Web Hosting and GDPR Compliance – What to Look For

The GDPR can impact all areas of your business, including where you host your website. Here’s how to make sure that you are hosting your website(s) with a GDPR-compliant web host.

As explained in our comprehensive guide to web privacy and WordPress website GDPR compliance, the General Data Protection Regulation, or GDPR, can affect anyone doing business anywhere, especially online.

So, it’s not only important to make sure that your website is GDPR-compliant but your web host too!

In this article, we’ll cover:

Let’s follow the bouncing ball…

Your web host does not want to be fined for non-GDPR compliance, especially if your site causes the issue.
Like any business, your web host is also responsible for complying with all GDPR laws and regulations.
Your web host’s clients include anyone hosting sites on their servers (e.g. you). Your web host, therefore, must comply with the GDPR in relation to you (i.e. their client)
You must comply with the GDPR in relation to your site’s users and visitors.
So, under the GDPR, your web host must respect and protect your rights to data privacy and security, just as you must respect the rights of your site’s users and visitors.

But…what happens if someone raises a compliance issue with your web host that was found to be caused by your site’s users or visitors?

For example, under the GDPR’s right to be forgotten, a EU citizen can request that all of their personal information and data be deleted from your website.

This means that you must delete any and all of their personal data that may be stored in your computer (e.g. email communications), backups, cloud storage, etc., including any server logs and other account-related data stored elsewhere (e.g. your web host).

Wait…what?

But that’s crazy!

First up, how can your host completely erase any data that may contain your user’s personal details and any correspondence you may have had with that person without also deleting your website data, emails, etc.? Their only safe option would be to completely “nuke” your account.

Second, how do you know your host has actually complied with your request when you have no access to their internal workings and dealings?

Yes, the GDPR is the law, but it is by no means clear-cut in its implications.

A GDPR-compliant web host must protect their own business while also providing their clients with transparent communications on the methods they are using to remain compliant.

This will reduce the probability of GDPR issues for your website, but it will not automatically make your website GDPR-compliant and eliminate all your GDPR problems.

So, for your own business’ sake, it’s important that you know…

The GDPR is all about how personal data and information is collected, handled, used, processed, and stored.

Most of the information your web host collects and stores about your site’s users should be made accessible to you. This includes your WordPress database, site backups, and folders and files in server directories.

However, there are other areas where a web host can store data about your users and visitors. These include:

Server Logs

The GDPR defines internet protocol (IP) addresses and cookie identifiers as personally identifiable information (PII) which must remain protected and secure under its privacy laws.

A web host’s server logs may contain identifiable IP addresses. IP addresses can be static or dynamic. Distilling PII from dynamic IP addresses is harder than obtaining it from static IP addresses but it can done using certain tools and methods combined with specialized skills (e.g. criminal forensics).

Databases

Your WordPress site’s database is stored on your host’s servers and should be accessible to you (i.e. the site owner). However, your host may use third-party tools to extract, gather, and compile data from hosted databases to an additional database to try and better understand what kinds of applications their hosted sites are using.

CDN

A Content Delivery Network (CDN) may temporarily store cached web log information of your site visitors (e.g. IPs, referrer, location, etc.) and serve stored files and images of your site from other countries.

In order to set up your account and provide you their services, your web host must collect information about you and your business.

This can include your name, contact details, and information about your business, as well as email correspondence, chat logs, support requests, etc.

Everything that you are expected to do with your site’s users and visitors to comply with the GDPR is also expected of your web hosting company when dealing with you.

So, this brings us to the main point of this article…

When assessing a web host for GDPR compliance, look for the following documentation:

Privacy Policy – This should clearly specify how your web host will collect, use, share, process, and protect your personal data, how complaints will be handled, and how you will be notified of any changes to their policy.
Data Processing Agreement (DPA) – This document regulates your web host’s responsibilities when processing personal data on behalf of their customer in the course of providing services and is subject to various data protection laws (e.g. European Union, United Kingdom, US, etc.)

You should be able to clearly understand the language and methods used to process and handle your data. This information should be transparent, not be written in legalese, and should be made easily accessible (i.e. not buried under layers of pages and fine print.)

Here are some of the things to look for in the above documentation:

You should provide only minimum data and be in control of it

Your host should only collect the absolute minimum data required to provide you with their services, process your orders, keep you updated about scheduled maintenance, and send you important information related to the services you use (e.g. your contact details and billing information). Also, only employees that are directly involved with the provision of those services should have access to it.

Additionally, you should be able to edit and download your data and request the deletion of your profile through your customer account area.

Your data should only be shared with secure partners

In order to provide services, your host may need to share some of your data with external providers (e.g. domain registrars, data centers, SSL providers, content delivery network (CDN) providers, email marketing services, etc.).

In addition to only partnering with GDPR-compliant third-party services, your host’s documentation should also provide a list of all partners they may share your data with, so you can verify that they also meet all data protection standards.

You should have control of your email subscription preferences

Your host may ask you to subscribe for updates, tips, important announcements, special offers, etc. The GDPR requires all companies to obtain express consent from users to obtain and use their email address and to allow you to easily opt-out or modify your subscription details and preferences at any time.

Only aggregated and anonymized browsing data should be collected

As mentioned earlier, your host may collect and store data in areas like server logs and additional databases to help them better understand their services and improve their site’s performance, resolve issues, and identify ways to optimise and improve their products and services.

It’s important that none of this data be linked to personally identifiable information, except where deemed necessary to prevent fraud or abuse on their site. This can be done using data protection technologies (e.g. firewalls and data encryption), practices (e.g. minimal data collection), and methods (e.g. pseudonymization).

Processing of data uploaded on your account

Like all businesses that collect, handle, and store data about their customers, hosting providers also have responsibilities and obligations as a data processor.

In addition to explaining in their Privacy Policy and Data Processing Agreement how GDPR criteria for processing and securing your data will be met, how potential breaches of your personal data will be handled, and how your requests to exercise any of your personal data rights as outlined in the GDPR will be processed, your host should also have a designated Data Protection officer who can address any and all questions you have related to your personal data.

As you can see, choosing a GDPR-compliant hosting service is very important.

Although this will not make your own website GDPR-compliant, choosing a GDPR-compliant company that provides web hosting with trustworthy transparency, a clearly-written and easy to understand Privacy Policy and Data Processing Agreements covering all required criteria, and that communicates openly and honestly at all times with its customers on all areas of data privacy, processing, and security will go a long way toward strengthening and boosting your own compliance.

At WPMU DEV, we’re not only very proud of the hosting service we provide to our members, but we have also taken every conceivable step to ensure that we are and will remain GDPR-compliant not just for our own business’s sake, but also for your peace of mind.

Follow our privacy and GDPR compliance guide for your business and check out our Privacy Policy or request our Data Processing Agreement to learn how we can help you improve your GDPR compliance.

Have you experienced any challenges making your business and website GDPR-compliant? Share your thoughts in the comments below.