General Data Protection Regulation
You may or may not have heard about the “GDPR,” but on May 25th, 2018, the European Union’s General Data Protection Regulation (GDPR) comes into full effect, imposing a new set of rules for how the personal data of EU citizens should be collected and handled. This regulation will help protect individual privacy in the digital age and will impact your business (if you have EU customers or operate out of the EU) and the domain industry as a whole.
It’s important to get started now so you’re able to fully understand the implications the GDPR could have upon your business, and plan effectively to meet the updated requirements. This should involve a talk with your lawyer(s). Though we’re making an effort to supply resources and context, the information we’re providing should not be considered legal advice. Seeking professional legal counsel from someone who is familiar with your specific situation is critical. We encourage you to watch this page for updates and take a look at the resources below. You can continue reading for more information on what we’re doing to prepare.
Resources
EUGDPR.org
GDPR (full policy PDF)
The GDPR impacts you if you have EU customers or operate out of the EU. You now need to ensure that you’re obtaining permission from these customers to use their personal data, and meeting the updated requirements surrounding its handling. Before the GDPR comes into effect in May 2018, you’ll want to make sure you’re compliant. We recommend you get started now by talking to your lawyer(s) about what this means for your business, specifically. While the rules outlined in the GDPR apply only to EU citizens, changes to how data is collected and handled may happen on a global scale as companies modify their existing practices to ensure they are compliant with these new regulations.
“Data privacy by design, data privacy by default.” You may have heard this phrase recently, on Twitter or in blog posts, but where does it come from? What does it really mean?
The European Union’s General Data Protection Regulation (“GDPR”), coming into effect in May 2018, lays out a new set of rules for how the personal data of EU citizens should be handled. It sets out the protection of personal data as nothing less than a fundamental human right, alongside other rights such as freedom of expression, freedom of thought, and the right to a fair trial. The GDPR is complex and far-reaching.
Data privacy by design, data privacy by default
How many times have you bought a concert ticket online or RSVP’d to an event, only to find your inbox unexpectedly filling up with the concert venue’s newsletters and invitations to other events that are only tangentially related? Wouldn’t it be great if service providers had to get permission to use your contact information for anything other than what you’d provided it for in the first place?
That type of clear, informed consent is one of the basic requirements in the GDPR. Any business taking in your personal data not only has to explain what they need it for, they’re also simply not allowed to require you to provide more information than the absolute minimum they need to get the job done. What’s more, they can’t use your info for any purpose other than that which you agreed to in the first place. This puts you in charge of how your info is used from the very start — by design and by default — instead of making you unsubscribe after the fact.
Direct mail campaigns aren’t as popular as they used to be, but I still get a few pieces of paper mail each week, and I’m always both amused and a little scared at how companies I’ve never heard of get my contact information. A friend of mine used to put the name of the service provider in the second line of his address every time he signed up for something new, and he was amazed to find that his credit card and telephone providers shared his info with any number of sales companies.
Online marketers these days use email rather than postal mail, of course, but the underlying issue of your personal data being shared by someone you trusted with it remains, and the GDPR takes aim at this problem as well. Not only should companies’ use of your data remain within the limits of what you consented to, but the data needs to be stored securely, accessed only for the reasons already agreed upon, and cannot be shared with third parties outside the bounds of this regulation and what you consented to.
Quick, transparent reporting on data security breaches
We all know mistakes happen, and security best practices are constantly evolving. Living in the world means accepting some measure of risk, and it seems that every few days there’s a news story about a major data breach affecting hundreds of thousands of people — but usually by the time we hear about it, the breach happened months ago, leaving sensitive information exposed to the world and the affected people unaware. The GDPR addresses this with a timeframe around breach notifications, requiring that people whose information has been compromised are notified as soon as possible. This notice must include an explanation of what happened, what’s being done to fix it, and what the affected people should do to protect themselves. This type of information empowers each person to respond the way they think is best in each circumstance in order to protect their own privacy.
The right to be forgotten
I once created an account with a subscription box service, the kind that would send me new makeup every month. Only after I signed up did I discover that they were all sold out… I wouldn’t get anything for at least six months, if not longer — I can’t wait that long for new lipstick! I canceled the account, but couldn’t get them to stop emailing me, asking me to reactivate, choose my colors, pick my brands. Why can’t they just forget all about me? Or, for a perhaps more serious example, how often do we hear stories about people who lose out on job opportunities for which they would be very well-suited, just because of youthful indiscretions that still come up high in online search results?
That’s another important aspect of the GDPR: the right to be forgotten. Under these new rules, people can go back to service providers and revoke the consent to use their data, requiring the provider to remove all records and essentially erase them, giving them a fresh start. Now, this may not be without consequences (some services can’t be provided without personal information) and may not always be applicable (sometimes personal information has to be kept for reasons of public interest or relating to legal claims), but it’s certainly a lot more effective than sending an “unsubscribe” email, blocking the sender’s email address, and hoping for the best.
Again, please seek legal advice; we are not lawyers.