Eight Minute Expert GDPR. Login. Password

Transcription

1 Eight Minute Expert GDPR Login Password

2 MIN1 What is the GDPR? The General Data Protection Regulation is a new regulation by the EU that will replace the current Data Protection Directive of It is intended to enhance and unify the protection of personal information for all individuals living in EU member states. It is due to take effect across all EU member states from 25 May 2018 and will give individuals more control over what organisations can do with their data. Whilst it is an EU directive, the impact is global as any organisation who handles data belonging to EU residents or organisations needs to be compliant with the regulation.

3 MIN2 Terms and Terminology: GDPR: General Data Protection Regulation Data Subject: The person about whom the information relates Subject Access Request: a written, signed request from an individual to see information held on them, ask for the data to be corrected or deleted, or requesting information on how the data is held and why Personal Data: Any information relating to an identifiable individual Data Processing: Means obtaining, recording or holding the information or carrying out any operation on the information Data Controller: Is the person or organisation who determines the purposes for which and the manner in which any personal data are, or are to be, processed Data Processor: Any person or organisation who processes data on behalf of the data controller

4 MIN3 What are the main changes? GDPR now applies to anyone who offers services, markets to or collects details of EU citizens irrespective of where they are in the world Liability extended to data controller AND data processor Consent for the storage and use of personal information must now be freely given, specific, informed and unambiguous If personal information is lost or disclosed with no authorisation, companies must notify the relevant data protection authority, such as the Information Commissioner s Office here in the United Kingdom, about a Data Breach People now have the right to be forgotten meaning that data held by any organisation about an individual must be deleted if they withdraw their consent or object to the way in which the data is handled (only where there is no compelling reason to continue the data processing) All Data Protection Agencies can enforce the GDPR regardless of where the business is based Fines are up to 20 million or 4% of the annual global group turnover

5 MIN4 How information flows in the domain industry RESELLERS REGISTRY REGISTRAR CONTRACT INTERNET USERS EBERO ESCROW AGENT REGISTRARS ESCROW AGENT REGISTRIES REGISTRAR WHOIS DATA WHOIS CUSTOMERS REGISTRANT WHOIS DATA REGISTRAR CONTRACT ICANN REGISTRY CONTRACT

6 MIN5 Whois Data affected by GDPR DOMAIN INFORMATION REGISTRANT CONTACT ADMINISTRATIVE CONTACT TECHNICAL CONTACT

7 MIN6 How GDPR affects Domain Name Registries Data transfers to Data Escrow Agents, EBERO, ICANN, as required by ICANN and Registry Service Providers where instructed will need to comply with the requirements of the GDPR The data published on Whois will need to be minimised to only what is necessary A Lawful bases for processing and collecting data should be established. The lawful bases under the GDPR are: consent, performance of contract with the individual, a legal obligation, vital interests, interest of the public, your legitimate interests. As registries collect the data from Registrars cannot rely on consent to process data Information collected in the first instance needs to be minimised to what is necessary for the registration of the domain name A Registry is a data controller Zone files that can be accessed may contain personal data A Registry will have to process data subject access requests

8 MIN7 How GDPR affects Domain Name Registrars: Data Transfers to Data Escrow Agents, Registry Operators, ICANN will need to comply with GDPR requirements Data published on Whois will need to be minimised to what is necessary and kept up to date The information collected by Registrars must be minimised to only what is necessary for the registration of the domain name Even though in many occasions registrars collect the data from the registrants (data subjects) and could rely on consent to process the registrant s data, the performance of the contract (i.e. the registration of the domain name) would be a more reliable lawful bases The data published on Whois will need to be minimised to what is necessary A Registrar will have to process data subject access requests A Registrar is a data controller

9 MIN8 How this affects Domain Name Registrants: Registrants, where they are natural persons, under the GDPR, have the right to Ask what information the company holds about them and why Ask how to gain access to the information Request to change the information, where the data is incorrect or incomplete Object to or limit the processing of data carried out Be informed of how the company is meeting its data protection obligations Be informed of any data breaches which may impact them Ask to have their data deleted (under certain circumstances)