Unless you’ve been living under a rock for the past few months you will no doubt have heard about GDPR.
GDPR is new EU General Data Protection Regulation that replaces the old Data Protection Directive and comes into force on the 25th May, 2018.
The new regulations apply to any business that processes the data of any individual who resides within the EU, so even if your business isn’t based within the EU, you still need to comply with the new regulations if any of your clients (website visitors) are from the EU.
One of the main aims of the new legislation is to ensure companies are more open and honest about what data they collect from you, and how this data is used. It also gives you, the customer, the ability to request any personal information held about you to be deleted. Failure to comply with this would mean the company would be in breach of the GDPR regulations.
As a web host we have been asked a number of questions about GDPR from our clients, so we thought we would put together this blog post to clarify things. The post will be split into two parts; the first will detail the data that D9 Hosting collects from you, our customer; the second will detail how your hosting account works in respect of GDPR, and any changes you may need to make going forward.
Part 1 – Aimed at the D9 Customer
When you signed up with D9 Hosting we collected the following personal information from you:
– Business Name (if applicable)
– Email Address
– Postal Address
– Phone Number
– PayPal Email Address (if applicable)
– VAT Number (if applicable)
– IP Address
These details were collected in order to allow us to fulfill web hosting and domain registration orders placed by you.
As well as the data listed above, if you pay your invoices via credit or debit card, we will also store the last 4 digits of your card number, the card type and the card expiry date.
This data is stored by D9 Hosting on a Dedicated Server located in the USA. The only people with access to this data are D9 Hosting staff. Access to this data is restricted by IP address, meaning unless you are physically sat in one of the D9 offices, the data isn’t accessible.
The data is backed up multiple times on a daily basis. The backups of this data are stored in 3 different geographical locations to provide us with multiple levels of redundancy. Two of these backup locations are in the USA, with the third location being in the UK. D9 Hosting staff are the only people with access to these backups. All backups are stored for a maximum of 30 days at which point they get overwritten by more recent backups.
You are able to view all information that D9 Hosting stores about you at any time from within your D9 client area by visiting the “My Details” page. We have never, and will never, share your data with a 3rd party for marketing purposes.
On occasions, it is necessary for us to share certain aspects of your personal data with 3rd parties to be able to provide you with services. For example, when registering a domain name on your behalf, we have to share your personal details with the domain registry in order to register the domain.
When you make a payment on an invoice using a credit or debit card your personal data and your card details are captured and stored by our card payment gateway, SagePay. We use a tokenized system which means that no-one at D9 Hosting ever has access to your full card details, these are all stored securely by SagePay.
Part 2 – You, The Website Owner
As a website owner, you are ultimately responsible for ensuring that you are complying with GDPR regulations when people visit your website. We can, however, give you answers to some common questions that should help you comply.
Q1: Do D9 Hosting collect personal information from my website visitors?
A: When somebody visits your website, we store the visitor IP address in the server access logs. This allows us to provide you with statistics about the people who visit your website and also allows us to troubleshoot issues. You can view the access logs for your website by looking in the “access-logs/name-of-domain-here” file.
Q2: Where is the data stored?
A: We have servers located in both the UK and the USA. Our UK servers are hosted in one of the few ISO27001 certified data centres in the UK; our US servers are hosted in a Tier4 facility.
You were given the option to select a server location when signing up, but if you’d like to know if your websites are hosted in the UK or the USA then please do ask us and we will be happy to confirm for you.
If you are hosted on a UK based server then your data is backed up to storage servers in the UK and if you are hosted on a US based server then your data is backed up to a storage server in the US.
Q3: Is my data on the same server as others?
A: Possibly, it depends on your hosting plan.
If you are on a Shared, Reseller or Multi Site hosting plan then you share that server with other users and you are storing data on the same physical server as others. Whilst the security of Shared Hosting has improved greatly over the past few years there is always an inherit risk that comes with storing sensitive data on a shared platform.
If you would prefer your customer/website visitor information not to be stored on a shared platform then we can provide you with a custom VPS or Dedicated Server. This would mean that your data would be the only data stored on that server. We can also perform additional security steps like closing any unused ports, locking down access to only your IP address, and other security measures that aren’t possible on a shared “one size fits all” service. If this sounds like something you would be interested in then please don’t hesitate to get in touch with us.
All data that is backed up is stored on shared backup servers. The only people with access to these shared backup servers are the D9 Hosting staff. Again, if you would prefer your data to be stored on a Dedicated Backup server that is locked down so that only you are able to access it then please do get in touch and we would be happy to set this up for you.
Q4: Do I need to make any changes to emails?
A: Possibly. It’s always a good idea to set up your mail client to use a secure connection, this means that any emails you send are encrypted in transit. This ensures that if a packet sniffer were to intercept an email, the content would be encrypted rather than being sent in plain text. If you are currently using an unencrypted SMTP connection in your mail client we would recommend re-configuring it.
Depending on your own GDPR compliance requirements, you may need to go one step further and have a mailbox that supports “encryption at rest”.
With standard cPanel POP/IMAP email accounts whilst the data can be encrypted in transit, the emails sit in the mailbox in plain text. Encryption at rest means that emails are also encrypted in the mailbox and not just in transit.
Our Hosted Exchange 2016 mailboxes support encryption at rest out of the box and are fully GDPR compliant. Please contact our sales team if you’d like more information on how to migrate to our Hosted Exchange email platform.
We hope this has given you a better idea of how we are handling the new regulations in terms of what data we store about you and why, and also any changes that you need to make to ensure the data that you collect from your website visitors is done so in a way that complies with GDPR.
If you have any questions please don’t hesitate to get in touch with us.