You’ve probably heard mention of the GDPR, and likely have questions about its scope, implications and potential effects, both on your own business, and the domain industry as a whole.
Last updated: March 6, 2018
The European Union’s General Data Protection Regulation (GDPR) lays out a new set of rules for how the personal data of people living within the EU (“EU-local individuals”) should be handled. The policy comes into full effect on May 25, 2018, and we recommend that you start preparing now by speaking with a lawyer and familiarizing yourself with the information we’ve provided here.
Though it’s complex and far-reaching, at a high level, the GDPR can be understood in terms of three fundamental concepts:
Clear, informed consent and individual control over the use of personal data are basic rights in the GDPR. Any business collecting or processing personal data must not only obtain consent to do
The GDPR imposes requirements around how companies should address security breaches that expose sensitive personal information. In the event of a breach, anyone whose information may have been exposed must be notified as soon as possible, and that notice should include an explanation of what happened, what’s being done to fix it, and what those affected should do to protect themselves. This type of information empowers each person to respond in the way they think is best in each circumstance in order to protect their own privacy.
Under these new rules, EU-local individuals have the right to revoke consent for a service provider to use their data. When this happens, the provider must essentially erase all record of the individual, giving them a fresh start. This requirement is not without consequences or limitations: some services can’t be provided without personal information, and sometimes personal information has to be kept for reasons of public interest or relating to legal claims.
The GDPR helps protect privacy in the digital age. The European Union views the protection of personal data as nothing less than a fundamental human right, alongside other rights such as freedom of expression, freedom of thought, and the right to a fair trial. Although there are other existing privacy laws in effect already, the GDPR is different in its scope of applicability and because significant fines may be levied for non-compliance.
The GDPR replaces the 1995 EU Data Privacy Directive, harmonizing privacy laws across the EU. Once it comes into effect on May 25, 2018, it will be law in all EU member states.
The GDPR impacts all Enom clients, as the changes we are making in response to the GDPR will be applied platform-wide. It also affects you if your business processes, or has the potential to process, the personal data of individuals living in the EU, regardless of whether you actively sell services in the EU. You now need to ensure that you’re obtaining permission from these customers to use their personal
While the rules outlined in the GDPR apply only to EU-local individuals, we plan to adopt a broad, one-size-fits-all approach* to implementation, and changes to how data is collected and handled may happen on a global scale as companies modify their existing practices to ensure they are compliant with these new regulations. Rest assured, we are doing everything we can to minimize disruption to our domain management and registration processes for both registrants and resellers.
In designing our approach to GDPR compliance, we’re keeping two things in mind: our need to operate within the bounds of legal requirements, and our commitment to keeping domain purchase and management as straightforward, simple, and instantaneous as possible for the end-user.
We’d also like to take a moment to reinforce this point: Tucows (our parent company) does not share personal data beyond what’s needed to provide the service that the client ordered. We have never sold our clients’ personal information, and we certainly aren’t going to start now.
Here’s a high-level look at how we’ve broken down the GDPR and the steps we are taking to achieve compliance by May 25, 2018. Further below, you’ll find resources that provide greater context and additional information on specific topics.
Enom will implement a new “gated Whois” system. Under this new system:
This switch to a gated Whois is being made in an effort to reconcile our GDPR-imposed restrictions with our ongoing obligations as an accredited registrar. As of May 25, 2018, registrant information—name, organization, address, phone number, and email—will be considered personal data that can no longer be published in the public Whois. However, we feel authenticated access to this information, in a specific and limited manner, must be provided to those with legitimate reasons to request it. A gated Whois system will allow for this, while also ensuring that private information remains guarded.
You can view a snapshot of what these changes will look like or, for more context, you can read our full Whois Changes post. We've also curated a list of resources that provide helpful context and insight into how other key players are thinking about the future of Whois.
Regardless of any changes to the Whois system, Whois privacy will remain a valuable service to registrants worldwide. Even when the public Whois “goes dark”, it is certain that there will still be a gated Whois, where registrant data will be made available to parties with a legitimate interest. So, while the audience for registrant data may no longer be the entire public, it will still be sizable. This is where Whois privacy comes in—if privacy is active on a domain, the personal data in the registration record will remain protected from those with access to the gated Whois. The service also provides a way for third parties to contact the domain owner via the privacy service email address displayed in the Whois output, an option that will not be provided as a part of GDPR data protection. In addition, the personal data associated with a domain that is protected by Whois privacy will not be shared with registries.
We continue to evaluate our plans; at this point, we can say that once the GDPR is in effect, we’ll introduce at least two new consent-related processes:
We’ll begin the practice of sending every new domain owner a consent request once their initial domain registration request has been processed. Here we will disclose all the uses of personal data that are required by
Once the initial consent is granted, each domain owner will be given access to a consent management page where they may review and modify their consent choices on an ongoing basis, or revoke their consent at any time.
We are still finalizing the specific workflows that we will use to obtain consent from our registrants, not to mention our resellers. Whatever method(s) we do choose will:
Any data that must be processed in order to register a domain, or provide any other type of service, will be covered under
Certain registries require additional information in order to complete domain registrations, and in these cases, we will include in our contract a point about processing those additional pieces of registrant data.
We will request consent from the data subject when:
*Previously, we had discussed plans to apply our internal, GDPR-related process changes only to EU-locals. We have since changed our approach and now plan to apply these changes platform-wide.