The General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a new EU law which affects all organisations that hold and process the personal data of EU citizens.
In compliance with the General Data Protection Regulation (GDPR), we are responsible for protecting the personal data we collect from our clients upon sign up (name, email, address, password, billing data). We must also ensure that the data our clients host on our servers while using our services is protected. We collect, store and work with our clients’ data in a legitimate way, and we want to inform you of how we do this. We would also like to provide transparency, as a processor, about the way we store the data our clients host on our servers.
The GDPR says we have to inform clients what data we collect about them and legitimise how we use it afterwards. We only collect the minimal amount of personal data required to deliver the hosting service to your company. We collect your physical address for invoicing and tax purposes, and your email address to contact you about our service, your orders and important information relating to your business with us. We never use any of the data collected for profiling or secondary purposes, and we do not sell it to anyone.
2. External Service Provision
Some of the services we provide customers include services from external partners, such as Godaddy, Fasthosts, CDN77, Platinum Server Management, Amazon AWS S3 storage and myJoomla. Some, but not all, of these services either require client data or store client data in a secure, password-encrypted file (for example, in the case of backups).
3. Internal Procedures and Access-Control
In line with the GDPR we are auditing and enhancing our security, access control and data storage provision. We are adding new procedures where the new regulation requires them. For example, we are implementing higher levels of authentication for sensitive data and for the access we have to third-party companies used by the client, such as domain registrars and Mailchimp.
4. Mitigating Data Breach, Our Commitment to System Security
We employ third-party specialists, Platinum Server Management, to provide 24x7x365 server management and monitoring of our web servers.
Through our server management contract with Platinum Server Management we closely monitor for any unauthorised system access, and we put multiple preventive measures into action to mitigate the risk of cyber attack. Server systems are regularly updated for this purpose. Some sites also feature an auto-banning protection system that actively blocks users/IPs detected behaving against defined rules.
We implement a level of security deemed appropriate for the site we are managing, based on our experience. However, if a client requests a higher level of security, such as 2-factor authentication on their website, IP blocking and so on, we can provide a tailored security solution appropriate to their data needs.
5. Data Protection by Design and Data Protection Impact Assessments
Security and protection of clients’ data is our primary priority. Whenever we develop a new system, security is the first design principle of its architecture. Our first goal is to protect the integrity of the new production system. Our second goal is to protect the customer data that is stored and used by that system.
6. New Data Processing Agreement
Many of our clients operate using the personal data of their own customers. For example, they take orders, collect emails through sign-up forms, process credit cards, and more. Our client controls their customers’ data and how this data gets collected and used. Haywood Sener stores this data on our servers and therefore takes part in its processing. The new data processing agreement will regulate our processing of that data only for the purposes of delivering the hosting service and resolving technical inquiries, and for no other secondary functions. This has always been the case. In providing services to our customers we are committed to being a trusted partner, adhering to the principles of transparency, and meeting our obligations under the GDPR adequately.
7. Right to be Forgotten
9. Where Are We Now?