Will Dreamhost be GDPR compliant?


#1

Hi, we’re a potential UK-based customer and we’re wondering if Dreamhost will be GDPR compliant come May 2018?

There’s nothing on their website about it so I’m assuming not.


Is Dreamhost Privacy Shield certified?
#2

This is an individual website thing. Make sure you are GDPR compliant by not collecting/storing private user data.


#3

It’s true that GDPR mostly applies to the individual site, but it also has rules for web hosting:


#4

Consider that DreamHost does not “process” your user data. Every website (and multiple sites per shared space) puts data wherever they see fit. DreamHost doesn’t reach into your databases to see WordPress from Joomla from Drupal, and then process your data differently.

The host also cannot accept responsibility for deleting such information if one of your users requests it.

If you continue to follow that chain then you’ll need to involve the providers of the hard drives and the power company. The responsibility for application data stops with the application. It’s my understanding (no lawyer here) that GDPR intends hosted applications to comply with terms, so if you, manager of (say) a forum on some openforums.foo, do not remove a user profile, then that host, experts in that forum and managers of the database, accept responsibility. Again, this is at the application/database level.

Anything below that is unreasonable and I don’t believe that law would have made it through if it was that unreasonable.

EDIT: To refine that: It’s my belief and understanding that the regulations apply to those who control the data. DreamHost controls the data for their clients. You control the data for your clients. DreamHost doesn’t access your data, and in fact, their doing so would be a violation of privacy. The legal terms defined by DreamHost indemnify them against our action, inaction, or negligence.


#5

Hello christiaan,

We do plan to complete our GDPR certification in the very near future.

If you have any additional questions let us know!

Thanks,
Mari


#6

Disregard Disregard Disregard Disregard


#7

Okay Mari, thanks for letting me know.


#8

And will that be before May 25th?


#9

Thanks for the info, Mari.

Any news or concrete time frame on this?

Our lawyer gets nervous and we don’t want to change our hosting provider (as we like DreamHost), but we have a deadline here to get things sorted before we have to look for alternatives.


#10

It appears that we do plan to have this completed as soon as possible, but at this time we do not have an exact ETA.


#11

Well, as far as I understand, the main concern for your European customers is that GDPR requires them to store their databases only at hosting companies that can provide a “sufficient” security level for the stored data. Since it is almost impossible to prove security levels for every single company, European countries generally consider Privacy Shield certified companies acceptable.
Will Dreamhost be Privacy Shield certified?


#12

@Nelex: IP addresses are also personal data. So it’s not only about databases; server log files are also affected, as they include the IP address. As far as I could see in our DreamHost settings, it’s not possible to turn server logs completely off or to anonymize IP addresses in the log files. Even if you don’t save a database, you are still affected by the server logs.

And yes, Privacy Shield is a must.
We are still waiting to see DreamHost listed at https://www.privacyshield.gov/list
But our countdown is running :frowning:


#13

We’re in the same boat here. The May 25th date is getting very close and if Dreamhost don’t confirm that they have Privacy Shield status in the next week or so, we’re going to have to move all our hosting elsewhere - something we really don’t want to do. Apart from all the work involved, we really like what Dreamhost has to offer and our relationship with them.


#14

RE: Logs. See this article which provides specific text which supports logging for our common purposes. Actual GDPR recital here. We do NOT need to disable logging. That’s freaking ridiculous and not the intent of any of this legislation.

I use IP addresses to blacklist hack attempts. I need to keep those addresses, not others. I don’t want a hacker to sue me because I kept his personally identifiable information in my system. There is a legitimate purpose for this practice. Therefore I need to get all users to agree to that practice. HOWEVER, if someone is hacking, can they legitimately file suit against me for defending specifically against their efforts? I don’t think so. But I need to prove that the IP in question really did justify defense against it. So I need logs to get that data, and then I need to purge them after I have that info. No logs, no info, no ability to blacklist known offenders.

Note a consistent theme with GDPR is that we’re not being asked not to collect data but to ensure that visitors know that data is being collected. If you use server logs for legitimate purposes, draft up technical, legal, user-readable notes about why, and get your visitors to accept or leave. Otherwise, yes, the servers will store the data but you can purge it frequently via cron.

That is not something that DH will do for you. Do not rely on DH for your indemnification. Their statement to you is about your data. You need to ensure that you know why you have specific information, purge what you don’t need, and get approval with the help of your legal counsel to keep whatever you do need.
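The workflow sketched in #12 (anonymizing IP addresses in the log files) and #14 (keep only the addresses that justify a block, purge the rest, automate it via cron), as an added example that is not from this thread and is not DreamHost tooling. It assumes an Apache/nginx "combined"-format access log, treats an address that produced at least `THRESHOLD` 4xx responses as a probe worth retaining (a made-up heuristic; tune it for your site), anonymizes every other address by zeroing the host part, and renders the retained addresses as an Apache 2.4 `.htaccess` deny block. The log lines are constructed sample data using documentation address ranges.

```python
#!/usr/bin/env python3
"""Data-minimising access-log pass: retain offender IPs, anonymize the rest.

Added example, not DreamHost's code. Assumptions: combined log format,
a simple "many 4xx responses" heuristic for hack probes, and Apache 2.4
.htaccess syntax for the resulting block list.
"""
import ipaddress
import re
import sys
from collections import Counter

# Combined log format: ip - - [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

THRESHOLD = 3  # assumed: 4xx responses from one address that mark it an offender

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2018:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 215 "-" "curl/7.58"',
    '203.0.113.5 - - [10/May/2018:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.58"',
    '203.0.113.5 - - [10/May/2018:10:00:03 +0000] "GET /.env HTTP/1.1" 404 215 "-" "curl/7.58"',
    '198.51.100.7 - - [10/May/2018:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2018:10:01:05 +0000] "GET /missing.png HTTP/1.1" 404 215 "-" "Mozilla/5.0"',
    '2001:db8:1:2::9 - - [10/May/2018:10:02:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def anonymize_ip(ip: str) -> str:
    """Zero the host part: keep /24 for IPv4 and /48 for IPv6 (assumed granularity)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def find_offenders(lines, threshold=THRESHOLD):
    """Return {ip: count} for addresses with at least `threshold` 4xx responses."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status").startswith("4"):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def minimise_log(lines, offenders):
    """Keep offender lines verbatim (evidence for the block); anonymize all others.

    Lines that do not parse are left untouched so nothing is silently lost."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("ip") in offenders:
            out.append(line)
        else:
            out.append(anonymize_ip(m.group("ip")) + line[m.end("ip"):])
    return out


def render_htaccess(offenders):
    """Apache 2.4 block: allow everyone except the retained offender addresses."""
    body = ["<RequireAll>", "  Require all granted"]
    body += [f"  Require not ip {ip}" for ip in sorted(offenders)]
    body.append("</RequireAll>")
    return "\n".join(body) + "\n"


def process_log(log_path, htaccess_path):
    """Rewrite the log in place with non-offender IPs anonymized; emit the deny block."""
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        lines = [ln.rstrip("\n") for ln in fh]
    offenders = find_offenders(lines)
    with open(log_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(minimise_log(lines, offenders)) + "\n")
    with open(htaccess_path, "w", encoding="utf-8") as fh:
        fh.write(render_htaccess(offenders))
    return offenders


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(process_log(sys.argv[1], sys.argv[2]))
    else:  # no paths given: demonstrate on the constructed sample
        found = find_offenders(SAMPLE_LOG)
        print("\n".join(minimise_log(SAMPLE_LOG, found)))
        print(render_htaccess(found), end="")
```

Run it from cron against a copy of the day's log, for example `0 3 * * * python3 ~/bin/minimise_log.py ~/logs/example.com/http/access.log ~/example.com/.htaccess-deny` (a hypothetical path layout), and include the generated file from your real `.htaccess`. The retained offender lines are the evidence you would need if the block were ever challenged; everything else in the file no longer identifies a visitor.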


#15

We would have no problem saving IP addresses on a server that is placed within the EU, or on a server outside the EU from a company that has Privacy Shield status. But nowhere else!

We have spent many weeks becoming GDPR compliant, and it’s not my personal opinion or preference that counts. We do what our privacy expert / lawyer recommends, and she knows the GDPR very well.


#16

What does your privacy expert / lawyer say about my last note?


#17

She has not read your post, but this is what I’m pretty sure is correct (I’m not a lawyer, I’m a computer scientist):

Of course you have to delete all your saved personal data yourself, not the hosting provider (DH). Saving IP addresses isn’t a problem in general, and documenting it is very easy. But what is also important here is where the personal data is stored: either on a server/company within the EU, or on a server outside the EU from a company with Privacy Shield status.


#18

If Dreamhost stops supplying daily server access logs, I’ll need to move. There’s no way I can operate my site without having unrestricted access to log data.


#19

Just checking in and glad I did. Any status updates for GDPR Compliance?

This article has me wondering…https://www.forbes.com/sites/bernardmarr/2018/05/07/here-are-8-things-every-business-needs-to-do-now-to-get-gdpr-ready/#1a7244af7cf6

EDIT - Scratch that, my company should be good to go either way, at least if I understand the regulation correctly…

https://www.eugdpr.org/


#21

I am currently moving all my 30 or so client websites away from Dreamhost as they have not shown any impetus to meet the GDPR deadline. I have been asking since January and have always had the same vague “Yes we are planning to but cannot advise when” response. I cannot wait until May 25th to find out if they manage it or not.

The EU are quite clear (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en) that having personal data in the US is not permissible under GDPR / Adequacy rulings unless the company is certified under Privacy Shield.

“The European Commission has so far recognised [list of countries] and the US (limited to the Privacy Shield framework) as providing adequate protection.”