OpenSRS’ Reseller GDPR Checklist

Any time there’s a dramatic shift in our industry, we focus on minimizing the impact on our resellers and providing you as much information and assistance as possible. Admittedly, our GDPR communications work has proven fairly challenging, in part because we’ve simply never seen a shift quite as dramatic as that prompted by the GDPR. While we wanted to equip our resellers with specifics about our implementation plan and a concrete list of action-items right from the get-go, developing long-term solutions that both achieved GDPR compliance and established processes in which registries, registrars, and resellers can play their specific, essential roles required considerable collaborative efforts from players across our industry.

There’s still much work to be done, but today we’re happy to be able to offer a concrete list of GDPR action-items for OpenSRS Resellers and helpful resources in the form of flowcharts, example landing pages, and FAQs. We’re even happier to say that the to-do list is a short one which will likely require minimal work on your end.

Having said that, we must remind you that legal counsel is an essential part of any comprehensive GDPR compliance strategy. This checklist is not legal advice, and ensuring its completion by no means guarantees your compliance with the GDPR. Speak with a lawyer who is familiar with your business and equipped to judge whether your internal practices achieve compliance.

Reseller Action-Items

Most of these items will necessitate adjustments on your end. You may determine that some do not require action on your part, but all are significant and important for our clients to understand.

1. Make Sure You’re Familiar with Our Newly Introduced Consent Management Process

Moving forward, OpenSRS (accredited as Tucows Domains Inc.) will reach out to end-users to request their consent to process certain pieces of personal information. This “Consent Management” flow involves the sending of a request email which contains a link to the registrant’s unique Data Use Consent Settings page. This Data Use Consent Settings page serves as the registrant’s means to view their settings, manage their settings, and withdraw consent, should they choose to do so. It also contains a link to the Data Use Information page, which provides more information about how personal data is processed.

To the registrant, it’s a straightforward experience that makes clear Tucows’ relationship with their Registration Service Provider (Reseller). We recommend you take a look at these samples, so you’re aware of what this process will involve for your customers:

Consent Management Sample Flow – New Registration
Consent Management Sample Flow – Consent Choice Change

Resellers will be able to view the GDPR consent status for each domain they have under management from the “Domain Settings” section of the OpenSRS Control Panel. If you’d like more information on why we require the end-user’s consent to process certain personal data, please check out our Consent blog post.

2. Understand How to Provide Your Customers Access to Their Data Consent Settings Page

According to the GDPR, “It shall be as easy to withdraw as to give consent.” With this in mind, we’ve provided our resellers two straightforward options to email a registrant the URL for the registrant’s Data Use Consent Settings page upon request:

  • Option 1: Via the API using the gdpr_send_consent_reminder_email command.
    Resellers can use this command to integrate into their own end-user portal an option for users to request that the Data Use Consent Settings page URL be sent to the registrant email.
  • Option 2: Via the soon-to-be-available “Send Consent Email” option in the Reseller Control Panel.
    Resellers can use this new button in the “Domain Settings” section of the Reseller Control Panel to send out the Data Use Consent Settings page URL to the registrant email listed for any domain in their account.

3. Ensure You’re Prepared for our Updated Domain Transfer Process

Once the public Whois “goes dark” in the days leading up to May 25, 2018, OpenSRS will begin using a new process for domain transfers. You can find the details in our “Domain Transfer Process Changes” knowledge base article. It is important for our resellers to be aware that:

  • All resellers should use the sw_register API call for inbound transfers and include the transfer authorization code (EPP code) via the newly introduced “auth_info” parameter.
  • The simple_transfer API call, which currently requires the authorization code but not the domain contact data, will be temporarily suspended as of May 25, 2018.

Here’s a snapshot of the updated process:

4. OpenSRS Is Moving to a Gated Whois System

For the full scoop, refer back to our Whois Changes blog post; for today, just keep in mind that after that go-live date, most public whois servers will cease the publication of personal data, and providers will start offering a “gated” or “tiered access” Whois system. OpenSRS resellers don’t need to make any changes — your own clients’ data will continue to appear in your Control Panel, and we’ll take care of making sure the public Whois output is fully compliant with privacy regulations, so you’re good to go.

These changes are also summarized in this quick PDF.

5. Our Updated Master Services Agreement Now Requires That Resellers Process Data in a GDPR-Compliant Manner

Hopefully, you’re well on your way to compliance with the GDPR. OpenSRS has updated our Master Services Agreement (MSA) to include information about the consent management process and the addition of a Data Processing Addendum (DPA), with EU standard contractual clauses to allow data transfer from the EU to non-EU jurisdictions. We encourage you to familiarize yourself with all the recent GDPR-related changes we’ve made to our MSA by taking a look at the updated version.

6. We’ve Updated Our Agreement with Registrants

Our Domain Registration Agreement, also referred to as Exhibit A, serves as the service contract between OpenSRS (accredited as Tucows Inc.) and the domain owner (registrant). We don’t expect the GDPR-related updates to our Exhibit A to be reseller-impacting; these changes primarily relate to the registrant’s consent management flow and the data retention and erasure policy. Keep in mind that all resellers need to display this updated agreement to customers as part of the domain registration process.

Reseller Resources

All important OpenSRS resources relating to the GDPR can be found in our central GDPR Knowledge Base article, but for convenience, we’ve also listed them below. We hope the following resources help you, our reseller partners, assist your clients with GDPR-related changes:

Overview

Our GDPR Webinar
Central GDPR Knowledge Base article & FAQ

Specific Platform & Process Changes

Consent Management

Consent management sample flow – consent choice change
Consent management sample flow – new registration
Consent management FAQ

End-user consent request emails – The means by which we send the Data Use Consent Settings page URL (see below) to the registrant.
Data use consent settings pages – The location from which a registrant can set, view, and update their consent preferences or revoke consent.

Domain Transfers

Transfer process changes infographic – a before and after GDPR comparison
Domain transfer process changes knowledge base article
Transfer-in email example
Transfer-in landing page example

Whois Changes

Whois Changes Overview PDF
Whois Changes FAQ

API Changes

A new gdpr_send_consent_reminder_email command has been introduced.
A new “auth_info” parameter for the sw_register command has been introduced.

Changes to our Legal Agreements

Updated Master Services Agreement
Updated Domain Registration Agreement
Data Processing Addendum

And there you have it. We appreciate that for those resellers affected by the GDPR, achieving compliance has involved a great deal of internal work, in addition to that required to accommodate the changes OpenSRS is making to our platform. And while we’ve made every effort to keep this Reseller Checklist short and easy-to-implement, we know, as members of that same complex registry-registrar-reseller channel in which you operate, that small changes made by one player can have a big impact on others. We view our GDPR implementation work as essential to ensuring that the OpenSRS platform evolves to meet the long-term needs of our resellers and the demands of a highly interconnected internet ecosystem. Greater control over one’s personal data is a good thing, and we’re happy to be able to extend to all users on our platform the rights and protections outlined in the GDPR.