GDPR: A Shared Responsibility for Data Security

We recently posted about the upcoming GDPR, which applies from 25 May 2018. In that post we outlined more broadly what the GDPR is, and touched on one of the concepts it introduces: the shared responsibility for data security. In this post we expand on that shared responsibility and, more specifically, outline our responsibilities as your web host and the measures we have in place to keep your data secure.

Data Controller & Data Processor

The GDPR distinguishes between data controllers and data processors. The controller determines the purposes and means of processing personal data (what is collected, and why). The processor processes, stores or has access to that personal data on the controller's behalf, but does not control or own it.

"Processing" can mean many things under the GDPR, but this article focuses on our role as a web host. In essence: if you host your website with Kualo and collect personal data from EU residents, you are the data controller, and we, as the web host running the servers that store that data, are a data processor.

It is important to note that there may be other data processors involved beyond Kualo. For example, if you share any of the data you collect with other entities (e.g. bulk email providers, remotely hosted live chat providers, CRM systems, delivery/courier companies) or if you contract another company to collect data on your behalf (for example, a telephone call centre that handles your inbound calls), these are all also data processors.
As data controller, you own the data, and data processors are any entities who store or who have access to that data, but which don't own it.
GDPR stipulates that both data controllers and data processors have duties with regard to customers, supervisory authorities and more. This is what we mean by a 'shared responsibility for data security'.
The Obligations of a Data Processor

The general obligations of a data processor are set out in Article 28 of the GDPR. The first paragraph (Article 28.1) is aimed mainly at the data controller: it places the onus on the controller to use only processors that provide sufficient guarantees of GDPR compliance. But what are the obligations of a data processor?

As a data processor, we are obligated to:

- Ensure that our processing activities are governed by a legal contract, which must include the stipulations set out in Article 28.3.
- Only act on the written instructions of the data controller (Article 29).
- Co-operate with supervisory authorities (such as the Information Commissioner's Office) in accordance with Article 31.
- Ensure the security of its processing in accordance with Article 32.
- Notify any personal data breaches to the controller in accordance with Article 33.
- Provide notice to the controller of the intended use of any new sub-processor (Article 28.2)
- If a sub-processor is used, ensure that it is also GDPR compliant (Article 28.4)
So how do we comply with this?
Legal Contract

When you enter into any services with Kualo, you agree to our terms of service. We have been working to update these terms, and in the coming weeks we will announce a revised version that includes all of the clauses required of a data processor under the GDPR.

Acting on your Written Instructions

The data you store with us is yours. We will never misuse that data or pass it to a third party without your express permission. We will not delete your data so long as your contract with us remains in place (at the end of your contract, or upon termination due to non-payment, we reserve our contractual right to delete your data).

Co-operate with a Supervisory Authority

We may be asked to co-operate with a supervisory authority such as the ICO, and we are obligated to do so.

Ensure the Security of our Processing

Article 32 requires measures appropriate to the risk to protect the confidentiality, integrity, availability and resilience of processing. We already take a number of such measures to protect your data, and we will continue to do so.
- Our datacentres are designed for high availability throughout, with power, networking and cooling systems incorporating multiple levels of redundancy. Physical security includes 24/7 on-site security staff, access control systems including iris scanning, CCTV, motion detection, fire suppression systems and much more.
- We apply best-practice server hardening at server setup and on an ongoing basis. Our shared servers all use a secure caged file system, so that one customer's account cannot see another's files, and sit behind multiple firewall layers; we also have network-wide DDoS protection.
- SSL/TLS encryption is implemented on all of our servers to encrypt communication to and from the server via web, email and FTP access. We issue free SSL certificates to all customers, though it remains the responsibility of the customer to ensure that these are used on their website or application (again, security is a shared responsibility - we cannot force you to use encryption, but we can make it available for you to use).
- Maintaining excellent uptime is what our business depends on, and so much of our energy is directed at ensuring that our service is extremely reliable, and we aim to provide 100% uptime. We guarantee 99.9% uptime per calendar month on all managed services, or 100% uptime on Enterprise Hosting contracts.
- Access to data stored on our servers is limited to those technical staff who require it for their job function. Staff who do not need server access to perform their role do not have access to your data. All staff with access are subject to our internal data protection policy and are committed to protecting your data.
- We take backups of all of our shared servers as standard, and those backups are available to you via your control panel. For customers with their own virtual or dedicated server, we take backups where this is part of your contract with us. Note that Article 32 places the duty to be able to restore availability of personal data on the data controller as well as the processor, so we continue to recommend that customers implement their own backup processes: no backup can be guaranteed to be error free.
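The TLS point above is the one item on this list where the action sits with the customer: a certificate issued to the account is useless if the site still answers over plain HTTP. The following `.htaccess` is an added example, not Kualo's own configuration; it assumes an Apache host with mod_rewrite and mod_headers enabled, as is typical of cPanel hosting, and that certificate validation files are served from `/.well-known/`.

```apache
# .htaccess in the site's document root.
# Added example (not Kualo's configuration); assumes Apache with
# mod_rewrite and mod_headers available, as on a typical cPanel host.

RewriteEngine On

# Send every plain-HTTP request to the same URL over HTTPS.
# /.well-known/ is left alone so that HTTP-based certificate
# validation (e.g. AutoSSL or ACME challenges) keeps working.
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/\.well-known/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# HSTS: tell browsers to use HTTPS for this host on future visits.
# Only sent on HTTPS responses, as the standard requires.
# Start with a short max-age; raise it (e.g. to 31536000) only once
# every host and subdomain you serve is confirmed to work over TLS,
# because browsers will refuse plain HTTP for the whole period.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=300" env=HTTPS
</IfModule>
```

After deploying, check from outside the server that `http://` requests return a 301 to the `https://` URL and that the HTTPS response carries the `Strict-Transport-Security` header; if a visible-only-over-HTTP login or admin form remains, it still leaks credentials regardless of the certificate.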
Notifying you of Personal Data Breaches

If we become aware of a personal data breach affecting the data you store with us, we will inform you via our helpdesk so that you can take action accordingly (including, where required under Article 33, your own notification to the supervisory authority).

Sub-processors

As part of our contract with you it may be necessary for us to engage sub-processors. For example, we must engage a sub-processor to register a domain name or issue an SSL certificate. Similarly, it may be necessary to give another entity access to our servers, for example technicians at cPanel, Inc., so that they can resolve issues with their control panel software as installed on our server. We will only engage sub-processors who are GDPR compliant, and our terms of service will therefore include a clause giving us a general written authorisation (Article 28.2) to use GDPR-compliant sub-processors, who are bound by the same data protection obligations that apply to us.

One notable example of the GDPR in practice is the change coming to domain registrations and the WHOIS database. From 25 May, personal data will be redacted from public WHOIS results for domains registered by EU residents, meaning an end to the scourge of spam emails and calls that follows registering a domain name. Win!

Are you also a "Data Processor"?

If you are using one of our reseller plans and providing hosting space to your end users, or even if you are a web developer who has purchased a standard hosting plan for one of your clients, you are also a data processor, and we are a sub-processor for that data. If the websites you have created or the hosting plans you sell are used to collect personal data about EU residents, you should also ensure that you meet all of the legal obligations of a data processor.
This will involve ensuring that your terms of service are adjusted to incorporate all of the provisions required of a data processor by the GDPR, along with a general understanding of your obligations as outlined above.
If you are in any doubt, we recommend that you seek legal advice to ensure that you can also meet full GDPR compliance by the 25 May 2018 deadline.