Latest update: October 30, 2017

You’ve probably heard mention of the GDPR, and likely have many questions about its scope, implications, and potential effects, both on your own business, and for the domain industry as a whole. As May 25, 2018, approaches, we’ll continually update this page to provide you with helpful context, resources, and updates on what OpenSRS is doing to prepare.

What is the GDPR?
When is the GDPR going into effect?
What is the purpose of the GDPR?
How will the GDPR impact your business?
How should you prepare?
How is OpenSRS preparing?
Resources


What is the GDPR?

The European Union’s General Data Protection Regulation (“GDPR”) lays out a new set of rules for how the personal data of people living within the EU (“EU-local individuals”) should be handled. Though it’s complex and far-reaching, at a high level, the GDPR can be understood in terms of three fundamental concepts:

 1. Consent and Control

Clear, informed consent and individual control over the use of personal data are basic rights in the GDPR. Any business taking personal data must not only obtain consent, but also explain what they need the information for. What’s more, they’re only allowed to collect the minimum amount of information required to get the job done, and can’t use the info for any purpose other than that to which the individual initially agreed. This puts the individual in charge of how their info is used from the very start.

2. Transparency

The GDPR imposes requirements around how companies should address security breaches that expose sensitive personal information. Anyone whose information may have been exposed must be notified as soon as possible, and that notice should include an explanation of what happened, what’s being done to fix it, and what those affected should do to protect themselves. This type of information empowers each person to respond in the way they think is best in each circumstance in order to protect their own privacy.

3. The right to be forgotten

Under these new rules, EU-local individuals have the right to revoke consent for a service provider to use their data. When this happens, the provider must essentially erase all record of the individual, giving them a fresh start. This requirement is not without consequences or limitations: some services can’t be provided without personal information, and sometimes personal information has to be kept for reasons of public interest or relating to legal claims.


When is the GDPR going into effect?

The GDPR comes into full effect on May 25, 2018. We recommend that you start preparing now.


What is the purpose of the GDPR?

The GDPR helps protect individual privacy in the digital age. The European Union views the protection of personal data as nothing less than a fundamental human right, alongside other rights such as freedom of expression, freedom of thought, and the right to a fair trial. Although there are other existing privacy laws in effect already, the GDPR is different in its scope of applicability and because significant fines may be levied for non-compliance.

The GDPR replaces the 1995 EU Data Privacy Directive, harmonizing privacy laws across the EU. Once it comes into effect on May 25, 2018, it will be law in all EU member states.


How will the GDPR impact your business?

The GDPR impacts you if you have customers who live in the EU (“EU-local individuals”). You now need to ensure that you’re obtaining permission from these customers to use their personal data, and meeting the updated requirements surrounding its handling. Before the GDPR comes into effect in May 2018, you’ll want to make sure you’re compliant. We recommend you get started now by talking to your lawyer(s) about what this means for your business, specifically. While the rules outlined in the GDPR apply only to EU-local individuals, changes to how data is collected and handled may happen on a global scale as companies modify their existing practices to ensure they are compliant with these new regulations. We will try to minimize any disruption to our domain management and registration processes for registrants and resellers.


How should you prepare for the GDPR?

It’s important to get started now so you’re able to fully understand the implications the GDPR could have upon your business, and plan effectively to meet the updated requirements. This should involve a talk with your lawyer(s). Though we’re making an effort to supply resources and context, the information we’re providing should not be considered legal advice. Seeking professional, legal counsel from someone who is familiar with your specific situation is critical. We encourage you to watch this page for updates and take a look at the resources below. You can continue reading for more information on how what we’re doing to prepare.


How is OpenSRS preparing?

We’re working through our detailed plans now, and will soon be able to share more information about our implementation. Sign up for our email updates to stay informed.

We will be keeping two things in mind:

  1. Our need to operate within the bounds of legal requirements
  2. Our commitment to keeping domain purchase and management as straightforward, simple, and instantaneous as possible for the end-user.

Here’s what you can expect

We’ll implement a post-purchase consent request, similar to the WhoIs Verification request we send when a new domain is registered. We may combine the two into a single request if both verification and consent are needed at the same time. Resellers using our New Messaging Center can rest assured and we’ll do our best to make sure that any changes we make will not break your existing customizations. Stay tuned for more details on new message templates and snippets.

We already store your data securely, but we’re doing some internal review to see how we can strengthen our protections to keep information safe. We’ll also be reviewing our data retention processes, and putting in place a method for people to request erasure of personal data from our platform.

We would like to reinforce this point: Tucows does not share personal data beyond what’s needed to provide the service that the client ordered. We never sell our client’s personal information, and we certainly aren’t going to start now.


Resources

Understanding the GDPR
EUGDPR.org
GDPR (full policy PDF)
Top 10 operational impacts of the GDPR
ICANN: Data Protection/Privacy Issues
GeoTLD.Group: GDPR Info Page
Sign up to receive updates 

We would like to reinforce this point: Tucows does not share personal data beyond what’s needed to provide the service that the client ordered. We never sell our client’s personal information, and we certainly aren’t going to start now.