GDPR and domain name resellers, 20 million reasons to read this.

Companies will face very harsh punishments for infringements under the GDPR. Art. 83 Paragraph 5 of the GDPR offers the supervising authorities the possibility of imposing fines of up to 20 million Euro or, for corporations, up to 4% of the worldwide turnover of the preceding financial year.

 

Tick tock, tick tock, goes the clock
The EU GDPR will go into effect May 25th, 2018. It looks like there is still a lot of time, but actually, there is not much time left to prep your organization for the GDPR!

Most of your company’s operations will be affected by the GDPR, from your human resources to your marketing department. Policies and processes need to be reviewed, altered and communicated. Privacy by design will be key.

From a wholesale registrar perspective, the impact of the GDPR in combination with domain names is relatively low.
However, the impact for you as a reseller is a massive one.
In respect to registering domain names, your company, as the data collector, sends a lot of Personally Identifiable Information (PII) all over the globe. Be it a ccTLD registration or a gTLD registration.
The GDPR will affect all of our resellers who deal with European citizens as customers even if you, as a reseller are not located in the EU.

We at Realtime Register will, however, assist you in the upcoming struggle.

Privacy protect
As you may have read in one of our previous blog posts, we will offer our privacy protect services for free for our resellers.
This will make sure that you can comply with the EU GDPR and ICANN regulations without too much hassle. We strongly suggest to evaluate your customers and see who will require this service. The easiest and safest way is to use Privacy protect by default for your customers.
For Dutch resellers, who have so-called ZZPers as customers, by law they are exempt from the demanded privacy. However, the GDPR did not take into account how these self-employed business owners should be treated, as the lines between being a professional and a natural person often cross each other.
If you make mistakes here and you forget to enable privacy protect and your customers PII is unprotected, you will be risking the high fines as mentioned earlier. Forgetting about (overlooking) a customer or customers could result in a data breach.

Currently, we are working with a leading juristically advice agency to set up a deal for several services including the new agreements and privacy statement you will need; more details will follow soon.

Some aspects of exporting PII data outside the EU and ccTLD registries (and several others) are still not clear. We will inform you about this as soon as there is more clarity on this subject.

The bottom line, when it comes concerning the GDPR to the GDPR, think twice about how you deal with PII. Be prepared the GDPR will be affecting your business in more ways than you expect.

Other geographical areas
China already introduced severe privacy laws, and companies need to comply early 2018. Overall there are over 100 countries with data protection laws, and 46 countries are currently drafting data protection laws similar to the GDPR.

It is a shame that ICANN and a lot of Registries do not support the privacy by design principle, at the moment, this would have made our lives a lot easier. Perhaps ICANN and Registries should consider the following.

On December 10, 1948 the General Assembly of the United Nations adopted and proclaimed the Universal Declaration of Human Rights.

Article 12:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

So let us be sensible about privacy.

 

 

 

 

EU GDPR, is consent the Silver Bullet for Domain Name Registrations?

Update:28-11-2017

According to the Dutch DPA, consent is not the silver bullet. 

https://autoriteitpersoonsgegevens.nl/en/news/dutch-dpa-unlimited-publication-whois-data-violates-privacy-law

This will make ccTLD registrations outside of the EU for natural persons very problematic and perhaps such registrations should be avoided, though this is not legal advice in any shape or form. 

Consent is often cited as the Silver Bullet to transfer data outside of the EU.The requirements, however, can be rather complex given the fact how registries/ICANN process and control the data.

The rules according to Art.6.1(b).

Data subjects are provided with a clear explanation of the processing to which they are consenting; The consent mechanism is genuinely of a voluntary and “opt-in” nature;
Data subjects are permitted to withdraw their consent easily;
The organization does not rely on silence or inactivity to collect consent (e.g., pre‑ticked boxes do not constitute valid consent);

  • Be specific and granular. Vague or blanket consent is not enough
  • Name any third parties who will rely on the consent
  • Make it easy for people to withdraw consent and tell them how
  • Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity

Purpose
Consent will be needed for different processing operations wherever appropriate – so you need to give granular options to consent separately to separate purposes unless this would be unduly disruptive or confusing. As a minimum, consent must specifically cover all purposes.

Consent shouldn’t be.
Recital 32 also makes clear that electronic consent requests must not be unnecessarily disruptive to users. You will need to give some thought to how best to tailor your consent requests and methods to ensure clear and comprehensive information without confusing people or disrupting the user experience – for example, by developing user-friendly layered information and just-in-time consents.

Principles of data protection
In data protection, there is the fundamental principle which is unchanged even in the age of Big Data.

The data subject has to be in control of her/his data, which means for consent that you need consent for every each of the data processing activities (even for minor changes in the processing)

Scope

Considering that Registrars and Domain Name Resellers do business with more than 1000’s of TLDs located in more than 200 countries the complexity of getting consent “right” seems to be very difficult and complex and not recommended for domain name registrations.

The Right to be forgotten.
Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessarily about the purpose for which it was originally collected/processed
  • When the individual withdraws consent
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed (ie otherwise in breach of the GDPR)
  • The personal data has to be erased in order to comply with a legal obligation

The above adds another layer of complexity. Some Registries will delete the data of the data subject; some don’t. Currently, it is unknown which policies the registries have in place. In short, consent adds a whole layer of organizational challenges. It is assumed that the withdrawal of consent does not automatically imply that the service can be terminated as consent was not ““freely given”, a requirement of the GDPR.

Given the fact how the public WHOIS system works it is unknown how the right to be forgotten should work in practice within the DNS.

More information about consent can be read here.

 

The most important GDPR requirements at a glance

The article below is a partial copy of this fact sheet by Legalist and was used with its consent. (De Nederlandstalige versie staat hier)

The General Data Protection Regulation (GDPR) is a new pan-European privacy law. From 25 May 2018, your organization must comply with this strict new law. So, what is changing? And what do you need to change?

1. Your activities are much more likely to be covered by eu privacy legislation
If your organization processes personal data of a person who is in the EU, you must comply with the GDPR. It does not matter if your organization is not established in the EU or if the processing does not take place within the EU. And if there was any doubt before: the definition of personal data now explicitly includes online identifiers, such as IP and MAC addresses or a cookie-ID.

2. Your privacy statement must be even more transparent
You must explain clearly and fully, using plain language, how you use personal data and why. Furthermore, you must advise people of their rights, such as the right to view their data, to amend or erase it if there are clear mistakes, to object to excessive processing, and to take their data to another service provider. If you create interest profiles, you must be able to destroy them upon request. Finally, you should not forget to explicitly advise people of their right to file a complaint with the supervisory authority, as this is now required by law.

3. You must also publish an internal privacy policy
You need to document how personal data is handled and secured within your organization. Raising awareness of this policy among employees is key. Periodic training will also be required.

4. You must keep records of all personal data processing activities
The records must include, among other things, a description of the personal data processed, the purpose for processing them, and how they are protected. This obligation applies to organizations with more than 250 employees, but also to The most important GDPR requirements at a glance with fewer than 250 employees provided they process personal data on a regular basis or they process special categories of personal data.

5. You must document all data breaches internally
Under current privacy legislation, you are required to document only those data breaches that you are obliged to report to the supervisory authority. The GDPR makes it compulsory to document all data breaches internally, even those which you are not required to report. If you process personal data on a client’s behalf, the GDPR also imposes a legal obligation to report all data breaches that occur during such activities to the client, so that they can notify the supervisory authority.

6. You need to know where your personal data is stored, and may need extra safeguards
If you store personal data with a third party abroad, you must check whether the data is stored within or outside of the EU. The latter is only permitted if the third party meets strict legal requirements, e.g. the country in question has been certified by the European Commission. With regard to third parties in the United States, the so-called Privacy Shield offers the necessary safeguards. However, please note that customers may demand that their data simply does not leave the EU at all.

7. Your data processing agreements with suppliers and customers must be revised
The GDPR contains more specific requirements for data processing agreements, which must be concluded if you process personal data on behalf of another organization, or if another organization processes personal data on your behalf. For example, if you process personal data on behalf of another organization, you need permission before subcontracting any processing operation.

8. You must carry out a thorough privacy impact assessment (pia) for risky activities
A PIA is an extensive assessment intended to identify privacy risks, and to eliminate such risks as much as possible so that privacy is not put in jeopardy beyond what is strictly necessary and proportionate. You may not carry out a processing activity which poses a risk to privacy until after the PIA has been conducted and its outcomes have been implemented.

9. You must better minimise the personal data you process and store
Even though current privacy legislation already requires data minimisation, you may be keeping data longer than necessary, ‘because you never know’. Under the GDPR you must take active steps to erase information as soon as it has lost its relevance. You must also put in place policies for the assessment of the relevance of information and its erasure in case of irrelevance.

10. You must implement ‘privacy by design’ and ‘privacy by default’
This means that privacy considerations must be identified and incorporated at every step in the development process. In addition, the default settings of any new service must be as privacy-friendly as possible.

11. You may be asked to stop profiling, or explain exactly what you are doing
If you create interest profiles or risk analyses for your clients, visitors, etc., you must be able to explain to them how you do this and why at their request. This also applies to activities which may seem trivial or highly ordinary, such as cookies for personalized advertising.

12. Your security measures must be fit for purpose, both now and in the future
The security of personal data is crucial. In this day and age, if you don’t restrict access to only those users with a need-to-know, using strong (multi-factor) authentication and encryption, if you don’t use TLS, firewalls, anti-virus software, or if you don’t patch your software and systems in time, you are at serious risk. You are also at risk if you do not regularly evaluate and update your security measures.

13. You must be able to handle requests from persons about their personal data
The GDPR provides more rights to individuals to access, correct or erase their data, or take their data with them to another provider. Under normal circumstances, any request from a person regarding their personal data should be handled within one month. Is your helpdesk up to speed.

14. You may need to appoint a data protection officer (dpo)
A data protection officer is an independent person who advises and reports on GDPR compliance. Appointing a DPO is compulsory if you process more sensitive personal data (such as medical records) on a large scale, or if you are engaged in regular and systemic monitoring of people’s activities on a large scale. The DPO can be appointed either internally or externally, for example one of Legal ICT’s (virtual) privacy officers.

15. You may need to offer ‘data portability’
If you offer an online service that allows people to store their personal information, they must be able to export all their information in a commonly used digital format for transfer to another organization. This might involve downloading photos, social media posts or forum contributions.

16. You may need to pay special attention to biometric data
Does your organization make use of fingerprints or other biometrics, e.g. for access control? Then you need to comply with the GDPR’s strict protection regime for biometric data.

17 You need to comply, to avoid higher fines which are drastically higher
Under the GDPR, the supervisory authorities may issue penalties of up to the higher of 20 million euro or 4% of global turnover. Privacy now really requires boardroom attention.

Conclusion

All in all, many changes that will require your attention. At Realtime Register are aware that personal data affects many of our processes. This will also apply to our reseller’s processes. We are working hard to incorporate these requirements in a reseller- and customer-friendly manner. We will keep you informed through this blog and other information channels.

De belangrijkste eisen van de AVG

Het onderstaande artikel is met toestemming grotendeels overgenomen van het factsheet Algemene Verordening Gegevensbescherming door ICTRECHT.

Een nieuwe privacywet voor heel europa, dat is wat de Algemene Verordening Gegevensbescherming (AVG of GDPR in het engels) ons brengt. Vanaf 25 mei 2018 moet ook uw organisatie voldoen aan deze strenge nieuwe wet. wat gaat er nu allemaal veranderen?

1. Uw activiteiten vallen veel sneller onder de privacywet
Het centrale begrip ‘persoonsgegevens’ verandert namelijk: naast bestanden met namen, adressen en dergelijke vallen nu ook gegevens gekoppeld aan IP-adressen, MAC- adressen, cookies en dergelijke onder de wet. Ook als u niet weet hoe de persoon achter een cookie heet, dient u dat gegeven te behandelen als privacygevoelig.

2. Uw privacyverklaring moet nóg transparanter
U moet in eenvoudige taal precies  en volledig uitleggen (in een privacyverklaring) wat u doet met persoonlijke gegevens. Ook moet u mensen wijzen op hun rechten, zoals dat men gegevens mag aanpassen, het dossier mag inzien of zelfs laten vernietigen. Bouwt u interesseprofielen op, dan moeten die op verzoek kunnen worden verwijderd. Bovendien moet u ze wijzen op de mogelijkheid een klacht in te dienen bij de toezichthouder, de Autoriteit Persoonsgegevens.

3. Alle datalekken moeten intern worden gedocumenteerd
Volgens de huidige privacywet hoeft u alleen datalekken bij te houden wanneer u ze ook moet melden aan de toezichthouder. De AVG stelt het verplicht om alle datalekken intern te documenteren, óók datalekken die niet te hoeven worden gemeld. En verwerkt u privacygevoelige data voor uw opdrachtgevers? Dan bent u straks wettelijk verplicht alle datalekken daarbij aan hen te melden, zodat zij dit weer aan de toezichthouder kunnen melden.

4. U moet alle verwerkingen van persoonlijke gegevens documenteren, ook de triviale zoals uw personeelsadministratie of de nieuwsbrief
In dit register moet onder andere staan welke persoonsgegevens er verwerkt worden, voor welke doeleinden, en hoe deze gegevens beveiligd worden.

5. U moet met al uw leveranciers en afnemers een zogeheten verwerkersovereenkomst sluiten.
In de verwerkersovereenkomst (heet tot ingang van de AVG nog bewerkersovereenkomst) maakt u specifieke afspraken over de omgang met persoonlijke gegevens. Een belangrijk aandachtspunt daarbij is dat wanneer u diensten uitbesteedt waarbij persoonsgegevens van een klant zijn betrokken, u hiervoor toestemming nodig hebt van die klant.

6. De boetes worden gigantisch
De maximale boete per overtreding van de huidige privacywet is nu 900.000 euro. Dit verandert met de komst van de AVG naar 20 miljoen euro of 4% van de wereldwijde jaaromzet. Bovendien komt er komt een Europees Comité dat toeziet op de juiste toepassing van de AVG.

7. Mogelijk heeft u een privacy officer nodig
Een privacy officer, oftewel functionaris voor gegevensbescherming (FG), is een onafhankelijke persoon binnen de organisatie die adviseert en rapporteert over naleving van de AVG. Deze is verplicht wanneer u op grote schaal gevoelige persoonsgegevens zoals gezondheidsgegevens verwerkt, of als u structureel mensen observeert (fysiek of digitaal). Een FG kan iemand zijn die intern aangesteld wordt, maar mag ook iemand zijn die extern aangesteld wordt, zoals een (virtuele) privacy officer van ICTRecht.

8. Zitten er risico’s aan een verwerking, dan moet u een complete privacy impact assessment (pia) uitvoeren
Dit is een uitgebreid onderzoek om privacyrisico’s in kaart te brengen en deze zo veel mogelijk weg te nemen. Pas nadat de PIA is uitgevoerd en de resultaten geïmplementeerd, mag u die risicovolle verwerking uitvoeren.

9. U moet zo min mogelijk privacygevoelige informatie verzamelen en deze zo snel mogelijk weer weggooien
Vanuit de gedachte van risicobeheersing vereist de AVG dat u het minimale aan persoonsgegevens onder u heeft. U moet dus actief informatie weggooien wanneer deze niet meer relevant is – en u moet beleid hebben dat uitwerkt wanneer iets wel of niet relevant is, en hoe het weggooien dan veilig wordt gerealiseerd.

10. Uw software en diensten moeten van de grond af rekening houden met privacy
Dit wordt ook wel ‘Privacy by design’ en ‘Privacy by default’ genoemd. Kort gezegd moet bij elke stap in de ontwikkeling de privacyaspecten worden benoemd en meegenomen in de uitwerking. Daarnaast moeten standaardinstellingen van een nieuwe dienst zo privacyvriendelijk mogelijk zijn.

11. uw beveiliging moet op orde zijn – en blijven
Beveiliging van persoonlijke gegevens is cruciaal vandaag de dag. Zonder encryptie, tweefactorauthenticatie en het kunnen scheiden en veilig wissen van persoonlijke informatie neemt u een zeer groot risico. Verder zullen uw ICT-systemen regelmatig moeten worden onderzocht op nieuwe risico’s.

12. U dient intern privacybeleid te publiceren waarin staat wie welke rol heeft bij de omgang met persoonsgegevens
Het is belangrijk dat medewerkers hiervan op de hoogte zijn. Zij moeten dus worden getraind, en dit moet regelmatig worden herhaald.

13. U moet kunnen omgaan met verzoeken van personen, zoals een verzoek om inzage of correctie in hun gegevens
Maar wanneer u verouderde gegevens heeft moeten deze worden gewist op verzoek. Een verzoek van een betrokkene over zijn persoonsgegevens moet normaal binnen een maand inhoudelijk afgehandeld zijn. Is uw helpdesk hier al op ingericht?

14. Heeft u online diensten waarin mensen persoonlijke informatie opslaan?
Heeft u online diensten waarin mensen persoonlijke informatie opslaan? Dan moeten zij in staat zijn al hun informatie te kunnen exporteren in een standaardformaat, zodat zij die naar een andere organisatie kunnen overdragen. Denk aan downloaden van foto’s, socialmediaberichten of forumbijdragen.

15. Werkt u met buitenlandse partijen, controleer dan of zij binnen of buiten de eu persoonlijke informatie voor u opslaan
Dat laatste is alleen toegestaan als er wordt voldaan aan strikte regelgeving, bijvoorbeeld als het land in kwestie door de Europese Commissie gecertificeerd is. De VS is dat: het zogeheten Privacy Shield biedt de nodige waarborgen voor gebruik van Amerikaanse partijen. Maar let op: uw klanten kunnen van u eisen dat data gewoon in het geheel niet de EU verlaat.

16. Maakt u interesseprofielen of risicoanalyses van uw klanten, bezoekers et cetera?
Maakt u interesseprofielen of risico-analyses van uw klanten, bezoekers et cetera? Dan moet u hen op verzoek kunnen uitleggen hoe dat gebeurt en wat u daarmee doet. Dit speelt al bij het gebruik van cookies voor advertentiedoeleinden.

17. Maakt uw organisatie gebruik van vingerafdrukken of biometrie, bijvoorbeeld voor toegangsbeveiliging?
Dit ligt gevoelig onder de AVG, omdat dergelijke biometrische gegevens een streng beschermingsregime genieten.

Tenslotte

Al met al veel wijzigingen die de aandacht van de ondernemer eisen. We realiseren ons bij Realtime Register dat persoonsgegevens veel van onze processen raken en dat geldt natuurlijk ook voor onze resellers. We al geruime tijd bezig om op een reseller- en klantvriendelijke wijze de eisen in te passen. Via dit blog en andere informatiekanalen houden we u op de hoogte.

ICANN, Thick WHOIS Migration Delay & Pray

The migration of the Verisign Thick WHOIS has been delayed until 29th November.
This is a welcome change from the original migration data wich was set at 1-August-2017.

We at Realtime Register were not planning to migrate on this data anyways, as we are still reviewing the EU GDPR and its impact.

Currently, ICANN is collecting community input regarding the EU GDPR till September this year. In November ICANN will present the results wich will provide more clarity regarding the fact if ICANN is the data controller or not according to the EU GDPR. Furthermore, Registrars expect more clarity at this date regarding the output of personally identifiable data through the public WHOIS.

The EU GDPR will go into effect on 25-May-2018 and will severely impact your business.
A blog post regarding the EU GDPR and how it will affect you as a reseller will follow soon.

ICANN blogged about this migration delay here.