GDPR Anniversary: Looking Back at One Year of Compliance
On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) came into force. As we approach the first anniversary of the GDPR, it’s time to look back at the impact of the EU’s stringent privacy regulations on ServerMania, our customers, and online business in general.
When the EU introduced the GDPR, there was a great deal of uncertainty (and misinformation) about what it meant for businesses inside and outside the EU. How eager would Data Protection Agencies (DPAs) be to punish businesses by fining them or removing their ability to process personal data? Would small businesses be wiped out by massive fines for minor transgressions? How would the GDPR be applied to businesses with European customers who are based outside of the EU?
A year on, we have a clearer view of how DPAs enforce the GDPR and the consequences for businesses that fail to comply.
What Is the GDPR?
The GDPR is a collection of regulations that apply to businesses that process the personal data of individuals in the EU. It aims to give people control of personal data, which is any data that can be used to personally identify them. The GDPR specifies:
- Legitimate reasons under which businesses can process personal data, including consent, contract, and legal obligation.
- A set of individual rights for data subjects, including the right to be informed, the right to see personal data held by companies, and the right to have personal data deleted upon request.
Businesses that process personal data without a legitimate reason or that prevent data subjects from exercising their rights face fines of up to €20 million or 4 percent of global revenue.
The GDPR at One Year
GDPR enforcement started slowly as national DPAs were created and began to investigate complaints. In the early months, the DPAs were more likely to offer businesses guidance rather than fine them. Many businesses weren’t ready for the GDPR and the DPAs were willing to give them time to bring data handling processes into compliance.
The grace period lasted a few months and is now over. DPAs are actively enforcing the GDPR, and numerous non-compliant businesses have been fined. Google was stung by one of the biggest fines to date: France’s National Data Protection Commission fined Google $57 million for lack of transparency in the collection and handling of data used for personalized advertising. Fines have been issued to businesses based in the EU, in the U.S., and elsewhere in the world.
The GDPR has also served as an example for privacy regulators across the world. The California Consumer Privacy Act (CCPA) was inspired by the GDPR, although it differs in some key aspects. Countries including Norway, Switzerland, South Korea, Brazil, and India are working towards stricter regulation of personal data.
In its first year, the GDPR had a significant impact on the way businesses collect, process, and store data. The most visible manifestation is the consent banners that regularly frustrate consumers. But the real impact is deeper: the GDPR gave businesses a much-needed nudge in the direction of improved security and privacy. Greater respect for the right of consumers to control their personal data is becoming an international norm.
ServerMania and the GDPR
Under the GDPR, a server hosting provider like ServerMania is considered a data controller: we collect and process personally identifiable data to provide services to our customers. That includes names, contact details, payment information, analytics data from our website, and so on.
We collect and process that data in compliance with the GDPR. That means:
- We only collect data when the customer has given their consent or under the GDPR’s other justifications for collecting data.
- We explain why we are collecting the data in clear language and give customers the opportunity to opt in.
- We only use personal data for the purposes stated when we asked for and received consent. We only use the data in the ways that customers have agreed to.
- Customers can withdraw consent or request that their data be corrected or deleted at any time. Customers can also request a copy of their personal data, which we provide in a structured, machine-readable format.
ServerMania takes the privacy and security of customer data seriously. We have always stored data in a secure environment in our SSAE16-certified data centers. Both our Terms of Service and our Privacy Policy comply with the GDPR and communicate our data privacy practices clearly.
Our Privacy Policy states in clear language how and why we collect, use, process, and share your data. It includes an information security section to communicate the steps we take to keep personal data safe. Our Cookie Policy clarifies what cookies are and how we use them.
As a data controller, ServerMania is responsible for ensuring that the third-party services we use also comply with the GDPR. We use services such as ActiveCampaign for email, Stripe for payments, and Google Analytics. All third-party services comply with the GDPR and have a GDPR-compliant privacy policy.
Finally, the Surge control panel makes it easy for ServerMania customers to make requests concerning their personal data.
Although ServerMania is a Canadian company with a significant U.S. presence, we have facilities in the EU and many of our customers are based in Europe, so we regularly process the personal data of EU individuals. We strongly believe in data privacy, which is why our privacy policies apply to all ServerMania customers, not just those in the EU.