Businesses, large and small, are in the midst of preparing for compliance with the European Union’s (EU) new data privacy laws: The General Data Protection Regulation, or the GDPR, which will go into effect on May 25, 2018.
The GDPR is very broad in scope and can apply to businesses both in and outside of the EU.
Businesses that don’t comply with the GDPR could face heavy fines.
Here’s some information about GDPR. (Note: you should also consult your own legal counsel to determine if you are subject to the requirements of GDPR.)
What is GDPR?
GDPR is short for the General Data Protection Regulation that goes into effect on May 25, 2018. It was passed by European lawmakers to create a harmonized data privacy law across all the EU member states. Its purpose is to:
- support privacy as a fundamental human right;
- require companies that handle personal data to be accountable for managing that data appropriately; and
- give individuals rights over how their personal data is processed or otherwise used.
What is personal data?
In a nutshell, GDPR defines personal data as “any information relating to an identified or identifiable natural person.”
Ok, so what does that mean?
In addition to the kinds of information you might expect – name, address, email address, financial information, contact information, identification numbers, etc. – personal data can also include information related to your digital life, like an IP address, geolocation, browsing history, cookies, or other digital identifiers.
It also could mean information about a person, including their physical, mental, social, economic or cultural identities.
Therefore, if information can be traced back to or related in some way to an identifiable person, it is highly likely to be considered “personal data” under the GDPR. You can find out more about the GDPR here.
What rights does the GDPR provide to individuals?
There are several rights an individual may exercise under the GDPR, including:
- Right of access: Individuals can ask for a copy of the personal data retained about them and an explanation of how it is being used.
- Right to rectification: Individuals have the right to correct, revise or remove any of the personal data retained about them at any time.
- Right to be forgotten: Individuals can ask to delete their personal data.
- Right to restrict processing: If an individual believes, for example, that their personal data is inaccurate or collected unlawfully, the individual may request limited use of their personal data.
- Right of portability: Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format.
- Right to object: Where an individual decides that they no longer wish to allow their personal data to be included in analytics or to receive direct marketing emails or other personalized (targeted) marketing content at any time, the individual may opt out of use of their data for these purposes.
Please note that these rights are not absolute, and limitations/exceptions may apply in some cases.
What is Bluehost doing to comply with the GDPR?
Where required, we will support you, as a Bluehost customer, in fulfilling GDPR-related data subject requests you receive from your contacts.
Also, from May 25th, we will not publish the personal data of domain name registrants located in the EU in the WHOIS. This is to ensure our WHOIS output is compliant with the GDPR.
However, access to personal data of domain name registrants may be granted when such access is necessary for technical reasons such as for the facilitation of transfers, or for law enforcement when it is legally entitled to such access.
“Controllers” and “Processors”
Generally speaking, there are two types of parties that have a responsibility regarding the handling of data: the “controller” and the “processor.” It is important to determine if you are acting as a controller or a processor and understand your responsibilities accordingly.
A “controller” determines the purposes and means of the use of personal data.
A “processor,” on the other hand, only acts on the instructions of the “controller” and processes personal data on their behalf.
So, what does this mean?
Bluehost can be either a “controller” or a “processor” depending on the data processing activities that are being performed.
Usually, Bluehost is a controller in relation to the personal data that you provide to us as a customer. In certain circumstances, you are acting as the controller, for example, when you decide what information from your contacts or subscribers is uploaded or transferred into your Bluehost account.
How does the GDPR affect my business?
Individuals, companies, or businesses that have a presence in the EU or, if no presence, offer goods or services to, or monitor the behavior of, individuals in the EU need to comply with this law.
We are reviewing and updating, as necessary, our agreements with you and with our subcontractors (to include the necessary GDPR terms), as well as notices, policies and internal processes, features, and templates to assure our compliance and help you achieve compliance.
Please consult with your own legal counsel about whether GDPR applies to you and your business and what actions you need to take to ensure that you comply with the GDPR.
What do I need to do differently to comply with GDPR?
If the GDPR applies to you, there are various obligations you will need to comply with in order to continue doing business with your customers from the EU. Luckily, not all of these obligations are new, so you should be complying with some of them already.
The most important differences in this context are as follows:
- More information about your use of personal data must be communicated to your customers. You should make sure that your privacy notices/policies are updated to reflect the new requirements of the GDPR, including setting out the purposes for which you process personal data, how long you are retaining such data, and what legal basis for use of personal data you are relying on. As a customer of Bluehost, your agreement to our Terms of Service requires you to lawfully obtain and process personal data appropriately, including that of EU individuals as part of the GDPR.
- You should determine the legal basis for your use of personal data: If you are relying on consent to use your customers’ data, you should ensure that the consent you have meets the new requirements of the GDPR. Please note that sending marketing emails or showing promotional content in any form to your customers may require, in certain circumstances, prior opt-in consent from them. As a reminder, you have already agreed through acceptance of our Terms of Service to lawfully obtain and process all personal data appropriately and have attested that you have permission to expose your customers to promotional content.
- You will also need to comply with the rights provided to individuals by the GDPR. See section above “What rights does the GDPR provide to individuals?” for details.
You should consult with your legal counsel on the above and your other obligations under GDPR.
What if you have more questions about GDPR?
If you have specific questions about GDPR, please, contact Support.
The rules contained in the EU Directive on Privacy and Electronic Communications are under review, and we are expecting a new ePrivacy Regulation to be finalized soon.
Once these new rules are finalized, we will be reviewing our forms and features again to provide our customers with the necessary tools to achieve compliance.
NOTE: The information included on this page is meant to guide you through the process of understanding GDPR and is not a substitute for legal advice. Find more information on the GDPR website.