Tag Archives: GDPR

Here’s how we got ready for GDPR

RapidSSLonline.com has made a number of changes to prepare for GDPR

GDPR is important and we took it very seriously. Here’s a quick look at the steps we took to ensure that we’re GDPR compliant both for us and our partners.

We redid our Privacy Policy

We’ve simplified our privacy policy. It was already available in the footer of every page of our website, but we now link to it from our privacy notifications, to

We added a ton of privacy notifications

At any point where we are collecting your data, we will now notify you about what it’s going to be used for. Trust me, for a site like ours that involved writing a lot of notifications, but we now notify you about pretty much every action we take.

We refined our security practices

We didn’t have too much to do in this department; after all, we’re a cybersecurity company. We already use the requisite safeguards like firewalls and encryption. We also appointed a Data Protection Officer, Robert Walters-Thorn, to oversee our data policy.

We got Privacy Shield Certified

That’s right, you can look us up on the Privacy Shield roll under Rapid Web Services, LLC. Additionally, if you ever have an issue exercising your data rights with us, you can contact the ICDR-AAA, who we use as an independent recourse mechanism for disputes.

We signed DPAs with all our partners

We made sure to contact all of our partners, anyone we share any data with, and get a legally binding Data Protection Addendum with them. This ensures that any data shared will only be used for the intended purposes and also governs what safeguards must be in place.

We recognize your right to be forgotten

We recognize your data rights, as defined by the EU, at RapidSSLonline.com. For the most part, you can access any data we have saved on you in your user control panel after logging in, and it can be modified from there. Alternatively, you can email our Data Protection Officer to get a copy of your data. You may also choose to delete all of your data by sending an email to the DPO; we will delete it within 72 hours.

The only data we may not be able to delete is any data published in certificate transparency logs following issuance of an SSL certificate. While we don’t anticipate this being a major issue, it’s worth putting out there that we do not operate a CT log, nor do we publish to any directly. So we can’t really help with that.

Overall though, we want you to feel comfortable doing business with us. We’re just out here trying to help businesses and site owners find affordable SSL certificates—we really don’t have anything to hide.

Stay cautious, my friends.

GDPR: 5 things US businesses need to do before May 25

The General Data Protection Regulation requires your action

The European Union’s newfangled General Data Protection Regulation (GDPR) becomes enforceable on May 25th. It’s a well-intentioned document, but like anything else that is written by politicians at a big-government level, it’s fairly ham-fisted in many areas.

Part of the problem is that it requires you to have a knowledge of previous European legal frameworks like the ePrivacy Directive, in addition to knowing some European case law. For American businesses, navigating this can be tricky, especially when you factor in that European legalese is much different from the legal writing in this country. It’s written like you need to be wearing a powdered wig to make complete sense of it. It can all be a bit jarring. It can also be lethal if you’re a small company and you run afoul of the GDPR.

Penalties for violations start at 10 million euros or 2% of your total revenue, whichever is bigger. More egregious issues will be met with fines of 20 million euros or 4% of total revenue.

If Facebook had had its Cambridge Analytica scandal after May 25th, in Europe, it would be looking at a fine worth more than 7 billion dollars.

Those are pretty high stakes. And as you’re about to find out, compliance with the GDPR isn’t just an issue for European businesses. US businesses might be in for some trouble, too.

Here are five things US businesses need to do before May 25.

1 – Figure out whether you need to be GDPR compliant

This sounds dumb, but it’s really not. In my experience, one of the biggest reasons for non-compliance is simple ignorance. The violations occurred because the party in question had no idea they needed to comply with something in the first place. This is especially true for smaller businesses, which is made even more dangerous by the penalties that can be levied. For small businesses, the GDPR can present existential crises. One fine and you’re down for the count.

The misconception is that only businesses in Europe need to comply with the GDPR. That is patently false. Someone said that to me the other day, actually. “But Carl, we don’t need to do anything for GDPR because we’re not in Europe.” I leaned in real close to him, maybe an inch from his face, and snarled at him, “I’ll get you. And it will look like an accident.”

Anyway, if you do any business in Europe, you need to be GDPR compliant. Now, what, you might ask, does “doing business” entail? That’s a question that’s still being debated. It’s written a bit vaguely. But for our purposes, if you market products in Europe, accept European currencies or have any sort of physical presence in the European Economic Area, you are doing business in Europe.

Now, if you’re a dentist in Memphis or you run a company that rents out those inflatable bouncy houses in the suburbs of Toledo, you probably don’t need to be GDPR compliant. But if your company or organization makes any attempt to market or sell in the EEA, you need to comply.

2 – Know your role

Once you’ve decided whether or not you need to comply with the GDPR (and assuming you do, as you probably would’ve stopped reading by now otherwise) it’s time to figure out the role you’re serving in the data ecosystem. There are three basic roles:

  • Data Subject – The individual whose data is being collected
  • Data Processor – The party that processes data on behalf of someone else
  • Data Controller – The party that controls the personal data and determines what it’s processed for

Now, there’s a very simple litmus test for whether you’re a processor or a controller: do you store the information on your servers? If you do, you’re a controller. If you just process what someone else sends you and store nothing, then you’re a processor. Remember, controllers can process, but processors don’t control.

It’s extremely important that you figure out your role. And that you’re correct about it, too. You don’t want to find out the hard way that you’ve been mischaracterizing yourself. There’s nothing worse than getting knee-capped because you complied with the wrong set of rules.

3 – Map everything

This is actually a lot easier than it sounds… for most people. If your web presence is a hydra with various public-facing domains and massive digital infrastructure, this could be a challenge. But you should have the resources.

SMBs should have no problem though. Here’s how you do it:

  1. Crawl your website looking for every single touchpoint that collects personal data.
  2. Identify what information is being collected at those touchpoints.
  3. Identify what the information you’re collecting is being used for in each instance.
  4. Figure out where you’re storing this information.
  5. Figure out what a customer would need to do to modify or delete it.

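Steps 1 and 2 of that list can be bootstrapped with a script: parse each page you crawled, pull out every form and the fields it submits, and flag the ones whose names look like personal data. The example below is added here and is not RapidSSLonline’s own tooling; it runs over a few constructed HTML snippets standing in for crawled pages, and the field-name heuristics are assumptions you would tune to your own site. Steps 3 to 5 (purpose, storage location, how to modify or delete) still have to be filled in by a human for each row it produces.

```python
from html.parser import HTMLParser

# Constructed sample pages standing in for crawled site HTML (not real pages).
SAMPLE_PAGES = {
    "/checkout": """<form action="/order" method="post">
      <input name="full_name"><input type="email" name="email">
      <input name="card_number"><input name="promo_code"></form>""",
    "/newsletter": """<form action="/subscribe">
      <input type="email" name="email"><input type="checkbox" name="consent"></form>""",
    "/faq": "<p>No forms here.</p>",
}

# Assumed heuristic: substring of a field name -> category of personal data.
PII_PATTERNS = {
    "email": "contact", "phone": "contact", "address": "contact",
    "name": "identity", "dob": "identity", "birth": "identity",
    "card": "payment",
}


class FormInventory(HTMLParser):
    """Collect every <form> on a page and the input names it submits."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "select", "textarea") and self._cur is not None:
            self._cur["fields"].append((a.get("name", ""), a.get("type", "text")))


def classify(name, itype):
    """Return a personal-data category for a field, or None if it looks harmless."""
    if itype == "email":
        return "contact"
    for key, cat in PII_PATTERNS.items():
        if key in name.lower():
            return cat
    return None


def map_touchpoints(pages):
    """Return [(page, form action, {field: category})] for forms collecting personal data."""
    out = []
    for page, html in pages.items():
        p = FormInventory()
        p.feed(html)
        for f in p.forms:
            pii = {n: classify(n, t) for n, t in f["fields"] if classify(n, t)}
            if pii:  # forms with no personal-data fields are not touchpoints
                out.append((page, f["action"], pii))
    return out
```

Running `map_touchpoints(SAMPLE_PAGES)` yields one row per data-collecting form, which is the skeleton of the data map the GDPR expects you to keep.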
Now, and here’s the most important part: write that stuff down. Document everything. It’s crucial that you know exactly what is being collected, where, and why. This is also a good time to identify any superfluous data that you’re collecting and stop, because the GDPR is pretty clear about only taking what is needed and not hanging on to it for too long afterward. I realize that sounds like something Pocahontas would have said to John Smith, but it’s still good advice.

4 – Figure out your Legal Bases for processing

There are six justifiable legal bases for processing information under the GDPR, though it’s clear from a lot of the guidance and from the document itself that the GDPR favors consent over the other five. The conditions for obtaining consent are rigidly defined and extremely, well, rigid. Consent must be freely given, the data subject must be well-informed and given an obvious choice to opt out. You can’t opt someone in by having a box checked by default. And for emails, you need a double opt-in. Additionally, the data subject maintains certain rights over the information when consent is used as the legal basis for processing. Consent also expires. The GDPR isn’t explicit about its shelf life, but you’re ideally supposed to re-engage and re-permission at regular intervals.

That makes marketers sad.

Fortunately, there are ways to get around using consent as your legal basis. For instance, if you’re running an e-commerce website, you can claim legitimate interests as your basis for processing some data, specifically for the purposes of cart abandonment and email marketing. Additionally, many organizations are processing information as part of the terms of a contract. That’s a justifiable legal basis, too. Before you charge headfirst into using consent as your legal basis, explore the other five to see if one of those might work better.

5 – Get EU-US Privacy Shield certified

The GDPR bans cross-border data transfers except into jurisdictions that provide “adequate” data protection. In this case, we’re not referring to technical safeguards, but rather legal ones. Unfortunately, the United States has not been deemed adequate.

So instead, what you’ll need to do is get EU-US Privacy Shield certified. Basically, you need to perform a self-assessment similar to the one we discussed earlier. You need to lay out what data you’re collecting and what you’re doing with it, then you need to agree to follow the principles set forth in the EU-US Privacy Shield framework. Finally, you’ll have to get a corporate officer to sign it, pay some fees (depending on your size and revenue, upwards of several thousand dollars) and submit your self-certification to the Department of Commerce. You have to re-certify every year, too, and once you commit to the Privacy Shield policy, the FTC or the Department of Transportation, whichever oversees you, can legally fine and penalize you for non-compliance.

If you think #5 sucks, you’re not alone. And while I like to avoid politics like the plague, this is all Donald Trump’s fault. That’s not hyperbole; it’s a factual statement. You see, it was President Trump, who ran on an anti-immigration platform, who signed an executive order in his first week in office that tried to crack down on Sanctuary Cities. Keep in mind, this executive order was meant to target Hispanics (and probably Muslims, too). It included a line that said:

Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

Basically, that meant that the digital privacy rights afforded to American citizens do not extend to non-citizens. Foreigners have no right to digital privacy in the US. As the European Commission was quick to point out, a point which the Trump administration clearly missed, this executive order also strips digital privacy rights from Europeans. Thus the US does not afford “adequate” data protection for EU companies to comfortably transfer data into its borders. Congress has attempted to rectify this situation by passing the US Judicial Redress Act, which once again extends the benefits of the US Privacy Act to Europeans. That’s kind of racist when you think about it, but let’s not. Instead, just remember who to thank when you have to pony up a few grand each year just so you can continue business as usual with your European partners.

I hope this helps you out, and as always, leave any comments or questions below.

Stay cautious, my friends.