Tucows Guide to the GDPR. March 2018

Transcription

1 Tucows Guide to the GDPR March 2018

2 About This Webinar Who is this webinar for? Resellers of Tucows services Familiar with the domain world and ICANN policy Familiar with our blog posts What are we doing here? General GDPR information How the GDPR will affect Tucows services Things you may want to consider Reseller Tip This webinar is not legal advice. Please work with your own legal counsel to develop a GDPR compliance strategy

3 About This Webinar Following the presentation, we will answer as many questions as we can today If we don't get to your question, we will you an answer We will send out a PDF of the webinar slides and a link to the recording Reseller Tip Have questions? Type them into the Questions tab in the GoToWebinar Control Panel

4 What Is The GDPR? The General Data Protection Regulation (GDPR) lays out rules for how the personal data of people living in the EU should be handled. Enforceable as of May Replaces & expands on the EU s Data Protection Directive Significant fines for non-compliance Applies to businesses worldwide that provide services to EU-locals Reseller Tip Three core concepts in the GDPR: Consent and Control Transparency The Right to Erasure

5 Glossary of Terms GDPR: General Data Protection Regulation Personal Data: Any information relating to an identified or identifiable natural person. Data Subject: A natural person who can be identified by data. Not a legal person (corporation). Data Controller: The entity which determines the purposes and means of the processing of personal data. Data Processor: The entity which which processes personal data on behalf of the controller. Master Services Agreement (MSA): The reseller contract with Tucows All text in quotation marks is from the GDPR

6 Why Should Resellers Care? The GDPR applies to businesses anywhere in the world with clients in the EU Any set of contact info could contain the personal data of an EU-local Tucows is applying the GDPR to everyone Protecting personal data is a good thing Other jurisdictions also have data privacy laws We want to provide the best possible security and personal data control to everyone on our platform Reseller Tip Resellers who focus on rest-of-world clientele could still be using personal data of EU-local individuals

7 Consent And Control The GDPR requires a legal basis for data use: Required in order to fulfill a contract, or Consent to use data beyond the minimum needed Which data elements do we require by contract? Name, Organization, , Country Registry contract may expand this set Other data such as a phone number may be used only if the Data Subject consents Reseller Tip What is the legal basis for data you collect? Which data is by contract, which do you need to get consent for, and which data do you no longer need?

8 Consent And Control Gathering and managing consent Registration process Ongoing domain lifecycle events Registrar transfer Ownership trade Request discloses consent-based data use Option to consent to this data use Review & modify at any time Reseller CP will show GDPR Consent Status and option to send consent page URL Reseller Tip How are you requesting consent for the data you process? Do you have a method for the client to modify their choice, or withdraw consent entirely?

9 What Does This Mean For Whois? Today, contact info for the registrant, administrative, and technical contacts are publicly displayed The GDPR will restrict what data can be displayed in the public Whois It will also restrict which data elements we can collect and share with registries Sample Current Whois Output Registrant Name: EXAMPLE REGISTRANT Registrant Organization: EXAMPLE ORG Registrant Street: 123 EXAMPLE STREET Registrant City: ANYTOWN Registrant State/Province: AP5 Registrant Postal Code: A1A1A16 Registrant Country: AA Registrant Phone: Registrant Phone Ext: Registrant Fax: Registrant

10 What Does This Mean For Whois? Today, contact info for the registrant, administrative, and technical contacts are publicly displayed The GDPR will restrict what data can be displayed in the public Whois It will also restrict which data elements we can collect and share with registries Sample Current Whois Output Registrant Name: Not disclosed Registrant Organization: Not disclosed Registrant Street: Not disclosed Registrant City: Not disclosed Registrant State/Province: Not disclosed Registrant Postal Code: Not disclosed Registrant Country: Not disclosed Registrant Phone: Registrant Phone Ext: 0000 Registrant Fax: Registrant

11 What Is The Future Of Whois? Personal data can no longer be published in the Public Whois unless there is a legal basis Once published, it s no longer secure Our solution is a gated Whois system with restricted access only for legitimate parties Sample Future Whois Output Registrant Name: Not disclosed Registrant Organization: Not disclosed Registrant Street: Not disclosed Registrant City: Not disclosed Registrant State/Province: Not disclosed Registrant Postal Code: Not disclosed Registrant Country: Not disclosed Registrant Phone: Registrant Phone Ext: 0000 Registrant Fax: Registrant GDPR@EXAMPLE.TLD

12 What Is The Future Of Whois? Personal data can no longer be published in the Public Whois unless there is a legal basis Once published, it s no longer secure Our solution is a gated Whois system with restricted access only for legitimate parties Sample Future Whois Output Registrant Name: EXAMPLE REGISTRANT Registrant Organization: EXAMPLE ORG Registrant Street: 123 EXAMPLE STREET Registrant City: ANYTOWN Registrant State/Province: AP5 Registrant Postal Code: A1A1A16 Registrant Country: AA Registrant Phone: Registrant Phone Ext: Registrant Fax: Registrant @EXAMPLE.TLD

13 Do We Still Need Whois Privacy? Future of Whois is uncertain Data may be legally required in public Whois Whois Privacy still has benefits: A placeholder provides a way to contact the registrant Personal data is hidden from view even in the Gated Whois Existing reveal policy remains in place Sample Whois Privacy Output Registrant Name: Contact Privacy Registrant Organization: Contact Privacy Registrant Street: Privacy address Registrant City: Privacy City Registrant State/Province: Privacy State Registrant Postal Code: Privacy Postal Code Registrant Country: Privacy Country Registrant Phone: Registrant Phone Ext: Registrant Fax: Registrant me@contactprivacy.com

14 Transparency Protection of personal data Secure storage and encryption/pseudonymisation Prompt reporting of high-risk data breaches to security authorities Contract updates Reseller Master Services Agreement will be updated to cover data sharing End-user Domain Registration Agreement will explain all data use Reseller Tip Analyze your data security practices and review your end-user agreements to identify changes needed for GDPR compliance

15 The Right To Erasure Article 17 of the GDPR Data Subject can request the erasure of their personal data Controller must comply without undue delay Controller must notify third-parties with whom it shared the data There are exceptions, not all data is subject to the right to be forgotten Contract-based data: NO Consent-based data: YES Reseller Tip Determine which data you collect are subject to the right to erasure, and develop a process to fulfill these requests promptly and completely

16 The Right To Erasure GDPR: It shall be as easy to withdraw as to give consent We will give every data subject a method to give and withdraw consent Withdrawal triggers a review and erasure process on our side Data held by contract will remain on file until no longer required by law Reseller Tip Determine which data you collect contractually, and work with your legal team to confirm the data retention terms

17 What Should Resellers Do Next? Work with your own legal counsel to evaluate GDPR Compliance needs Analyze your data security practices, find and fix weak points Review the data you collect and process to determine the legal basis What changes to your own contracts are needed? How are you requesting consent for other data use? Determine which data you hold are subject to the right to erasure Put a process in place to fulfill those requests promptly Determine data retention periods for contract-based data use

18 What Tucows Changes Will Impact Resellers? Biggest changes: Gated Whois system Consent Management process including option for URL request Reseller and End-user contract updates Subscribe to our GDPR Newsletter and watch our blog for updates

19 Resources GDPR Resource Page: OpenSRS ENOM Blog posts: OpenSRS ENOM Master Services Agreement: OpenSRS ENOM Domain Registration Agreement: OpenSRS ENOM

20