Latest update: March 6, 2018
Our Approach to the GDPR
The European Union’s General Data Protection Regulation (GDPR) lays out a new set of rules for how the personal data of people living within the EU (“EU-local individuals”) should be handled. The policy comes into full effect on May 25, 2018, and we recommend that you start preparing now by speaking with a lawyer and familiarizing yourself with the information we’ve provided here.
Though it’s complex and far-reaching, at a high level, the GDPR can be understood in terms of three fundamental concepts:
1. Consent and Control
Clear, informed consent and individual control over the use of personal data are central to the GDPR. A business collecting and processing personal data must have a lawful basis for doing so (for the services discussed on this page, that basis is either a contract with the individual or the individual’s consent) and must explain what it needs the information for. It may collect only the minimum information required to provide the service, and it may not reuse that information for a purpose the individual did not agree to. This puts the individual in charge of how their information is used from the very start.
2. Breach Notification
The GDPR also sets requirements for how companies must respond to security breaches involving personal data. A breach must be reported to the supervisory authority without undue delay (where feasible, within 72 hours of becoming aware of it), and when the breach is likely to put the affected individuals at high risk, those individuals must be notified as well. That notice should describe what happened, what is being done to fix it, and what those affected can do to protect themselves, so that each person can respond in the way they think best protects their own privacy.
3. The right to be forgotten
Under these new rules, EU-local individuals have the right to revoke consent for a service provider to use their data. When this happens, the provider must essentially erase all record of the individual, giving them a fresh start. This requirement is not without consequences or limitations: some services can’t be provided without personal information, and sometimes personal information has to be kept for reasons of public interest or relating to legal claims.
The GDPR helps protect privacy in the digital age. The European Union views the protection of personal data as nothing less than a fundamental human right, alongside other rights such as freedom of expression, freedom of thought, and the right to a fair trial. Although there are other existing privacy laws in effect already, the GDPR is different in its scope of applicability and because significant fines may be levied for non-compliance.
The GDPR replaces the 1995 Data Protection Directive (95/46/EC) and harmonizes privacy law across the EU. Unlike a directive, a regulation does not need to be transposed into national law: from May 25, 2018 it applies directly in every EU member state.
The GDPR impacts all OpenSRS clients, as the changes we are making in response to the GDPR will be applied platform-wide. It also affects you if your business processes, or has the potential to process, the personal data of individuals living in the EU, regardless of whether you actively sell services in the EU. You now need to ensure that you’re obtaining permission from these customers to use their personal data, and meeting the updated requirements surrounding its handling. Before the GDPR comes into effect in May 2018, you’ll want to make sure you’re compliant. We recommend you get started now by talking to your lawyer(s) about what this means for your business specifically.
While the rules outlined in the GDPR apply only to EU-local individuals, we plan to adopt a broad, one-size-fits-all approach* to implementation, and changes to how data is collected and handled may happen on a global scale as companies modify their existing practices to ensure they are compliant with these new regulations. Rest assured, we are doing everything we can to minimize disruption to our domain management and registration processes for both registrants and resellers.
Our Guiding Principles
In designing our approach to GDPR compliance, we’re keeping two things in mind: our need to operate within the bounds of legal requirements, and our commitment to keeping domain purchase and management as straightforward, simple, and instantaneous as possible for the end-user.
We’d also like to take a moment to reinforce this point: Tucows (our parent company) does not share personal data beyond what’s needed to provide the service that the client ordered. We have never sold our clients’ personal information, and we certainly aren’t going to start now.
The GDPR’s scope of applicability may appear to be limited to the European Union, but we are working toward a unified implementation plan* that will extend the same heightened privacy protections to all OpenSRS reseller partners and end-users, regardless of their location. This streamlined solution ensures that our platform is secure and GDPR-compliant, and recognizes that there are privacy laws worldwide, beyond the GDPR, which must be respected.
Here’s a high-level look at how we’ve broken down the GDPR and the steps we are taking to achieve compliance by May 25, 2018. The entries that follow provide greater context and additional information on specific topics.
How will Whois change?
OpenSRS will implement a new, “gated Whois” system. Under this new system:
- The registrant, admin, and technical contact information for registered domains will no longer be visible in the public Whois database.
- “Full” Whois data for registered domains will only be accessible to legitimate, accredited third parties, such as law enforcement, members of the security community, and intellectual property lawyers.
- This “full” Whois data will be limited to those personal data elements that we have obtained permission to process, either via contract or via consent of the data subject.
This switch to a gated Whois is being made in an effort to reconcile our GDPR-imposed restrictions with our ongoing obligations as an accredited registrar. As of May 25, 2018, registrant information—name, organization, address, phone number, and email—will be considered personal data that can no longer be published in the public Whois. However, we feel authenticated access to this information, in a specific and limited manner, should be provided to those with legitimate reason to request it. A gated Whois system will allow for this, while also ensuring that private information remains guarded from the general public.
You can view a snapshot of what these changes will look like or, for more context, you can read our full Whois Changes post. We’ve also curated a list of resources that provide helpful context and insight into how other key players are thinking about the future of Whois.
Do we still need Whois privacy?
Regardless of any changes to the Whois system, Whois privacy will remain a valuable service to registrants worldwide. Even when the public Whois “goes dark”, there will still be a gated Whois, where registrant data is made available to parties with a legitimate interest. So, while the audience for registrant data may no longer be the entire public, it will still be sizable. This is where Whois privacy comes in: if privacy is active on a domain, the personal data in the registration record remains protected even from those with access to the gated Whois. The service also gives third parties a way to contact the domain owner, via the privacy service email address displayed in the Whois output, an option that GDPR redaction alone does not provide. In addition, the personal data associated with a domain protected by Whois privacy will not be shared with registries.
How will OpenSRS obtain the data subject’s consent?
We continue to evaluate our plans; at this point, we can say that once the GDPR is in effect, we’ll introduce at least two new consent-related processes:
1. An initial consent request to end-users:
We’ll begin the practice of sending every new domain owner a consent request once their initial domain registration request has been processed. Here we will disclose all the uses of personal data that are required by contract in order for us to provide the requested domain service. At this time, we will also request consent from the data subject for those data uses where our legal basis is their consent.
2. A method for end-users to update consent preferences and revoke consent:
Once the initial consent is granted, each domain owner will be given access to a consent management page where they may review and modify their consent choices on an ongoing basis, or revoke their consent at any time.
We are still finalizing the specific workflows that we will use to obtain consent from our registrants, not to mention our resellers. Whatever method(s) we do choose will:
- Request consent for any data elements that are not required by contract,
- Require affirmative consent, rather than an opt-out method, and
- Be integrated with the existing domain lifecycle.
What personal data will OpenSRS process “via” contract?
Any data that must be processed in order to register a domain, or provide any other type of service, will be covered under contract. We will be updating our Registration Agreement and Master Services Agreement to include mention of all these essential pieces of data:
- First name
- Last name
- Organization (if provided)
- Email address
Certain registries require additional information in order to complete domain registrations, and in these cases, we will include in our contract a point about processing those additional pieces of registrant data.
What personal data will OpenSRS process “via” consent?
We will request consent from the data subject when:
- We give the option of processing any piece of personal data that isn’t essential or necessary to provide the service. For example, for most domain registrations, we don’t require the registrant to provide their phone number, but by collecting this piece of data we are able to provide a backup verification method.
- The data is required by a third party, with whom we do not yet have a GDPR-compliant contract. For example, a registry might require that the registrant’s postal address be on file in order to complete a domain registration. If we don’t have a GDPR-compliant contract with this particular registry, we would have to request consent from the data subject to process and share this extra piece of personal data before completing the registration.
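The following Python is an added illustration, not OpenSRS code, of how the rules in the gated Whois, Whois privacy and consent entries above fit together: each registrant data element has a legal basis (contract or consent), consent counts only when affirmatively granted and can be revoked, the public Whois shows no contact data, accredited requesters see only the elements there is a basis to process, and an active Whois privacy service overrides all of that by exposing only the privacy relay address. The element names, the requester class labels, the relay address and the assumption that a registry receives the privacy service’s contact instead of the registrant’s are all assumptions made for the example.

```python
"""Added example (not OpenSRS code): a minimal model of per-element legal basis,
affirmative consent, gated Whois output and Whois privacy as described on this page."""
from dataclasses import dataclass, field
from enum import Enum


class Basis(Enum):
    CONTRACT = "contract"  # needed to provide the service; covered by the registration agreement
    CONSENT = "consent"    # optional, or required by a third party; needs the data subject's opt-in


# Legal basis per registrant data element, following the page's two lists.
# Phone and postal address are the page's own examples of consent-based elements.
FIELD_BASIS = {
    "first_name": Basis.CONTRACT,
    "last_name": Basis.CONTRACT,
    "organization": Basis.CONTRACT,  # only if provided
    "email": Basis.CONTRACT,
    "phone": Basis.CONSENT,
    "postal_address": Basis.CONSENT,
}

# Requester classes allowed through the gate. Hypothetical labels; how a requester
# proves accreditation is out of scope here.
ACCREDITED = frozenset({"law_enforcement", "security_researcher", "ip_counsel"})

REDACTED = "REDACTED FOR PRIVACY"


@dataclass
class Registration:
    domain: str
    contact: dict                                  # data element -> value supplied at registration
    consents: dict = field(default_factory=dict)   # element -> True only after an affirmative opt-in
    whois_privacy: bool = False
    privacy_email: str = "contact@privacy.example"  # assumption: the privacy service's relay address


def grant_consent(reg: Registration, element: str) -> None:
    """Record an affirmative opt-in; contract elements never go through consent."""
    if FIELD_BASIS.get(element) is not Basis.CONSENT:
        raise ValueError(f"{element} is not processed on the basis of consent")
    reg.consents[element] = True


def revoke_consent(reg: Registration, element: str) -> None:
    """Revocation removes the record entirely: absence of consent means no processing."""
    reg.consents.pop(element, None)


def processable(reg: Registration) -> dict:
    """Elements we have a legal basis to process: every contract element that was
    provided, plus consent elements the registrant has affirmatively agreed to.
    A missing or False consent entry is treated as no consent (no opt-out semantics)."""
    out = {}
    for element, basis in FIELD_BASIS.items():
        value = reg.contact.get(element)
        if not value:
            continue
        if basis is Basis.CONTRACT or reg.consents.get(element) is True:
            out[element] = value
    return out


def whois(reg: Registration, requester: str = "public") -> dict:
    """Whois output for one requester class."""
    record = {"domain": reg.domain}
    if reg.whois_privacy:
        # Privacy applies to everyone, gated requesters included; only the relay address is shown.
        record["registrant"] = REDACTED
        record["email"] = reg.privacy_email
    elif requester in ACCREDITED:
        record.update(processable(reg))
    else:
        record["registrant"] = REDACTED  # public view: no personal data and no contact path
    return record


def registry_payload(reg: Registration) -> dict:
    """Contact data forwarded to the registry. With privacy active the registrant's
    personal data is withheld; the privacy service's contact is sent instead (assumption)."""
    if reg.whois_privacy:
        return {"email": reg.privacy_email}
    return processable(reg)


if __name__ == "__main__":
    # Constructed sample registration, not real data.
    reg = Registration("example.com", {
        "first_name": "Ada", "last_name": "Lovelace", "organization": "",
        "email": "ada@example.com", "phone": "+1 555 0100", "postal_address": "1 Main St",
    })
    print("public:", whois(reg))
    print("gated, no consent:", whois(reg, "law_enforcement"))
    grant_consent(reg, "phone")
    print("gated, phone consented:", whois(reg, "law_enforcement"))
    reg.whois_privacy = True
    print("gated, privacy on:", whois(reg, "law_enforcement"))
```

Note that `processable` is the only place a personal data element is released, so adding a new element means deciding its basis in `FIELD_BASIS` first; an element with no entry is never output, which is the safe default for data minimization.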
*Previously, we had discussed plans to apply our internal, GDPR-related process changes only to EU-locals. We have since changed our approach and now plan to apply these changes platform-wide.