Nexcess, a provider of performance-optimized, managed WordPress and Magento web hosting, has warned hosting clients that they are rapidly running out of time to prepare for the implementation of new EU privacy regulations. The EU’s General Data Protection Regulation (GDPR) comes into effect on May 25 and will affect all hosting clients that collect or process the data of EU citizens.
Although businesses based in the U.S. and other locations outside of the European Union are not typically bound by European legislation, the new framework applies to all organizations that do business in the EU. In the global marketplace of the web, that includes e-commerce merchants with EU customers, publishers with an EU-based audience, and application and service providers with EU users.
The penalties for breaching the GDPR are onerous and include fines of up to €20 million (around $25 million) or 4% of worldwide annual revenue. It would be in the interest of hosting clients around the world to familiarize themselves with the requirements of the GDPR and to take steps to comply.
“We provide hosting for websites and e-commerce stores in the U.S. and Europe, and we are concerned that some hosting clients may not realize that the GDPR affects them and how best to prepare for May 25th,” said Chris Wells, President and CEO of Nexcess. “We would urge all online businesses that collect, even incidentally, personal data associated with users in the EU to familiarize themselves with the GDPR and what it requires of them.”
Opt-Out Changed To Opt-In
EU privacy regulations have long been stricter than those of other regions, but with the introduction of the GDPR, EU citizens gain more rights, and those who collect and process identifying personal data from EU citizens gain more responsibilities.
The most important new responsibility for web hosting clients is that EU citizens must give consent before their data is collected. Consent must be actively given, so opt-out interfaces should be changed to opt-in. EU citizens also have the right to access any personally identifiable data a company holds about them and to request the deletion of any such data. Businesses are expected to provide accessible interfaces through which users can make requests for data access and deletion.
Furthermore, all businesses that handle identifiable data of EU citizens are required to inform customers of data breaches involving their personal data within 72 hours. Regulatory authorities in individual EU nations will be given powers to perform on-site audits and to warn, reprimand, and issue remediation instructions to businesses found to be non-compliant.