Update: March 6, 2018

Previously, we had announced plans to apply GDPR-related requirements and processes only to domains registered by EU-local individuals*. We have since changed our approach and now plan to extend these heightened privacy and security requirements to all registrants and reseller partners. This streamlined solution ensures that our platform is secure and GDPR-compliant, and recognizes that there are privacy laws worldwide, beyond the GDPR, which must be respected.


“Data privacy by design, data privacy by default.” You may have heard this phrase recently, on Twitter or in blog posts, but where does it come from? What does it really mean? Most importantly, how does it affect your customers and their domain names?

What is the GDPR?

The European Union’s General Data Protection Regulation (“GDPR”), coming into effect in May 2018, lays out a new set of rules for how the personal data of people living within the EU (“EU-local individuals”)* should be handled. It sets out the protection of personal data as nothing less than a fundamental human right, alongside other rights such as freedom of expression, freedom of thought, and the right to a fair trial. The GDPR is complex and far-reaching, and we’ll look at a few of the most impactful areas in this blog post. You can also keep an eye out for updates on our dedicated GDPR page.

Data privacy by design, data privacy by default

How many times have you bought a concert ticket online or RSVP’d to an event, only to find your inbox unexpectedly filling up with the concert venue’s newsletters and invitations to other events that are only tangentially related? Wouldn’t it be great if service providers had to get permission to use your contact information for anything other than what you’d provided it for in the first place?

That type of clear, informed consent is one of the basic requirements in the GDPR. Any business taking in your personal data not only has to explain what they need it for, but they’re also simply not allowed to require you to provide more information than the absolute minimum they need to get the job done. What’s more, they can’t use your info for any purpose other than that which you agreed to in the first place. This puts you in charge of how your info is used from the very start — by design and by default — instead of making you unsubscribe after the fact.

Direct mail campaigns aren’t as popular as they used to be, but I still get a few pieces of paper mail each week, and I’m always both amused and a little scared at how companies I’ve never heard of get my contact information. A friend of mine used to put the name of the service provider in the second line of his address every time he signed up for something new, and he was amazed to find that his credit card and telephone providers shared his info with any number of sales companies.

Online marketers these days use email rather than postal mail, of course, but the underlying issue of your personal data being shared by someone you trusted with it remains, and the GDPR takes aim at this problem as well. Not only should companies’ use of your data remain within the limits of what you consented to, but the data needs to be stored securely, accessed only for the reasons already agreed upon, and cannot be shared with third parties outside the bounds of this regulation and what you consented to.

Quick, transparent reporting on data security breaches

We all know mistakes happen, and security best practices are constantly evolving. Living in the world means accepting some measure of risk, and it seems that every few days there’s a news story about a major data breach affecting hundreds of thousands of people — but usually, by the time we hear about it, the breach happened months ago, leaving sensitive information exposed to the world and the affected people unaware. The GDPR addresses this with a timeframe around breach notifications, requiring that people whose information has been compromised are notified as soon as possible. This notice must include an explanation of what happened, what’s being done to fix it, and what the affected people should do to protect themselves. This type of information empowers each person to respond the way they think is best in each circumstance in order to protect their own privacy.

The right to be forgotten

I once created an account with a subscription box service, the kind that would send me new makeup every month. Only after I signed up did I discover that they were all sold out… I wouldn’t get anything for at least six months, if not longer — I can’t wait that long for a new lipstick! I cancelled the account, but couldn’t get them to stop emailing me, asking me to reactivate, choose my colours, pick my brands. Why can’t they just forget all about me? Or, for a perhaps more serious example, how often do we hear stories about people who lose out on job opportunities for which they would be very well-suited, just because of youthful indiscretions that still come up high in online search results?

That’s another important aspect of the GDPR: the right to be forgotten. Under these new rules, people can go back to service providers and revoke the consent to use their data, requiring the provider to remove all records and essentially erase them, giving them a fresh start. Now, this may not be without consequences (some services can’t be provided without personal information) and may not always be applicable (sometimes personal information has to be kept for reasons of public interest or relating to legal claims), but it’s certainly a lot more effective than sending an “unsubscribe” email, blocking the sender’s email address, and hoping for the best.

How does this apply to the domains world?

You might be thinking, “I’m not even in the EU! Why does it matter?” Are you a reseller with clients in the EU? Does your business have the potential to process the data of EU-locals*? You now need to ensure that you’re obtaining permission from these customers to use their personal data and meeting the updated requirements surrounding its handling. This should involve a talk with your lawyer(s). Though we’re making an effort to provide resources and context, the information we’re providing should not be considered legal advice. Seeking professional, legal counsel from someone who is familiar with your specific situation is critical.

If you’re an OpenSRS reseller, you’ll also need to familiarize yourself with the platform-wide changes we’ll be making (I recommend subscribing to receive GDPR updates). Among other changes, we’re working on amending our Agreements with our resellers, including Privacy Agreements, to allow resellers full access to the info in the Control Panel without any concerns around GDPR violations.

While the rules outlined in the GDPR apply only to EU-local individuals*, changes to how data is collected and handled may happen on a global scale as companies modify their existing practices to ensure they are compliant with these new regulations. We will try to minimize any disruption to our domain management and registration processes for registrants and resellers.

Going back to the “data privacy by design and by default” idea, what it means is that all these regulations around protecting personal information can’t just be afterthoughts; they need to be “baked in”, part of the system that’s on unless you turn it off. We’ll be empowering our clients to understand what information we hold and how it’s used, to give consent to us for that use, and to request erasure of data in cases where consent cannot be provided.

Changes we’re making at OpenSRS

These data privacy protections touch almost every aspect of the domain onboarding process and lifecycle. We’re working through our detailed plans now, and will soon be able to share more information about our implementation; today I will share some highlights. As we work through this project, we’re keeping two things in mind: our need to operate within the bounds of legal requirements, and our commitment to keeping domain purchase and management as straightforward, simple, and instantaneous as possible for the end-user.

Thinking about consent, we’ll implement a post-purchase consent process, similar to the Registrant Verification request we send when a new domain is registered. We may combine the two into a single request if both verification and consent are needed at the same time. Watch for details on this process in upcoming blog posts and our GDPR page.

We already store your data securely, but we’re doing some internal review to see how we can strengthen our protections to keep information safe. Thinking back to the example of the marketing company who shared info with third-party companies, I want to make it clear that Tucows does not share personal data beyond what’s needed to provide the service that the client ordered. We never sell our clients’ personal information, and we certainly aren’t going to start now.

Although in a perfect world every domain would stay with Tucows forever, I know that, realistically, some people want to use other Registrars, or don’t want to renew every domain they have registered until the end of time. And when they’re no longer our client, they may not be comfortable with Tucows storing their personal data. That’s where the right to be forgotten comes in; we’ll be reviewing our data retention procedures, and putting in place a method for people to request erasure of personal data from our platform. As I said earlier, this is not without consequences, but in some cases (like my ill-fated makeup box subscription) it’s necessary.

Conclusion and next steps

I hope that this overview of the GDPR and the changes we’re looking at making has been helpful, and explains why this new regulation is important not only for our European clients but for our resellers worldwide. I know it’s a lot of information, and that you have many questions. We’ll be reaching out to resellers on implementation details soon, and keeping you informed as we move through this process. Until then, check out our blog and GDPR page for more details as May 25, 2018, approaches!

*Initially, this post employed the terms “EU citizens” and “EU customers” in place of “EU-local individuals.” The term “EU-local individuals” was introduced to provide clarity.


Learn more about the GDPR:

GDPR Updates – Understand OpenSRS’ approach to the policy

GDPR Roundups – View third-party resources on a specific GDPR topic