to provide an imprint predates the introduction of the General Data Protection Regulation in 2018. Even so, it is an integral part of a legally compliant site. In the imprint, users find details about who is responsible for your website. The following information should generally be included:

  • Names and address of those responsible for the website or online offer.

  • Contact details such as telephone number, email address, and other means of contact.

  • For companies: the commercial register number as well as the value added tax identification number.

  • For registered clubs: the club register number and the address of the club register court.

  • For self-employed persons or traders: professional title, as well as the applicable supervisory authority.

  • If available: The names and address of the data protection officers.

  • For online shops: information on the obligation to provide information for distance contracts, such as on return rights or delivery conditions.

As always, inform yourself regularly about any legal changes so that your imprint always meets current requirements. Furthermore, it is important for you to note: The imprint should always be as easy to find as possible. Ideally, you should therefore include it in the footer of your homepage.

Tracking

Tracking your users' data is an essential way to draw conclusions about their behavior and to optimize your site. Nevertheless, you must also act in accordance with the GDPR here. For example, you should ask your visitors for their consent to collect this data when they enter the website. Make it clear what data you collect for what purpose and give the option to refuse the tracking of optional data. Tracking is a huge area in itself and would go beyond the scope of this article. Just be aware at this point how important the topic is and that you need to act with care and responsibility.

Tools for a GDPR-compliant web site

There are many helpful tools that can support you in implementing GDPR-compliant hosting. We briefly introduce you to two kinds and the most popular tools on OMR Reviews:

Data protection management software

As the title already suggests, data protection management software (DPMS) helps you implement data protection guidelines on your website. These tools comprise a range of features that allow you to protect and manage data. These include:

  • The automation of data protection processes, such as obtaining consents.

  • Tools for classifying and encrypting data.

  • Functions to monitor accesses to and changes to data.

  • Reporting functions that enable companies to comply with applicable data protection laws.

DPMS solutions can also be operated through a user interface and are designed so that both IT and non-IT departments can use them.

In Germany, there is the data protection management system as per BDSG, which describes companies that meet the requirements of the BDSG (Federal Data Protection Act) and supports the company in implementing the data protection requirements. Some of the most popular providers on OMR Reviews for these tools are:

Consent Management Software

A Consent Management Software or Platform (CMP) is a software solution that allows you to manage the consents of users for the use of cookies and other tracking technologies on your website. These tools can be part of one of the aforementioned data privacy management solutions, but there are also standalone consent management tools. CMPs give users the choice of which types of cookies they want to accept. You, on the other hand, can track these consents and adjust them if necessary. CMPs also help companies comply with applicable data protection laws. The most popular providers for users on OMR Reviews include:

Conclusion: Hosting in compliance with GDPR

If you operate a website, compliance with data protection regulations should be one of your biggest priorities. And not just because it provides your customers with a trustworthy business basis. Compliance with the GDPR is also important to avoid potential hefty fines. The right concept for data protection should therefore be part of your website planning from the start. Fortunately, this complex topic can be made somewhat simpler with the tools mentioned above. We wish you lots of success with GDPR-compliant hosting! By the way: In our other guide we show you how to create your newsletter in compliance with GDPR.

Nils Knäpper
Author

Nils is an SEO copywriter at OMR Reviews and, beyond that, a real content addict. Whether graphics, photo, video or audio: when it comes to digital media, Nils is always at the forefront. Before moving to OMR, he worked for almost 5 years as a content manager and creator at a real estate company, and he also has classical training as an advertising copywriter.
