MENU
  • Enom.com
  • Resellers

Enom Blog

Featured
Category

  • GDPR Checklist for Enom Resellers

    May 17, 2018

    Advice, Announcement, Featured, GDPR, Uncategorized

     Like

    Views: 4582

    Any time there’s a dramatic shift in our industry, we focus on minimizing the impact on our resellers and providing you as much information and assistance as possible. Admittedly, our GDPR communications work has proven fairly challenging, in part because we’ve simply never seen a shift quite as dramatic as that prompted by the GDPR. While we wanted to equip our resellers with specifics about our implementation plan and a concrete list of action-items right from the get-go, developing long-term solutions that both achieved GDPR compliance and established processes in which registries, registrars, and resellers can play their specific, essential roles required considerable collaborative efforts from players across our industry.

    There’s still much work to be done, but today we’re happy to be able to offer a concrete list of GDPR action-items for Enom Resellers and helpful resources in the form of flowcharts, example landing pages, and FAQs. We’re even happier to say that the to-do list is a short one which will likely require minimal work on your end.

    Having said that, we must remind you that legal counsel is an essential part of any comprehensive GDPR compliance strategy. This checklist is not legal advice, and ensuring its completion by no means guarantees your compliance with the GDPR. Speak with a lawyer who is familiar with your business and equipped to judge whether your internal practices achieve compliance.

    Reseller Action-Items

    Most of these items will necessitate adjustments on your end. You may determine that some do not require action on your part, but all are significant and important for our clients to understand.

    1. Make Sure You’re Familiar with Our Newly Introduced Consent Management Process

    Moving forward, Enom will reach out to end-users to request their consent to process certain pieces of personal information. This “Consent Management” flow involves the sending of a request email which contains a link to the registrant’s unique Data use consent settings page. This Data Use Consent Settings page serves as the registrant’s means to view their settings, manage their settings, and withdraw consent, should they choose to do so. It also contains a link to the Data use information page, which provides more information about how personal data is processed.

    To the registrant, it’s a straightforward experience that makes clear Enom’s relationship with their Registration Service Provider (Reseller). We recommend you take a look at these samples, so you’re aware of what this process will involve for your customers:

    Consent management sample flow – new registration
    Consent management sample flow – consent choice change

    Resellers will be able to view the GDPR consent status for each domain they have under management from the Domain Control Panel, within their Enom reseller account. If you’d like more information on why we require the end-user’s consent to process certain personal data, please check out our Consent blog post.

    2. Understand How to Provide Your Customers Access to Their Data Consent Settings Page

    According to the GDPR, “It shall be as easy to withdraw as to give consent.” With this in mind, we’ve provided our resellers two straightforward options to email a registrant the URL for the registrant’s Data Use Consent Settings page upon request:

    • Option 1: Via the API using the SendConsentEmail command
      Resellers can use this command to integrate into their own end-user portal an option for users to request that the Data Use Consent Settings page URL be sent to the registrant email.
    • Option 2: Via the soon-to-be-available “Send Consent Email” option in your Enom reseller account.
      Resellers can use this new button in the “Domain Control Panel” section of your Enom reseller account to send out the Data Use Consent Settings page URL to the registrant email listed for any domain in their account.

    Please note: both of these options will be available as of Monday, May 28, 2018.

    3. Ensure You’re Prepared for Our Updated Domain Transfer Process

    Once the public Whois “goes dark” in the days leading up to May 25, 2018, Enom will begin using a new process for domain transfers. The end result will be a process that creates a more streamlined experience for domain owners, while continuing to be secure against domain theft. Moving forward, when an inbound registrar transfer is ordered, we will submit the transfer directly to the registry instead of waiting for the Form of Authorization to be completed.

    You can check out our blog for the full details, but here’s a snapshot of the updated process:

    4. Enom Is Moving to a Gated Whois System

    For the full scoop, refer back to our Whois Changes blog post; for today, just keep in mind that after that go-live date, most public whois servers will cease the publication of personal data, and providers will start offering a “gated” or “tiered access” Whois system. Enom resellers don’t need to make any changes — your own clients’ data will continue to appear in your Enom reseller account, and we’ll take care of making sure the public Whois output is fully compliant with privacy regulations, so you’re good to go.

    These changes are also summarized in this quick PDF.

    5. Our Updated Reseller Agreement Now Requires That Resellers Process Data in a GDPR-Compliant Manner

    Hopefully, you’re well on your way to compliance with the GDPR. Enom has updated our Reseller Agreement to include information about the consent management process and the addition of a Data Processing Addendum (DPA), with EU standard contractual clauses to allow data transfer from the EU to non-EU jurisdictions. We encourage you to familiarize yourself with all the recent GDPR-related changes we’ve made to our Reseller Agreement by taking a look the updated version.

    6. We’ve Updated Our Agreement with Registrants

    Our Domain Registration Agreement serves as the service contract between Enom and the domain owner (registrant). We don’t expect the GDPR-related updates to this agreement to be reseller-impacting, these changes primarily relate to the registrant’s consent management flow and the data retention and erasure policy. Keep in mind that all resellers need to display this updated agreement to customers as part of the domain registration process.

    Reseller Resources

    All important Enom resources relating to the GDPR can be found in our central GDPR knowledge base article, but for convenience, we’ve also listed them below. We hope the following resources help our reseller partners assist your clients with GDPR-related changes:

    Overview

    Our GDPR Webinar
    Central GDPR knowledge base article and FAQ

    Specific Platform & Process Changes

    Consent Management

    Consent management sample flow – consent choice change
    Consent management sample flow – new registration
    Consent management FAQ

    End-user consent request emails – The means by which we send the Data Use Consent Settings page URL (see below) to the registrant.
    Data use consent settings pages – The location from which a registrant can set, view, and update their consent preferences or revoke consent.

    Domain Transfers

    Transfer process changes infographic – a before and after GDPR comparison

    Whois Changes

    Whois Changes Overview PDF
    Whois Changes FAQ

    API Changes

    A new SendConsentEmail command has been introduced.

    Contract Changes

    Updated Reseller Agreement
    Updated Domain Registration Agreement
    Data Processing Addendum

    And there you have it. We appreciate that for those resellers affected by the GDPR, achieving compliance has involved a great deal of internal work, in addition to that required to accommodate the changes Enom is making to our platform. And while we’ve made every effort to keep this Reseller Checklist short and easy-to-implement, we know, as members of that same complex registry-registrar-reseller channel in which you operate, that small changes made by one player can have a big impact on others. We view our GDPR implementation work as essential to ensuring that the Enom platform evolves to meet the long-term needs of our resellers and the demands of a highly interconnected internet ecosystem. Greater control over one’s personal data is a good thing, and we’re happy to be able to extend to all users on our platform the rights and protections outlined in the GDPR.

    Read More

  • GDPR Q&A for Domain Resellers

    March 27, 2018

    Featured, GDPR, Industry Insight

     Like

    Views: 8147

    We had a great turnout for our GDPR webinar, and attendees asked many intelligent and insightful questions about the regulation and our implementation of its requirements. We’ve made available a PDF of the full Q&A session, but if you prefer a shorter read, here are some of the highlights:

    1. What is the allowed time limit for the changes to take place on the side of the reseller?

    First off, if you collect and process the data of EU-locals, or have the potential to, you need to ensure you are doing so in a GDPR-compliant manner by May 25, 2018. Otherwise, you are putting your business at risk. In addition, our agreements with resellers will be updated to require that resellers process data in a GDPR-compliant manner. As for changes that must be made on the reseller’s side which specifically relate to Tucows’ domain registration processes and modifications to our platforms, there are no mandatory changes you need to make, but there are changes on our end that you need to understand and adjust for if you feel it necessary.

    One such change is our new Whois system. Another is the introduction of the consent management page for end users, the details of which we address in the question below. On that note, we are not expecting to have consent for all the millions of domains on our platform from day one (May 25), but by requesting consent at the time of domain registration, renewal, or transfer, we expect that the majority of the registrants in our system will have indicated their consent selection within the first year of this requirement being active. You should consult with your lawyer to determine how to handle consent collection and overall GDPR compliance for your own business.

    2. What happens to pre-existing data, and do we need to send the consent management landing page link to all existing users?

    Data that is used to perform the domain registration contract will be maintained in our system for as long as is legally required. For pre-existing data that now requires consent, we will request that consent on a timeline that has been deemed appropriate by our Legal team. We will send the consent management landing page link to the end user at three potential points in the domain lifecycle: when new registration is created, when a domain transfers into our system, or when a domain is renewed. Additionally, resellers may send out the link at their discretion via the option that will be in the control panel or the new API call that we will be offering.

    3. Compliance sounds as simple as gaining consent from clients. If their consent has been given, then I’m covered under the GDPR, right?

    It’s not that simple, in part because there are clearly defined limitations around what constitutes legitimate consent, all of which are outlined in our Consent blog post. Furthermore, the GDPR’s requirements go beyond consent to include things like data minimization, secure processing and storage of data, and more. I can say that from the domain services perspective, we’ve got things covered. This compliance will be achieved through a combination of contract-based and consent-based data processing and data minimization. If you are collecting and storing personal data for your own purposes, beyond what is required by us, we recommend that you talk to a lawyer who is familiar with the GDPR to fully assess the risk that you’re taking by not updating your own processes to comply with the new law.

    4. How will domain transfers work moving forward? If a reseller cannot see who owns a domain how can they initiate its transfer with confidence that the request is legitimate?

    As mentioned in the question, the problem with continuing to use the transfer process as it stands today is that the gaining registrar would not reliably know where to send the initial Form of Authorization (FOA), since the registrant email will no longer be publicly available to them. To address this issue, the Registrar and Registry Stakeholder Groups’ joint TechOps (Technical Operations) sub-group has sent a letter to ICANN, proposing changes to the transfer process. They suggest that the initial Form of Authorization should be optional, and instead, possession of the transfer authorization EPP code will be required to initiate the transfer. Then the current registrar, which does know the owner’s email, would send a mandatory confirmation FOA (this FOA is currently optional), and the transfer would only proceed if the domain owner completes the FOA sent by the current registrar within 5 days.

    The letter in which this change was proposed was sent to ICANN very recently, so we don’t yet know how ICANN will respond. Changing the transfer process is not a simple task, as it’s a consensus-based policy with a specific protocol that must be followed to approve any modifications. Each registrar will have development work to do once the course of action has been determined, but the domain community is united in working towards a timely and viable solution.

    5. How does the law address proving identity? As an example: I can create a domain using the registrant name “Donald Duck”. If another Donald Duck discovers this and asks for the info to be removed, what proof must he provide to verify that he is, in fact, the same Donald Duck that registered the domain?

    The choice to give consent, and the related ability to request erasure of one’s personal data, is all tied to a user profile which consists of a unique combination of the data elements we require contractually: name, organization, email and country. If two registrants share the same name but have a different organization, email, and/or country, they are considered to be two separate people, with distinct user profiles in our system. If a request for erasure comes in from someone who does not match the full contact data set associated with a domain, but that someone still claims to be the registrant and data subject for that domain, our Compliance team would work to address the issue.

    6. The current system in place requires law enforcement to have warrants or legal grounds in order for them to obtain the Whois information for a privacy-protected domain. If they get access to the gated Whois, does this mean that they can access this information without having to provide proof of legal grounds to get the data?

    Access to the gated Whois will only reveal information which is currently (prior to May 25 2018) public. It will not reveal the Whois information for privacy-protected domains. In fact, the Whois output for privacy-protected domains will be the same in both the public and gated Whois, and we will continue to require a court order or other legal documentation for access to this information, as we do today.

    7. Can we run our own privacy service, i.e. have our information show in Whois?

    This is a complex decision for a reseller to make, for a few reasons. There are requirements in our Reseller Agreements around what privacy or proxy services may be used for domains on our platform. Additionally, ICANN has requirements for any privacy or proxy provider and is working now on an accreditation process for providers of those services. We encourage any reseller to review their options with the help of their legal counsel and the operative reseller agreement before beginning to offer such a service.

    8. When will you publish the final updates being made to your contracts?

    While we appreciate that uncertainty around these changes is difficult, we hope that an industry-standard amendment will make things easier for both our resellers and the industry as a whole. At the same time, we know that we can’t wait too long before sharing those changes with you. If the industry-wide amendment is not ready for distribution by the end of March, then in early April, we will release our own contract changes to our partners.

    9. Can a non-EU domain registrant waive the protections and keep their data public?

    Not at this time. We believe that providing such an option puts data at risk and exposes it unnecessarily, but this is currently the subject of discussions within ICANN and with various European DPAs, and we will reevaluate our implementation from time to time in light of further policy developments and guidance received from government authorities.

    10. How will the fines for non-compliance be monitored and collected, and who will be enforcing them against US companies?

    Each EU country, and in some countries each region, has a Data Protection Authority (DPA) who enforces the GDPR. If you have a presence in an EU country, that is likely the DPA with whom you would interact. If you do not, the DPA of the country where the violation occurred would probably be the enforcer. The enforcement process will rely on reporting, meaning the EU has not indicated that it plans to conduct audits, but instead, will investigate potential GDPR violations as they are brought to the DPAs’ attention.

    Learn more about the GDPR:

    GDPR Updates – Understand Enom’s approach to the policy

    • GDPR-Related Contract Changes (Published on Mar. 5, 2018)
    • The GDPR’s Right to Be Forgotten (Published on Jan. 18, 2018)
    • Consent and the GDPR (Published on Dec. 21, 2017)
    • How will the GDPR impact Whois? (Published on Nov. 9, 2017)
    • The GDPR Overview (Published on Oct. 30, 2017)

    GDPR Resources – View third-party resources on a specific GDPR topic

    • Right-to-be-forgotten-related resources (Published on Feb. 1, 2018)
    • Consent-related resources (Published on Jan. 4, 2018)
    • Whois-related resources (Published on Dec. 7, 2017)
    • GDPR Basics & Best Practices Resources (Published on Nov. 9, 2017)

    Read More

  • GDPR-Related Contract Changes

    March 5, 2018

    Announcement, Featured, GDPR

     Like

    Views: 8034

    If you’re reading this, chances are you have questions about the GDPR and how Enom is preparing. We’ve got answers! Sign up for our GDPR webinar on March 7 or March 8 to learn from one of our GDPR experts.

    The GDPR can be approached in terms of three fundamental concepts:

    1. Consent and control

    2. The Right to be forgotten

    3. Transparency

    We’ve talked about two of these concepts in past blog posts, and today we’ll look at the third: Transparency.

    Transparency is one of the core principles in the GDPR, emphasized in Article 5 of the policy, which states that personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject,” and must be collected for “specified, explicit and legitimate purposes.” In short, the data subject has to be kept informed as to what data is being collected and how that data is being used.

    One of the main ways that we inform our clients about how their data is being used is through our contracts, and we are now ready to share more information about the upcoming changes to our reseller and end-user service agreements, which are being made as part of our GDPR implementation efforts.  

    Before we dive into the specifics, I want to emphasize again how important it is to read the GDPR for yourself, and to engage legal counsel who is competent to support your business through the process of coming into compliance with the GDPR.

    As we work in partnership with our clients to ensure that we accept, collect, process, and share personal data in a GDPR-compliant manner, there will be changes to our contracts, in the form of either a stand-alone Data Processing Agreement or an Addendum to the Reseller Agreement and Domain Registration Agreement. Regardless of whether we take the stand-alone-agreement or addendum route, there are a few things that you need to be aware of as a reseller.

    Changes to Our Contracts with Registries

    As a registrar, we have a Registry/Registrar Agreement in place with every registry with which we are accredited. We expect that many of these Agreements will be updated by the affected registries to be compliant with the GDPR. To this point, however, we’ve seen inconsistent approaches from the European ccTLD registries, and no GDPR-related contract updates from gTLD registries. We are working together with other industry groups to standardize a model for what these contractual changes will look like; without a standardized approach, we would have to negotiate individual amendments with each registry, a difficult undertaking to complete by May 25, 2018, given the number of registries with which we partner.

    Moving Toward an Industry-Standard Approach to Contracts

    Given the changes we expect to see from registries, changes we expect registrars will make, and changes that we believe will be recommended by ICANN, we are hopeful that industry-standards will develop in the coming weeks which we can incorporate in our changes to our own agreements. These efforts are ongoing, but once a final decision about exact language has been made, we will update you. While we appreciate that uncertainty around these changes is difficult, we hope that an industry-standard amendment will make things easier for both our resellers and the industry as a whole. At the same time, we know that we can’t wait too long before sharing those changes with you. If the industry-wide amendment is not ready for distribution by the end of March, then in early April we will have our own contract changes out to our partners.

    Changes to Our Contract with Reseller Partners

    Our amendments to our reseller agreement will outline the obligations for both ourselves and our clients that are necessary to ensure that every user on our platform is fully protected in a way that aligns with the GDPR. We expect that contract changes will track certain standardized language that has been approved by the European Commission in years past, such as this European Commission decision, which provides some standardized contract language for data sharing.

    Here are some of the changes that you can expect to see in our Reseller Agreement which governs the services we provide to resellers. These updated requirements will apply both to us and to our resellers:

    Data Storage
    • All personal data must be stored securely and handled with appropriate protections
    • Any subcontractors who are allowed to access data also must have adequate security in place
    Data Sharing
    • Any data sharing must be done in accordance with the GDPR  
    • Data that is shared must be maintained securely by both the sending and the receiving parties
    • Any data exporter will be liable for damages suffered by the data subject for any violations of the GDPR
    Disclosure
    • The data subject will be informed about the collection and sharing of their personal data in a GDPR-compliant manner
    • All contracted parties (including Tucows and the reseller partner) agree to work cooperatively with Data Protection Authorities if questions arise about the use and sharing of personal data

    Changes to Our Contract with Registrants (End-Users)

    For our Domain Registration Agreement, which governs our relationship with the domain registrant, changes will include:

    • Clear explanation of which data elements are required by contract — we require the registrant’s first and last name, organization name (if provided), email address, and country; Registry agreements may extend this contractual data set.
    • Confirmation that, if a third-party’s contact information is used as the domain’s administrative, billing, or technical contact, the registrant will have the appropriate contract and/or consent with that third-party to satisfy the GDPR’s requirements around data use

    Moving forward

    Rest assured, there will be no major surprises found in the changes to the Master Services Agreement or Domain Registration Agreement, provided your business is GDPR compliant. As always, we’re taking care of the heavy lifting to minimize the effort required on your end. We hope this allows you to remain focused on your day-to-day business and whatever internal changes you may need to make to come into compliance with the GDPR. Take a look at the European Commission’s standard contract text, and keep an eye out for our future updates. And don’t forget to sign up for our GDPR webinar, where we’ll share more details about exactly how this new regulation is affecting the Enom domain service offering. Hope to see you there!

    Learn more about the GDPR:

    GDPR Updates – Understand Enom’s approach to the policy

    • The GDPR’s Right to Be Forgotten (Published on Jan. 18, 2018)
    • Consent and the GDPR (Published on Dec. 21, 2017)
    • How will the GDPR impact Whois? (Published on Nov. 9, 2017)
    • The GDPR Overview (Published on Oct. 30, 2017)

    GDPR Resources – View third-party resources on a specific GDPR topic

    • Right-to-be-forgotten-related resources (Published on Feb. 1, 2018)
    • Consent-related resources (Published on Jan. 4, 2018)
    • Whois-related resources (Published on Dec. 7, 2017)
    • GDPR Basics & Best Practices Resources (Published on Nov. 9, 2017)

    Read More

  • The GDPR’s Right to be Forgotten

    January 18, 2018

    Featured, GDPR, Industry Insight

     Like

    Views: 8449

    New Year’s resolutions aren’t for everyone, but I think most of us like the idea of a restart, the sense that slates can be wiped clean (to an extent), and that a departure from one’s current path is possible. This notion of a fresh start takes on a higher level of significance in the digital era. These days, many of us have a substantial online presence that lives both in public-facing platforms like Facebook or Twitter and in the private databases of our service providers, and I think we all feel entitled to some level of control over our personal digital histories. The right to erasure, as outlined in the GDPR, is meant to give individuals this control.

    What is the right to be forgotten?

    Article 17 of the GDPR outlines the data subject’s right to erasure, also known as the right to be forgotten. It gives each data subject the right to request that a controller erase the subject’s personal data. It also requires the controller to comply with any such request “without undue delay” as long as one of six specific legal grounds applies. On top of this, it states that in cases where the controller has made personal data public, the controller must reach out to any other controller who is processing the data and inform them about the request for erasure so that the appropriate steps can be taken. Finally, Article 17 lays out several exceptions where the right to erasure does not apply. These include instances when processing of data is necessary for “exercising the right of freedom of expression and information,” for “compliance with a legal obligation,” or for “the establishment, exercise or defense of legal claims.”

    Legal grounds for processing data

    If you think back to our post about obtaining consent, you’ll recall that the GDPR gives several legal bases for using personal data. The two that most commonly apply to the domain registration world are when the processing is necessary for the fulfillment of a contract, and when the data subject consents to the processing. Our Registration Agreement outlines exactly what data is required in order to register a domain, so the data elements included there are what are required to fulfill the contract. Any extra data that someone chooses to provide, such as a phone number to be used as a backup authentication method, would be processed under the legal basis of consent.

    What data falls under the right to erasure?

    “The right to be forgotten” is not as straightforward as the phrase’s catchy nature might imply. While a data subject can place a request to a controller to have their data erased, the request is only legitimate under certain legal grounds. I’ll lay these out and then narrow our focus to what they mean for Enom (and very likely, for you!).

    These legal grounds include:

    • The data is no longer needed for the purpose for which it was originally collected,
    • The processing is based on consent and the data subject withdraws that consent,
    • The data subject exercises their right to object under Article 21 of the GDPR,
    • Processing is not lawful (there was no legal basis in the first place),
    • The controller is subject to a legal obligation that requires the erasure of the data,
    • Some things related to children’s rights, which don’t apply since we don’t sell domains to children.

    For Enom’s purposes, data that is processed based on consent is subject to the right to erasure — the data subject can withdraw their consent, the controller must erase this data, and, if the data has been made public, notify other controllers or processors to do so as well. Enom also uses data that is processed based on a contract and is not subject to the right to erasure; a request to erase would not apply to those data elements. In these cases, erasing the data would require terminating the contract. Even then, there are other legal obligations around data retention that may come into play, such as regional laws that require data to be stored for certain time periods.

    How can a person exercise their right to erasure?

    Article 7 of the GDPR lays out how consent works as a legal basis for data processing, and also requires that consent may be withdrawn at any time, specifically stating that “It shall be as easy to withdraw as to give consent.” We’re fulfilling this requirement by ensuring that the consent management landing page remains available and easily accessible to each data subject to whom we provide services. On this page, a subject can view the existing consent settings and also change or withdraw consent. A withdrawal request will trigger a process on our side to find and delete any data that is held based on consent. Data that is required by contract, however, would remain intact. This gives the data subject complete control over the use of their personal data, while also ensuring that the domain registration itself is not interrupted unnecessarily.

    Looking ahead

    The opportunity for a fresh start provided by the GDPR’s right to erasure is a year-round thing, not confined to the first of January. But now, with the glitter from New Year’s parties still stuck in our carpets, it might be a good time to think about how you’re preparing to provide this option to your clients. In our own development process, our mantra has been “it must be as easy to withdraw consent as it is to give it, and when erasure is requested, it must be completed ‘without undue delay’.” Work with your legal team to determine which of the data elements you collect are subject to the right to be forgotten, and develop a process to fulfill those requests promptly and completely. Giving your clients easy access to a “fresh start” will certainly require some development work on your end, but it’s an opportunity to employ some great UX and reassure them that you take the principles of transparency and privacy seriously.

    If you found this post helpful, check out our GDPR page. We also encourage you to sign up for our GDPR newsletter so you don’t miss a thing!

    Learn more about the GDPR:

    GDPR Updates – Understand Enom’s approach to the policy

    • GDPR-Related Contract Changes (Published on Mar. 5, 2018)
    • Consent and the GDPR (Published on Dec. 21, 2017)
    • How will the GDPR impact Whois? (Published on Nov. 9, 2017)
    • The GDPR Overview (Published on Oct. 30, 2017)

    GDPR Resources – View third-party resources on a specific GDPR topic

    • Right-to-be-forgotten-related resources (Published on Feb. 1, 2018)
    • Consent-related resources (Published on Jan. 4, 2018)
    • Whois-related resources (Published on Dec. 7, 2017)
    • GDPR Basics & Best Practices Resources (Published on Nov. 9, 2017)

    Read More

  • GDPR Resources: Consent

    January 4, 2018

    Featured, GDPR, Industry Insight

     Like

    Views: 7426

    Business woman considers the GDPR in front of parliament building in Brussels

    The GDPR’s requirements around consent for data processing are complex, and we aren’t the only ones thinking about what this means for our business or how to best comply with the regulation. Below, we’ve shared a few links that give some added context around consent as it relates to the GDPR.

    How the GDPR will disrupt Google and Facebook

    The title says it all. This article speculates on how Google’s and Facebook’s current consent request processes might have to change in order to become compliant with the GDPR’s consent and data use requirements. It lays out a GDPR risk scale, examines where different consent methods fall on this scale, and then evaluates personal data use by Facebook and Google to estimate where those different data uses rank and what changes the tech giants may need to make in order to continue processing this data in a post-GDPR world. The conclusion is that, while much of this personal data processing can be done in a way that is GDPR-compliant, the requirement to obtain consent will disrupt the ability to use data for marketing and advertising purposes. The extent to which this impact will be visible to the average user remains to be seen.

    WP29 Guidelines on Consent under Regulation 2016/679

    In our GDPR Resources: Whois Changes post, we looked at a letter that the Article 29 Working Party (“WP29”) sent to ICANN; here’s another great publication from the same advisory body, offering guidelines on how consent can be used as the legal basis for data processing under the GDPR. WP29’s interpretation of the GDPR aligns with our own understanding of the consent requirements and serves as a helpful resource for anyone working to create their own consent request processes.

    ICANN’s GDPR legal analysis

    The second and third memos from Hamilton Advokatbyrå have been published, following the first memo which we discussed in a previous GDPR Resources post. The most recent memo focuses on how the Whois system would need to change to be compliant with the GDPR, and refers to a conclusion drawn in the first memo: although consent would be a possible legal basis for publication of Whois information, it would not result in a fully accessible Whois like we have today, since data subjects will be able to withdraw consent, preventing any “extra” data (which isn’t necessary to providing domain registration services) from being published. Anyone keeping up with GDPR policy will want to keep a close eye on these Hamilton memos and the domain industry’s responses to them.

    We’re happy to see that many of the assessments and practices being discussed by other key players in the industry are in line with our own plans for a gated Whois system and revamping of our consent request processes. We want to support our resellers through this transition by providing useful resources and maintaining a high level of transparency about our own GDPR implementation plans. Sign up for GDPR updates to make sure you’re kept in the loop!

    Learn more about the GDPR:

    GDPR Updates – Understand Enom’s approach to the policy

    • GDPR-Related Contract Changes (Published on Mar. 5, 2018)
    • The GDPR’s Right to Be Forgotten (Published on Jan. 18, 2018)
    • Consent and the GDPR (Published on Dec. 21, 2017)
    • How will the GDPR impact Whois? (Published on Nov. 9, 2017)
    • The GDPR Overview (Published on Oct. 30, 2017)

    GDPR Resources – View third-party resources on a specific GDPR topic

    • Right-to-be-forgotten-related resources (Published on Feb. 1, 2018)
    • Whois-related resources (Published on Dec. 7, 2017)
    • GDPR Basics & Best Practices Resources (Published on Nov. 9, 2017)

    Read More

« Previous 1 2 3 … 6 Next »

FEATURED POSTS

  • Colleagues review ICANN's temporary specification requirements.

    What Domain Resellers Should Know About ICANN’s Temporary Specification

    September 18, 2018

  • keys on surface.

    Enom’s Tiered Access Directory (gated Whois)

    June 19, 2018

  • Why Choose an EV SSL Certificate?

    June 13, 2018

  • What you should know about ICANN’s May 25th Legal Action

    May 29, 2018

CATEGORIES

  • Advice
  • Announcement
  • Developers
  • DNS
  • Featured
  • Fun
  • GDPR
  • Industry Insight
  • New TLDs
  • News
  • Premium Domains
  • Promotion
  • Resellers
  • Roadmap
  • SSL
  • Uncategorized
  • WTB

ARCHIVES

  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • September 2018
  • August 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • January 2016
  • December 2015
  • November 2013
Support
Report Abuse
Help Center
Contact Us

 Resources
WHOIS Lookup
Maintenance Alerts
Developers
Products & Services
Domain Name Search
Premium Domains
Web Hosting
SSL Certificates
Website Builder
Basic Email
Bulk Tools

© 2019 Enom Blog |