What is GDPR Compliance?

The General Data Protection Regulation (GDPR) sets out to create new rules for how all European residents’ data must be handled. GDPR replaces the previous 1995 EU Data Protection Directive.

GDPR came into effect on May 25th, 2018. This data regulation strengthens the rights that individuals have regarding their personal data and seeks to unify data protection laws across Europe, regardless of where that data is processed.

Who does GDPR apply to?

GDPR compliance isn’t just for European companies. GDPR applies to businesses of all sizes, no matter where you or your company is based. Yes, this also includes any Reseller users who are hosting European customers.

If you offer products and services to customers located within Europe, GDPR applies to you.

What are examples of data that fall under GDPR?

Data by the GDPR definition follows as:

“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Examples of this type of data includes:

• name and/or surname;
• home address;
• email address;
• Internet Protocol (IP) address;
• phone number;
• past or present data of an individual;
• political affiliation;
• health data (previous surgery history, as an example);
• sexual orientation.

This data must be protected whether you share this information digitally, in written form, or if you speak to another individual with access to the data.

Who is responsible for this data?

You are. If you’re an enterprise business, an online newsletter, or a brick-and-mortar shop, you’re responsible. If you are a corporate officer or run administrative tasks, you’re responsible. Everyone in the organization is responsible for maintaining this standard to ensure there are no potential breaches or compliance failures.

More importantly, you’ll play a role in the organization/business being responsible if the organization fails to meet the GDPR standard.

What type of fine can be faced if you’re found non-compliant?

There are two tiers of fines that can be levied as penalties:

• Up to €10 million, or 2% of annual global turnover – whichever is greater;
• Up to €20 million, or 4% of annual global turnover – whichever is greater.

What kind of requirements exist to meet compliance?

There are many requirements in place to ensure you are following the new standard accurately.

We’ve documented a couple of steps that you can take to get started with GDPR compliance. This list should not be considered comprehensive and we recommend consulting with a legal team for your organization’s needs if you’re uncertain of the scope.

• Analyze and understand the legal framework for GDPR.
• Review your vendors, existing infrastructure, and any third-party applications you may use in order to familiarize yourself with the way that data flows within your business.
• Identify what types of personal data you process and understand who has access to it.
• Implement a plan for how you will modify, delete, and provide personal data upon request.
• Ensure that you obtain and record explicit consent for the collection and use of personal data. Pre-checked boxes and default acceptance of policies are not permitted within the GDPR.
• Designate an official data protection officer (DPO). This is required for some organizations, but optional for others.
• Provide evidence that your organization complies with the GDPR through documentation, which means writing down your procedures for handling personal data.
• Ensure that your data processing has a lawful basis and keep a record of it on hand.
• Review and update your site’s privacy policy to include detailed information on your data collection, use, and privacy practices.

What is Sucuri’s role with GDPR compliance?

Our globally distributed team has worked carefully to ensure that Sucuri’s products and services meet the requirements set forth by these new regulations. Measures we’ve taken to accomplish this include:

• Upgrades to our products and workflows to support data management.
• Updates to our contractual terms and services.
• Reviews of our existing processes in order to meet and exceed GDPR requirements.

Sucuri has always taken privacy very seriously. At the core of our privacy and security policy, we believe that data which does not exist cannot be tracked, stolen, or compromised.

We personally collect only the data necessary for business and security purposes, which already puts us ahead of GDPR guidelines, by storing the minimum amount of Personally Identifiable Information (PII) in our proprietary systems and cache.

Is the Sucuri Plugin GDPR compliant?

By generating an API key in the plugin, Sucuri collects and stores the email address you provide, as well as a copy of the audit logs generated by the server. This data is stored on Sucuri’s servers, and you may retrieve the audit logs using the same email address at any time.

If you purchase other services from Sucuri, then more data will be stored. Our Terms of Service and Privacy Policy have more details about what is stored and how to exercise your privacy rights. For those who require one, we also have our Data Privacy Addendum available.

Please email GDPR@sucuri.net if you have any further questions about how Sucuri handles Personally Identifiable Information (PII).