A five-minute glance at how the EU’s incoming GDPR will affect the Domain Industry
The General Data Protection Rule is set to come into effect on May 25, and with it will come far-reaching changes to the way businesses collect, handle and process personal data. The GDPR will replace the Data Protection Directive of 1995. It’s intended to provide uniform protections to individuals living in the EU.
However, you don’t have to be based out of the EU to be affected by the GDPR. Anyone with a European footprint, that is, any business with customers under the jurisdiction of the EU will need to comply lest they face fines or other legal penalties.
This is the third entry in our series on the GDPR. Last week we gave seven tips for web hosts as they prepare for the GDPR. This week we’ll give advice to the Domain Industry.
Important GDPR Terms to Know
As we discussed last week, one of the most important things to do when preparing for the GDPR is “learn the lingo.” Here’s a set of key terms you’ll need to be familiar with as you begin to navigate compliance.
Data Subject – The person to whom the information relates.
Subject Access Request – A written request from an individual requesting action on the data held about them. This can mean notifications about what data is possessed, where it is stored, corrections to that data and also the outright deletion of it.
Personal Data – Any information related to an identifiable person.
Data Processing – Obtaining, recording or holding information, or carrying out any operation on said information.
Data Controller – The entity that determines the purpose for which and the manner in which data is processed.
Data Processor – Any person or entity who processes information on behalf of a data controller.
What are some of the biggest changes?
To make this easier to digest we’ll just break this down into a bulleted list.
- The GDPR applies to anyone that provides services to, markets to or collects data from EU citizens, regardless of where your organization is based out of.
- Consent for the storage and use of information must now be freely given, it must be specific and informed and it must be unambiguous.
- EU Citizens have the right “to be forgotten,” meaning that they can demand their information be deleted at any time.
- All Data Protection Agencies can enforce the GDPR regardless of where a business is based.
- Fines can be up to 20 million € or 4% of the annual global group turnover.
- In the event of a breach or a leak, companies must inform the relevant Data Protection Agency immediately.
- Liability is extended to both data controller AND data processor.
How Data Flows in the Domain Industry
How the GDPR Affects: Domain Name Registries
Domain Name Registries will need to consider all of the following, for starters data transfers to Data Escrow Agents, EBERO, ICANN and Registry Service Providers will need to comply with the GDPR. Additionally, the data you publish on Whois will need to be reduced to just what is necessary. And a lawful basis for processing this information will need to be established. The lawful bases covered by the GDPR are: consent, performance of a contract with the individual, a legal obligation, vital interests, interest of the public, your legitimate interests.
Note: Because registries collect the data from Registrars, they cannot rely on consent to process data.
- A Registry is a Data Controller.
- Information collected in the first instance needs to be reduced to just what is necessary for registration of the domain name.
- Zone files that can be accessed sometimes contain personal data.
- Registries will have to process data subject access requests.
How the GDPR Affects: Domain Name Registrars
Domain Name Registrars will need to consider all of the following, for starters data transfers to Data Escrow Agents, Registry Operators and ICANN will need to comply with the GDPR. And as with Registries, the information you publish on Whois will need to be minimized to only what is required. Likewise the information you collect as a Registrar. All information must also be kept up to date. As for establishing a lawful basis for processing the information, while registrars collect data from the registrants (data subjects) and could rely on consent to process the registrant’s data, citing the performance of a contract would be a better decision.
- A Registrar is a Data Controller.
- Registrars will have to process data subject access requests.
Data Subjects Have the Following Rights
Data Subjects have the right to:
- Ask a company what information it holds about them, as well as why.
- Ask to gain access to their own information.
- Requests that the information be changed or updated.
- Object to or limit the processing of data.
- Receive information about how your organization is meeting its data protection obligations.
- Be informed in the event of a breach.
- Have their information deleted (under specific circumstances)
Check out the rest of the Hashed Out GDPR Compliance Series
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices
- GDPR: When to report a Personal Data Breach