General Data Protection Regulation
We are writing to you today regarding the new General Data Protection Regulation (GDPR) adopted by the EU. The GDPR imposes new obligations that may require companies to adjust their policies and procedures for storing and processing the personal data of users residing in the EU. While the GDPR will most visibly affect web sites built specifically for EU users, it applies to any organization that processes the personal data of EU residents, so these regulations ultimately impact all companies that operate a web site.
Americaneagle.com recommends that all of its customers seek independent legal advice on the impact of GDPR on their organization as each customer is responsible for their own GDPR compliance.
As your data processor, we'd like to explain how we handle data in our hosting environment and also recommend some things that you, as a Data Controller, may want to consider as you review your own compliance.
As your data processor, Americaneagle.com has implemented the following steps towards meeting its own obligations under the GDPR:
- Americaneagle.com has been a Visa/MasterCard PCI-compliant service provider since 2007; the security controls required by PCI DSS overlap substantially with the GDPR's security-of-processing requirements (Article 32).
- Americaneagle.com has created a process for removing data when a customer or prospect requests that their data be erased (the "right to be forgotten").
- Americaneagle.com has reviewed its incident response policy and process to make sure it meets GDPR requirements, including the obligation to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it (Article 33).
- Americaneagle.com has appointed a Data Protection Officer.
As a data controller, you are responsible under the GDPR for determining how personal data is collected and used on your site. If you require assistance in this area, Americaneagle.com can provide auditing services covering the following:
- Identifying entry points on the site where end-user information is collected and which may require additional user consent.
- Reviewing the use of cookies on the site.
- Identifying strategic places where you may wish to add a "Right to be Forgotten" form on the web site.
- Adding functionality that makes it easier for your admins to locate and remove end-user data within your admin section or content management system (CMS).
- Reviewing how personal data is stored and whether it should be encrypted. Encryption of personal information is not strictly required for GDPR compliance, but it is one of the best ways to minimize the damage if a security breach were to happen on your site, and the GDPR specifically cites encryption as a measure that can relieve you of the duty to notify affected individuals after a breach (Article 34). Note that encryption only provides this protection if the keys are stored and managed separately from the encrypted data.
- Please note that this may include a review of more than just your website, such as any third-party tools that record analytical data, including but not limited to: user analytics, page views, interactions, member or form data, user session recordings, etc.
While there are steps that companies should take now as part of an overall GDPR compliance program, several areas of the GDPR remain vague and open to interpretation. Such challenges are typical whenever new regulations are introduced, and we should all expect changes and adjustments as time goes on and those gray areas are clarified by regulators and the courts. As that happens, Americaneagle.com is prepared to assist customers with their processing needs as the requirements and best practices evolve.
If you have any questions or would like our assistance with GDPR, please call or email your Americaneagle.com Account Manager - or you may email us at: [email protected]