PCGuys Telecom - Telecommunications & Hosting Services

PCGuys & GDPR Frequently Asked Questions

Issued May 2018

This FAQ document aims to help resellers and customers of PCGuys and CIX on matters relating to GDPR. It does not go into specifics of how GDPR works in relation to your own circumstances; instead it aims to answer the questions we're frequently asked about hosting data via web and email services on our servers in relation to GDPR.

Towards the end of this document are some questions and answers in relation to PCGuys's own compliance.

1. What is GDPR?

GDPR stands for General Data Protection Regulation and becomes enforceable on 25th May 2018.

General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The UK is adopting it post-Brexit, and in the UK it is managed by the ICO.

2. ICO?

The Information Commissioner's Office. Full details start at www.ico.org.uk. It has a whole section regarding GDPR and we would strongly recommend you read through it all to ensure compliance, which can be found at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/. You may also need to check if you need to be registered with the ICO.

3. Is PCGuys registered with the ICO?

Yes, please see https://ico.org.uk/ESDWebPages/Entry/Z1830512 for more information.

4. Will PCGuys be GDPR compliant on 25/05/2018?

We have taken legal advice and reviewed our internal procedures, terms and privacy notices and believe we're GDPR compliant on 25/05/2018.

5. Where are your privacy statements?

They can be found here:
https://cdn.interdns.co.uk/downloads/terms/PCGuys%20Privacy%20Statement.pdf

It may answer many questions on what we do with data, how we handle it and how it's used, and your rights as an individual.

6. As a reseller / customer of PCGuys, do I need to become GDPR compliant?

If you're a business or individual handling other people's data in any shape or form for any purpose, even if it's not for the purpose of selling services, including non-textual data, you need to ensure you are compliant with GDPR.

7. How do I become compliant?

In the first instance, you should check with the ICO on what you need to put in place to become compliant. We're unable to offer specific advice, as each company differs in how it receives data and what it does with it.

8. If PCGuys is compliant, does that make me automatically compliant if I just use PCGuys as my sole supplier?

No. You need to ensure your own procedures on data handling of your customers and how you work with such data is compliant with GDPR.

9. Can you tell me if my web site hosted on PCGuys's servers is GDPR compliant?

We're unable to check a web site to see if it's compliant, but if it is collecting personal data in any shape or form, including tracking of the visitor's IP address and user details, you should issue a privacy document on what you do with the data, why you collect it and the rights of the person providing it. That is essentially what GDPR is about – what data is used for and what you do with it. However, for exact clarity, it is worth speaking to the ICO on the exact requirements on what is needed for your organisation.

10. My web site uses a database hosted on your servers, is it automatically compliant because PCGuys is?

We're unable to say whether the data you're holding on our servers, the reason you're holding it and what you do with it is or isn't GDPR compliant. This is something you should check with the ICO or seek further legal advice on.

11. If someone hosts a site on your server that isn't compliant, does it affect my own compliance?

If you are not sending data to that site, we are not aware this affects compliance on other sites on the shared hosting platform.

12. If a site on PCGuys's server gets hacked but belongs to another reseller, does it affect my own compliance?

If you are not sending data to that site, we are not aware this affects compliance on other sites on the shared hosting platform.

13. Can I store credit card or banking details on the shared hosting server?

This is something you should discuss with your merchant provider. However, at the very least, we would recommend if you are storing this type of information to have the details fully encrypted. PCGuys is not responsible for any losses or damage that may occur should such data be subject to a breach or hack.

14. Do I need to encrypt the data on my web site?

If you're handling sensitive data, then we would recommend encrypting it in some form, the level of which is something you need to decide upon yourself and work with your developer to implement. We cannot say whether the data you're housing needs to be encrypted. PCGuys does not automatically encrypt data on its hard disks relating to the shared hosting platform.

15. Do I need to encrypt emails if it's handling sensitive data? How do I do that on PCGuys's servers?

Again, if you're sending sensitive information, then you should seek legal advice on whether encryption in some form is needed, ensuring both the sender and the receiver have the right security measures in place to protect the content being transmitted.

PCGuys does not provide an encryption service, in the sense that we do not encrypt emails relayed through our servers and are unable to do so. This is something that needs to be engineered by the code / program / client sending the email, with the decryption performed by the client receiving the email.

16. Doesn't STARTTLS encrypt my emails? What about email storage? Do I need to ensure STARTTLS is enabled on my email platform?

We would recommend enabling STARTTLS on your mail client for sending and receiving email through us as this secures the transmission of any authentication details and data sent to our servers for the protection of your mailbox. It will also ensure the mail sent to our server and received directly from us is encrypted.

However, email on our servers is not stored encrypted by us, and any email relayed on to a third party will be sent via regular SMTP on port 25.

In addition, once the mail is downloaded to your own client, you need to ensure that any sensitive information held is in line with GDPR compliance.

This is why it's very important to ensure you have a very strong password set on your mailbox and the FTP area of your web site.

17. Do I need an SSL (https://) certificate for my web site?

SSL encrypts the data sent between the client / user and the server, effectively the transmission of the data; it doesn't mean once the data is on our server it remains encrypted. If you are collecting sensitive data, you should ensure SSL is installed on your site so the risk of the data being "sniffed" is reduced accordingly.

18. Where does PCGuys host data?

PCGuys hosts all data in UK London data centres.

19. Who has access to my or my clients' data stored in the Control Panel?

Only authorised personnel have access to data under strict permissions. Staff are not permitted to take unauthorised data outside of company premises.

20. What happens if my site gets hacked? Is that my fault or yours? And do I need to tell anyone?

Hacks do happen, especially with off-the-shelf packages such as WordPress, which are commonly targeted by hackers. In all instances so far, hacks to web sites of this nature have been through add-ons and themes that have a vulnerability that has not been patched. We strongly recommend regular checks on your code and procedures to ensure your site is up to date with the latest versions.

If the site is hacked in this way, it is your responsibility to resolve it. If you are handling personal data and suspect the data may have been leaked, you should seek advice from the ICO on whether the users affected need to be notified.

21. If I'm just selling broadband and telecoms, do I still need to worry about GDPR?

Regardless of the product and services you are offering, if you're handling personal data in any shape or form, then you need to ensure you are GDPR compliant.

22. If I resell PCGuys for broadband and that broadband is placed with TalkTalk or BT, do I need to check their GDPR compliance and do I need to tell my customer they may have their data?

In our privacy document, we list the suppliers that we use for web hosting, domain name registration and connectivity services where we share personal data and why, including payment information, so there is complete transparency on how data is received and why it is provided to third parties. This is generally on the basis that Openreach, for example, need to know your client's name and address to provide a service; Nominet need to know who to register a domain name to and so forth.

We would recommend you should do the same, but ultimately it is something you should check with the ICO on whether you need to.

23. How do you store my data?

Data is stored in SQL databases hosted on multiple servers with limited and tightly controlled access. We do not encrypt all data we hold, but we do ensure sensitive information such as any banking details and passwords are not stored in their original plain text format.
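The answer above says passwords are not kept in their original plain text form. As an added illustration of what that means in practice, the following Python example (not PCGuys's own code; the iteration count and salt length are assumptions for this example) stores a salted, stretched PBKDF2-HMAC-SHA256 hash instead of the password, verifies a login attempt against it in constant time, and flags records made under an older, weaker policy so they can be re-hashed at the user's next successful login.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed policy values for this example (not PCGuys's settings).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    The plaintext password is never stored: only the per-user random salt and
    the stretched hash are, so a database leak does not directly expose it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "%s$%d$%s$%s" % (
        ALGORITHM,
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record predates the current policy (unknown format or fewer
    iterations), so it should be re-hashed after the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < PBKDF2_ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password ok:", verify_password("wrong", record))
    print("needs rehash:", needs_rehash(record))
```

Because each record carries its own salt and iteration count, the policy can be raised later without invalidating existing accounts: old records still verify, and `needs_rehash` tells the login code when to replace them.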

24. If I run a basic web site with a database attached with a login area, or send emails to friends or members of say, a small society, do I need to encrypt the data to ensure it is GDPR compliant?

If it is handling sensitive or personal data, it would be wise to run through a GDPR compliance check to see what steps you need to take to ensure you're compliant. You can do this from the ICO's web site at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

25. Are server logs used for any purpose other than security e.g. are server logs analysed by the hosting provider for statistical purposes, such as measuring websites traffic?

They are only used for the purpose of security and measuring a site's traffic by us. However, how you use them and whether that is GDPR compliant is something you should check with the ICO.

26. How long are server logs stored for?

We store control panel, system and server logs indefinitely for the purpose of security and auditing, put simply on the grounds of who did what, where and when, although we reserve the right to remove them if we deem they are no longer required. On the shared platform, we keep graphical statistics alive for the duration the hosting plan is active, and raw log files are kept no more than 14 days.

27. How long are backups stored for sites and email?

If a hosting plan is with us, then we keep a non-guaranteed backup of that site indefinitely. If the plan is removed, we aim to remove any email, web or database data uploaded to us within 7 days.

28. Do I need to tell my customers that I submit their data to PCGuys for orders such as broadband, telecoms and domain names?

We would recommend in your own privacy policy that you mention the suppliers you share data with and a link to our/their privacy policy.

However, we understand that as a reseller you would like to keep PCGuys out of the loop; as PCGuys operates as a wholesale provider, we aim not to appeal to direct customers. How you word this, though, is something you may wish to check with the ICO directly.

29. What happens if a customer cancels their account? Do I need to remove all their data from your system?

This goes back to basics on why you're holding that data. If you are holding it for the purpose of consent or marketing or that you may want to send them a sales related email in the future, you need to ensure you have their continued consent to do so. If they ask you to remove it and you have no legitimate, legal or contractual reason to keep it on our servers, then you should remove it. However, for clarity on how long you should hold data and whether it needs to be removed or can be kept, you should seek further advice from the ICO.

30. If I cancel my account, does PCGuys retain my details and those of my customers I have set up?

Please refer to our privacy policy on how long we retain data for. We do not generally remove your data for the purposes of accounting and billing, but if we have no reason to hold a data record on an individual and we're asked to remove it, we will certainly comply accordingly.

31. What is a 'data processing' document, and do I need one?

Put simply, it outlines how you process data, the reasons why you process it and with whom. You should check with the ICO on whether you need a data processing agreement.

32. Does PCGuys have a processing document?

Yes, a schedule is attached to our Master Terms and Conditions which can be found at:
https://cdn.interdns.co.uk/downloads/reseller_terms/PCGuys%20Master%20Service%20Agreement%20for%20Resellers.pdf

33. What data centre and server security policies are in place?

PCGuys ensures all servers hosting personal data are kept up to date with the latest security patches and updates.

All shared hosting servers are checked and audited on a regular basis for security updates, and we regularly review that our systems and applications are secure.

In terms of data centre security, only authorised personnel have access to the physical machines and the data stored on them, and no unauthorised data is permitted to leave these environments. This is in addition to security measures the data centres employ in terms of access and monitoring.

34. Are PCGuys's shared and dedicated servers behind hardware firewalls?

The datacentres we use have routers which employ traffic protection against denial of service attacks at mass network level, but beyond that, there are no hardware firewalls in place.

On our own shared platform and internal servers, we ensure only those ports required for the purposes intended are open.

Frequently Asked Questions on PCGuys's Own Compliance

i) Is PCGuys aware of the changes to data protection law under GDPR and how it will impact the business?

Yes, PCGuys recently spent a considerable amount of time and resource with legal experts in order to ensure compliance, including a review of its privacy policies and how data is used.

ii) Has PCGuys undertaken formal gap analysis / an information audit against the requirements under GDPR?

Yes.

iii) Have you initiated a project to achieve GDPR compliance?

Yes.

iv) Does PCGuys expect to be compliant with GDPR by 25 May 2018?

Yes.

v) Has PCGuys appointed / will you appoint a Data Protection Officer?

Yes.

vi) Does PCGuys have a training program in place to ensure all relevant staff are aware of GDPR requirements prior to 25 May 2018?

Yes, all staff are trained in relation to how data is handled and the rules around GDPR to ensure compliance, with regular reviews on internal processes.

vii) Has PCGuys created a record of your processing of personal data? (also known as data mapping / audit)

Yes. With the exception of data sent to us via email, all personal data is inputted by the reseller and/or their customer via the Control Panel interface and used in accordance with our privacy policy.

viii) Please detail the personal data that PCGuys's services or products collects, stores, processes or has access to?

We collect data as inputted into our Control Panel and/or web site, as described on the web forms presented. Please see our privacy policy for more information. Only authorised personnel have access to this data.

ix) Does PCGuys transfer personal data outside of the EU?

Only for domain names registered with ICANN.

x) If so, what steps has PCGuys taken to ensure GDPR compliance?

Please see https://www.icann.org/news/announcement-2018-03-28-en for more information.

xi) Do you have a documented process for storing data and retaining it in line with GDPR requirements?

Yes, please see our privacy policy.

xii) Has your organisation considered the GDPR Data Minimisation principle and reflected this in their relevant data retention policies?

Yes.

xiii) Does PCGuys encrypt personal data when you transfer it to third parties? Please describe how data that is transmitted is protected.

We aim to ensure that when data is sent to a third-party supplier, it is sent securely, either via encryption or via SSL.

xiv) Has PCGuys documented its data breach notification procedures to meet GDPR requirements, and have all relevant staff been given adequate training in this?

Yes.

xv) Have you had any data breaches or large-scale data losses in the last 12 months?

We are not aware of any data breaches or large-scale data losses in the last 12 months.

xvi) More questions?

If you have further questions about PCGuys's GDPR compliance, you should email support@pcguystelecom.com. If you have further queries about GDPR and your own compliance, then you should seek further advice from the ICO.

Last Updated: May 2018

Version: 1.0

Category: GDPR
