GDPR and WordPress: what are the implications for data collected by the host?

  • I had another GDPR moment, just when I thought I was getting on top of things with the Privacy Policy, cookie audits, etc.: What about the site-related data held by the host (assuming you are not self-hosted)? I have IP addresses in the server logs, and IPs + browser details logged in cPanel’s AWStats. Plus, all emails are stored on the same server. My host is working on pushing some information out on this, but can I assume that as the website owner I am ultimately responsible for this data, as I have entered into a contract with my host? Obviously the world is not going to stop come 25 May, but have I overlooked something here, or is everyone pretty much in the same position right now?

    • This topic was modified 2 years, 5 months ago by barnez. Reason: Added that email archives are also a factor
  • I would say everyone is in the same position. You’ll never have full control over server logs, IP addresses, … For instance: how will you ever be able to control all the servers between the visitor and your website; routing is not always using the same servers.
    As a small user of the internet, I wouldn’t worry too much about that GDPR.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    IANAL, Controlling your website doesn’t necessarily mean it is your responsibility. GDPR is for ‘data processors’ and ‘data controllers’ – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/

    So as website owners we are responsible for the data that we directly collect through WordPress/themes/plugins, or consent for collection through third parties (analytics), but at the level of the web host they then become responsible for the data that they collect (IP addresses), or consent for collection through the apps/modules they include in their hosting plans, from the websites that they host.

    @barnez, that would only be fair as the end user of a WordPress install (no matter who hosts it) has no control over what data is collected and how by:
    1) the hosting server (being IPs, Metrics, etc.)
    2) the installed script (in this case WordPress)
    3) the additional services provided by the WordPress platform (such as JetPack)
    4) the 3rd party free or paid plugins
    5) the 3rd party active theme

    If the site owner was to develop a plugin or theme which performed data collection and installed it on their site, then I’d say sure! He must be the one responsible for complying with the GDPR… but short of that offloading responsibility on site owners when they use free or paid services to publish content is a nonsense equal to considering a hosting platform responsible for the content being published by a site owner.

    Compliance is a burden on the entity providing the product and/or service.

    It’s no different to the compliance which vehicle manufacturers need to meet in order to bring a vehicle to market. It’s not the customer who must ensure compliance just because they purchased a vehicle and saying otherwise would be plain silly. It’d be at least as silly as holding responsible a vehicle manufacturer in the event a customer who purchased their vehicle broke one or multiple laws while operating or owning said vehicle.

    What is most unfortunate and is creating more doubts and headaches than necessary is that the lawmaker who came up with the GDPR didn’t spell this out in clear terms as they were most certainly thinking of large corporations and companies who collect data, not the small business owners with a web presence, the hobbyist or soccer mom running a web blog and interacting with others via comment threads.

    • This reply was modified 2 years, 5 months ago by freakqnc.