Getting GDPR-ready

March 1, 2018

It’s the acronym on the edge of everyone’s lips these days; GDPR. The General Data Protection Regulation is set to arrive during May 2018 and is being discussed rapidly across the country as businesses prepare to comply or suffer penalties. It forms one part of the larger puzzle, including the ePrivacy directive, as the EU Commission aligns policies on personal privacy and data protection across the continent.

As the operator of Top-Level Domain registries (TLDs) handling data, complying with the law and industry best practices is imperative. The biggest implication is for the WHOIS look up service that allows anyone to check up on who is (geddit?) the person responsible for any given internet domain name. What happens when laws change, causing a divergence from long-established industry policy set by ICANN? The short-term approach is a temporary ‘layered access’ solution while ICANN teams work on long-term policies, which may not arrive in time for compliance in May.

In terms of the GDPR, pretty much all country code domain registries have been implementing a compliance programme over the past year. The most visible aspect of that to the outside world will be a reduction in the data fields which are publicly available on the WHOIS. Responsible registries are still committed to provision of information to rights holders and law enforcement (in GDPR terms, they have a legitimate right to access information where necessary to investigate abuse and criminal behaviours), but the practical aspects and additional work created are certainly a concern.

Of course, GDPR applies to all businesses in the EU, and not just TLD registry operators. It requires a thoughtful approach and analysis of all the personal data collected, stored and processed by any organisation. An example: our HR team helpfully include a candidate CV when sending a meeting request to attend an interview. However, that CV is then stored in the company’s Microsoft Outlook software. This, in turn, is backed up in multiple data centres, backed up as part of our disaster recovery and business continuity processes, and archived off site. Without a formal policy on data retention and deletion, that candidate’s CV is going to be stored forever. In the words of the artist formerly known as Prince, that’s a mighty long time. And not very GDPR compliant.

In addition to the financial penalties for non-compliance with GDPR (20 million Euros or 4% of global turnover, whichever is higher), what is more troubling to me as the company’s General Counsel and Data Protection Officer is conducting business in a way that is openly in breach of the Law. Hence the publication of personal data in the WHOIS look up service in a manner that is excessive and disproportionate, and certainly not consented to by domain name registrants, is very worrying.

The good news is that plenty of models for WHOIS exist already that comply with GDPR amongst the community of country code TLDs, who are not bound by ICANN policies for WHOIS. This is mainly because WHOIS policies interlink seamlessly with other related policies which allow access to data to persons with a legitimate need for it, such as trading standards investigators, and also to a registry’s policies for data accuracy, abuse prevention, and dealing with criminal behaviours. WHOIS can’t be looked at in isolation; it’s complicated, isn’t it?

At Nominet, we’ve opted for a pragmatic, light-touch approach to making our .UK processes GDPR compliant that we’ve proposed today. It’s a challenge that can’t be looked at in isolation, so we’re monitoring the approaches proposed by the wider internet community and we’ve announced some changes to our Registrar Agreement and opened a comment period to hear views on our proposals. You can find out more about our thinking and share your views with us here.