L6Hosting


Guidance for customers that need to be GDPR Compliant

We host websites and services for a diverse set of customers, and it’s something that we are proud of. We do recognise, however, that our customers may sometimes be hosting personal or sensitive information about people from a European country on our services.

If you find yourself or your business in that category, then it is your responsibility to be compliant with the European General Data Protection Regulations (GDPR). In this case we (L6Hosting Limited) are a Data Processor, so legally we cannot take any responsibility for the data you choose to store on our services; you are the Data Controller.

As a Data Controller you will need to be compliant with GDPR if you store and process personal data relating to any citizen of a European country, even if you or your organisation is not based in the European Economic Area (EEA). It also does not matter whether you are a large company, a small business, or even just one person with a single website. Regardless of how much data you are storing, even if you are only storing the name and email address of one other person from a European country, you must be compliant to store that data.

To be compliant, here are some of the main things you will likely need to do:

  1. Write a Privacy Policy that clearly explains what data you collect, for how long, how you process and store that data, and who to contact to make a request or complaint. Make sure you communicate your privacy policy clearly to the people whose data you are storing. Remember that people must be given the opportunity to view and accept your privacy policy before they register or sign up to anything; implied consent is no longer allowed. We are happy for you to use our policy as a template.
  2. Conduct a Data Protection Impact Assessment. This should clearly show what data you’re collecting and how it is being stored. Keep it safe and make sure it is always up to date.
  3. Designate someone, even if it’s just you, as the Data Protection Officer. They should be able to answer any questions about what data you are storing, your processes and your policies. It’s likely this will be the same person who handles requests or complaints, but it doesn’t have to be.
  4. If required by your local laws, register with the relevant data protection authority (in the UK this is the Information Commissioner's Office and you can register at ICO.org.uk). You should notify them that you are storing personal or sensitive data, even if it’s just you running one website. As soon as you start collecting and storing data about other people, you are a Data Controller and may be required to register.

This is not an exhaustive list and should not be considered legal advice or guidance; it is provided for general information purposes only. You can find more useful information on the Information Commissioner’s Website at ICO.org.uk. If you are unsure about anything or need further help, you should contact a Data Protection Lawyer or similar specialist.

Remember, you only need to do this if you are storing personal or sensitive data about citizens of a European country. Even if you are not based in the European Economic Area (EEA), if you are storing data about a citizen of a European country then you still need to be compliant.
