While I was preparing for GDPR I made some assumptions which I didn’t realise were wrong until almost too late, and frankly I’m still confused about Article 28 paragraph 3. (Yep, I quote regulations now).
If you run any kind of website that stores people’s details, you might want to check this out too.
Some background –
- In plain English: My website stores your email address on my hosting provider’s servers.
- In GDPR speak: I am a Data Controller and the host is a Data Processor.
Under Article 28(3) I must have a specific contract with my hosting provider that extends my GDPR obligations to them. This goes for any service provider that you use to store or process personal data that isn’t your own. In my case it includes Linode, Stripe, AWS and MailChimp. (I also use Google Docs and DropBox, but I’ll come to those later).
No problem, of course I have contracts with these companies. They will just update their terms of service and all will be nice and legal. Unfortunately it’s not that simple, and the next person who tells me “you don’t need lawyers” is going to get an earful.
In order to be GDPR compliant your web host will offer you a “Data Processing Addendum” if you require it. This supplements your existing agreement and contains specific terms in order to precisely meet the requirements of Article 28 (3). It’s boring, but you should read it. You will explicitly agree to it.
So, if you run a website that processes any personal data and haven’t signed a DPA with your hosting company, then you are not GDPR compliant. If you missed that like I nearly did, look into it! They may not bother telling you.
I was lucky that Linode were forthcoming about this and wouldn’t allow me to continue running the servers without the addendum in place. However, all the other providers I mentioned assumed I would know about DPAs and seek out the information in the sea of other GDPR blurb on their websites.
If you use AWS, like god-knows-how-many small tech companies do, the DPA information is buried here. (requires sign-in).
UPDATE: The DPA is now covered under AWS standard terms.
See the announcement posted three days before GDPR came into effect.
Audits and inspections
Here’s a fun clause. Article 28(3)(h) says you can audit your hosting provider and carry out inspections, yourself. Seriously. – BUT – The regulation doesn’t seem to provide any framework or limitations to this. The ICO doesn’t provide any useful information about this either. All they say is that your supplier must provide all the information that is needed to show they’re meeting their obligations of the contract.
28(3)(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Who says what information is “needed” or “necessary”? It’s not clear, but service providers are going to avoid you auditing them because they’re not stupid. They will say that either you don’t need to audit them, or you’ve already agreed you’re satisfied. They will mention their certifications (like ISO/IEC 27001) and hope you’re just going to go away. Of course you are, but I would love for someone to request to audit Google and document how that plays out.
In reality I do trust my hosting provider’s certifications, but I don’t see anything in the regulation that says I must do. This is where we get into the wording of your contract.
My DPA with Linode (who incidentally I think are a good and fair company) states that I AGREE :
[that] the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks […]
So basically I’ve already agreed that I’m satisfied with their ability to meet their obligations, and effectively state that I won’t need to audit them. Pretty good ammunition if I ever try to exercise my right.
Of course I’ll never bother, but it’s pretty sneaky considering I was presented with this contract 7 days before the GDPR came into effect.
What if you are also a Data Processor?
I had happily decided some time ago that I am only a Data Controller, not a Data Processor. I store your email address so you can log in to the site, but you shouldn’t be uploading other people’s personal data to my server. That’s not what the site is for, so why would you? This however, did not stop customers asking for data processing contracts. Possibly because they were routinely asking every “cloud” company for one. This made me realise that although personal data processing is not what the service is for (i.e. I do not act on instructions from data controllers), there was nothing to stop it being abused for that purpose. Would the lack of “instructions” be enough to avoid the definition? Who would be liable if it wasn’t? I have no idea. Maybe both parties. (You don’t need lawyers, remember?)
Being a one-person company I cannot possibly have any one of my 50,000 users turning up to audit my servers or inspect my premises, nor afford the lawyers to put them off. I phoned the ICO’s small business helpline about this, and – although I thoroughly recommend the service – it was obvious this wasn’t a common question. It seems this is a “big company” problem.
In the end I decided to update my acceptable usage policy to make my position clear. (Don’t upload personal data that isn’t yours!) It feels like a Bandaid solution, but looking at various other (much larger) providers I don’t see how they can operate legally without offering a DPA. What happens if you upload personal data into a Free DropBox account? I’ve asked them several times and still don’t know.
No DPA for FREE accounts
The firms I mentioned above are all paid-for, B2B services, but I also have accounts with Google and DropBox and many other so-called “cloud providers”. I deliberately avoid passing customer data to these providers, but I’m willing to bet many small business ARE using them for this purpose. I wonder how many Spreadsheets out there contain personal data and are stored in Dropbox, Google or Apple’s free storage plans.
Your free account with one of these providers will almost certainly not include a GDPR-compliant DPA. I know this is the case with DropBox and pretty sure it’s the case with Google too unless you have a GSuite account for business use.
DropBox outright refused to answer my question. All their Data Protection Officer was able to do was send me to read their acceptable usage policy (which I’d read) and which does not explicitly say personal data processing is prohibited. I asked them for a yes/no response. Allowed or not? They refused to say.
As with many providers, their policy pretty much says “don’t do illegal things”. So – not being a lawyer – does that mean they’re off the hook and I’m liable?
If you know the answer that, let me know on Twitter. I’ve disabled comments on this blog for now, because you know …