How is SiteGround Getting Ready for the GDPR?

We are receiving more and more inquiries from clients asking if SiteGround will be GDPR-compliant. With this blog post, we would like to explain what we have been doing and share our experience with becoming GDPR-compliant, both as a way to inform you what you can expect from us in the next month, before May 25, 2018, and as a way to help you prepare for the GDPR yourselves.

The use of our personal data by big companies is indisputably the hottest topic right now and we don’t think anyone doubts the importance of regulations to prevent abuse and enhance the security of that data.

The European General Data Protection Regulation – GDPR, which will take effect on May 25, 2018 is aiming to do exactly that – regulate how personal data of individuals in EU territory gets collected and used. It defines what personal data is – being literally everything – name, email, username, address, phone number, financial data, age, behavioral data and more, and obliges everyone who collects and processes such data of EU individuals, no matter where that company or person is located around the world, to act in accordance with this regulation.

SiteGround started the process of becoming GDPR-compliant about a year ago and we wholeheartedly look forward to it being enforced. We believe the GDPR is good for users and good for the overall security of the Internet and we have always been acting in line with its main principles. Now our goal is to audit and make public these internal rules, and also make sure we apply the letter and the spirit of the GDPR to all our clients, no matter if you are an EU-resident or a resident of another country.

GDPR Helps Users Stay Informed and Gives Them Control

The GDPR is a really great thing when you look at it from the perspective of the users. When a user signs up for a free or paid service, for an app or else, and provides their personal data, the provider of the service has to notify them explicitly how their personal data will be used before they complete the registration.

Whether that use is for marketing and profiling, or if there is a possibility of the data to be subject of sale or transfer to third-parties, it has to be explicitly stated in advance. Users will be able to say NO to certain types of usage and will have to give consent – opt in – to the Terms of Service and Privacy Policy of the provider, thus making an informed choice. So, big win for the users – more control over their data, less invasion of their privacy, less spam and less intrusive advertising overall!

The Hard Bureaucracy Around the GDPR

The GDPR by design has been aiming to regulate activities of big companies like Google and Facebook that process insane amounts of personal data and are using it to generate significant gains, but at the end of the day, it affects everyone – every small business that works with any personal data.

Even if a company uses data in a completely legitimate way, the new regulation requires specific modifications like rewording its Privacy policy to state explicitly what kind of usage there is, making automation in how the user can access their personal data, and more. Unfortunately, this effort to comply comes costly in both legal fees, time and deviations from standard business operations so one can focus on the GDPR with high priority.

SiteGround Getting Ready for the GDPR

In compliance with the GDPR, a hosting company like SiteGround has two responsibilities – to protect the personal data we collect from our clients upon sign up (name, email, address, password, billing data) and the data our clients collect from their clients and host on our servers during their usage of our services. We have to guarantee that we collect, store and work with our clients’ data in a legitimate way and that our clients are informed how exactly we do that. On the other hand, we have to provide sufficient guarantees and undoubted transparency as a processor on the way we store the data our clients host on our servers on behalf of their clients.

Even though SiteGround has always been acting in accordance with the principles of the GDPR, there is still work to tidy up the processes we follow and comply with the letter and spirit of the law. So here is a list of the major things we are going through and why they matter.

1. Terms of Service and Privacy policy updates

The GDPR says we have to inform clients what data we collect about them and legitimize how we use it afterward.

The good news is that we collect only the minimal set of personal data that is required to deliver the hosting service. For example, we collect your physical address for invoicing and tax purposes. We collect your credit card data because we need to bill you upon purchase.

We collect your email because we need to contact you regarding your orders, the status of the services, important functionality updates and, where you have consented to receive such communications, contact you with newsletters and promotions. We use cookies because they help us show relevant content to our website visitors and advertise based on these interactions. We don’t use any of the data collected for profiling or other secondary purposes and we do not sell it to anyone.

As per the GDPR requirements, our new Privacy Policy will fully describe why and how we collect and process personal information and any client, existing or new, would be able to validate that we handle this information carefully and sensibly.

2. Standard Contractual Clauses and EU-US and Swiss-US Privacy Shield certification

SiteGround is a group of companies, all of which based in the EU with the exception of our US entity. Based on how standard operations are organized, EU clients’ data may be transferred to and processed by our US entity as well, for example, you may choose to host your site in our US data centers.

In accordance with the GDPR, we need to ensure that our US entity offers the same level of protection of the EU data, as guaranteed in the GDPR, even though it is subject to the US jurisdiction. The way we regulate this is through Standard Contractual Clauses*, which will be included in all contracts between our entities to guarantee the transfer of data is compliant with the GDPR requirements.

Additionally, we are working on a certification under the EU-US and Swiss-US Privacy Shield with the Department of Commerce that we adhere to the Privacy Shield Principles regarding the collection, use, and retention of personal information from European Union member countries and Switzerland, respectively, so we can lawfully host EU client’ data on our US servers when that’s needed. We are moving it forward as a second-tier compliance mechanism after the Standard Contractual Clauses.

*The Standard Contractual Clauses are standard terms provided by the European Commission that can be used to transfer data outside the European Economic Area in a compliant manner.

3. Create annexes to contracts with external providers

Some of the services we sell are provided by external partners – domain registrars like Tucows and Open Provider, GlobalSign for SSL certificates, Cloudflare for CDN and others. They need the client’s data so they can deliver the service.

What we are making sure is that our partners adhere to data protection obligations and responsibilities to the protection of your data the same way we do. This happens by adding annexes to our contracts with these providers where we define their responsibilities as per the GDPR.

4. Internal procedures and access-control enhancements

Given that we have been in one of the toughest on security businesses for 14 years, all our operations are designed following the “security and privacy by default” and least privilege principles. What we are doing in line with the GDPR is auditing and enhancing the security levels and adding new procedures where it is required by the new regulation. For example, we are strengthening our personnel background checks and extending our confidentiality agreements. We enhance our security and incident management procedures with new ones that are in tune with the breach response requirements of GDPR. Another new procedure we introduced is working only with partners that are GDPR-compliant.

5. Prepare a new data processing agreement

Many of our clients operate with the personal data of their clients – they take orders, collect emails through sign up forms, process credit cards, and more. The client controls the data and how that data gets collected and used, but SiteGround stores it on our servers hence take part in its processing. The new data processing agreement will regulate our processing of that data only for the purposes of delivering the hosting service and resolving technical inquiries and no other secondary functions, which has always been the case. Providing the agreement to our customers we guarantee we are a trusted partner, committed to the principles of transparency, and we meet our obligations under GDPR adequately.

6. Right to be forgotten

Under the GDPR every client could request “to be forgotten”, meaning all their data has to be deleted and never used again, except in certain circumstances, which may include having to keep processing your personal information to comply with a legal obligation. An example of such an obligation is the requirement to keep a copy of all invoices to comply with financial and tax legislation. We are now developing a functionality that allows our clients to delete their profiles after all services have been deactivated.

7. Right of access, update, portability and withdraw of consent

Our new Privacy Policy will provide you with full details about how we process your personal data. As a client you should also be able to see what data we store about you, update it and, where we rely on your consent for processing the data, you can withdraw your consent to that use. All our clients could currently see their personal information in the My Details section of their User area and they are able to correct it. Our use of your personal information is necessary to perform our obligations under any contract with you. We rely on your consent only to send you marketing information and promotional offers and we have introduced new preferences that enable you to control your consent for this usage of your data. We should also be able to provide you with a copy of any data which we hold about you. For this, we are working on allowing you to easily export it if needed.

8. Assign Data Privacy Officer

The GDPR says we need to assign a Data Privacy Officer to make sure we are compliant with the regulations and handle complaints. We are assigning a DPO and we educate a small team of people who will be able to assist with inquiries and data protection issues.

Where are We Now?

All of the above things and more are on their way. Some of the items are ready, while others are still work in progress. As we are not in the habit of doing things by half, we have not released any of them yet, but we will do it before May 25, 2018.

We will release updated versions of our Privacy Policy, Terms of Service, and a Data Processing Agreement, but we promise you will not be surprised by the things stated in them as none of the texts actually change the principles which we have stuck to until now.