TL;DR: OVH has long been a leader in the hosting space — boasting more than 300,000 servers operating across 27 datacenters worldwide. And, while some in the European market have had to scramble to prepare for the May 2018 GDPR deadline, OVH has always placed a priority on keeping its customers’ data safe. We recently sat down with OVH Data Protection Officer Florent Gastaud, who gave us the scoop on what GDPR means for hosts and site owners, and how the company plans to continue delivering high-quality cloud solutions coupled with industry-leading data protection.
News of privacy infringements by data-mining schemes is front-page fodder much too often these days. Concerns over data breaches and the sale of personal information have led many internet users to install ad blockers and employ more secure web browsers. But European lawmakers have decided that regulation is a better alternative than placing data-protection responsibilities in the hands of consumers alone. In response to the rising controversy over identity theft and the data-for-sale industry, the General Data Protection Regulation (GDPR) was adopted by the EU in 2016, giving member states a two-year grace period to ensure compliance.
Similar to HIPAA and other consumer information safeguards, GDPR was created as a set of legislative guidelines businesses must follow to ensure the security of customer data. The EU previously adopted the European Data Protection Directive in the mid-1990s. Although this provided sufficient protections during the web’s infancy, the directive eventually needed to be reformed to maintain pace with evolving technologies. Following an official statement by the European Data Protection Supervisor in 2011, several proposals were made and reviewed by the Article 29 Working Party and the European Commission. Eventually, a fully-formed GDPR was proposed to the European Parliament, which voted overwhelmingly in favor of the new regulation in 2014.
The May 2018 GDPR compliance deadline has been heavily discussed in the tech world, with site owners strongly encouraged to purchase SSL certificates and similar security measures. Websites that fail to comply by the deadline will be flagged as unsafe by web browsers. The GDPR grants data protection to all EU citizens, but the legislation doesn’t just affect European companies — the regulation is set to have a sweeping impact on the web’s global business community. And nowhere has a pre-emptive focus on data security and customer education been more important than in the hosting industry.
Representing a large portion of the UK’s hosting market, OVH is responsible for helping over 1 million customers meet the GDPR deadline.
“As a European actor, OVH has always grown with a constant concern for the data protection of its customers,” said OVH Data Protection Officer Florent Gastaud. “OVH, like some European players, is already prepared for the GDPR’s main principles.”
In addition to appointing Florent as Data Protection Officer, OVH has taken a privacy-by-design approach that uses both physical and logical security measures for the mass of data stored and processed on its servers.
Over the years, modern businesses have become custodians of increasingly large pools of consumer data. This is especially true in the retail, healthcare, and financial sectors, where sensitive information is stored for millions of individuals. In light of 2017’s rash of security breaches targeting data-heavy organizations, such as Equifax, GDPR is a welcome change to the way data is handled.
In the EU, GDPR is expected to dramatically decrease the frequency of these breaches as site owners implement better security practices, including updating or acquiring SSL certificates. With SSL (256-bit) encryption, even stolen data cannot be deciphered by hackers. Because many webmasters aren’t intimately familiar with the latest security measures, OVH’s compliance plan seeks to streamline the transition by providing free SSL, detailed security documentation, and risk assessment tools.
“The GDPR is the evolution of data protection regulations in Europe,” Florent said. “The GDPR brings new obligations and responsibilities, some of which still raise questions regarding their interpretation. Meanwhile, we need to integrate these new elements in our internal process according to our own interpretation.”
Although GDPR was created mainly with end users in mind, businesses also benefit from maintaining compliance and transparency. Companies that respect and protect user privacy are seen as more trustworthy and ethical, leading to increased reputation and sales.
In recent years, the cloud has become an increasingly popular venue for business operations due to its convenience and security. With data stored off-site — and only accessible via strict authentication methods — the cloud is a welcome addition to the hosting services offered by OVH. The company’s private cloud VPS features security and compliance measures for ISO, CSA STAR, and GDPR built into its core.
“We provide technical documentation on our security measures, and we offer our customers a Data Processing Agreement,” Florent said. “We are also developing a tool that will help them select the best OVH product based on the risk of their personal data processing procedures.”
Additional cloud solutions from OVH include VMware-based hybrid clouds and remote virtual desktops, as well as network management services that include load balancing, advanced firewalls, and anti-DDoS protection. Using hybrid and virtual desktop solutions, businesses can access data and applications securely from multiple devices while OVH personally handles the processing.
“When you select an OVH service in Europe, your data does not leave the EU or adequacy countries,” Florent said. Data adequacy is a status granted by the European Commission to non-European Economic Area countries that provide a level of personal data protection equivalent to that provided in European law. “Your data is never processed in the US. We also manage and maintain our own servers, racks, and datacenters, so your data will not be outsourced.”
As a long-standing leader in the UK hosting space, OVH is no stranger to the EU’s strict data protection standards.
“Being a European actor, OVH has always grown in a regulated environment — security and data protection is one of our constant concerns,” Florent said. “This is not something we discovered with the GDPR.”
OVH has applied data protection standards to its entire portfolio, from its cloud products and dedicated servers to its Digital Launchpad and other services. Aimed at helping startups achieve success, OVH Digital Launchpad has helped bring many useful security products to market, including Leakwatch’s monitoring services. Regarding its own hosting services, OVH has reformed its approach on numerous occasions to help clients better comply with regulations.
OVH has implemented a number of physical security measures for its PaaS and SaaS offerings, including appointing security guards and enforcing strict access limitations on even fully authorized personnel.
“Some of our PaaS and SaaS products have or will evolve to propose, by design, services that permit our customers to respect their own data protection obligations,” Florent said.
Aside from physical restrictions to data access, OVH uses a specialized password management system and two-factor authentication measures from YubiKey. Additionally, every data interaction is traced and compiled in reports in accordance with GDPR’s new regulations.
The GDPR is a step forward in protecting individual privacy and preventing fraud. With additional guidelines for data-sensitive industries, such as healthcare and finance, the GDPR was created to assuage public fears regarding security breaches and identity theft.
While the GDPR has challenged many businesses to rethink their strategies, the final outcome is peace of mind for all parties — data loss risks are significantly reduced while returns on investments ultimately increase. Consumers, in turn, develop a more positive view of these proactive organizations.
“We believe that GDPR will bring more trust between citizens and companies who process their data,” Florent said. “We therefore welcome the GDPR.”