Businesses, large and small, are in the midst of preparing for compliance with the European Union’s new data privacy law: the General Data Protection Regulation, or the GDPR, which goes into effect on May 25, 2018.

The GDPR is very broad in scope and can apply to businesses both in and outside of the EU. Businesses that don’t comply with the GDPR could face heavy fines.

Here’s what you need to know about the GDPR. (Note: You should consult your own legal counsel to determine if you are subject to the requirements of the GDPR.)

What is GDPR?

GDPR is short for the General Data Protection Regulation, which goes into effect on May 25, 2018. It was passed by EU lawmakers to create a single, harmonised data privacy law across all EU member states. Its purpose is to:

What is Personal Data?

In a nutshell, GDPR defines personal data as “any information relating to an identified or identifiable natural person.”

Okay, so what does that mean?

In addition to the kinds of information you might think about – name, address, email address, financial information, contact information, identification numbers, etc., personal data can in some cases be information related to your digital life, like an IP address, geolocation, browsing history, cookies, or other digital identifiers.

It also could mean information about a person, including their physical, mental, social, economic or cultural identities.

In short, if information can be traced back to, or related in some way to, an identifiable person, it is highly likely to be personal data.

What rights does the GDPR provide to individuals?

There are several rights an individual may exercise under the GDPR, including:

Please note that these rights are not absolute, and limitations/exceptions may apply in some cases.

Some responsibilities of the GDPR you should understand

Generally speaking, there are two types of parties that have a responsibility regarding the handling of data: the “controller” and the “processor.” It is important to determine whether you are acting as a controller or a processor and understand your responsibilities accordingly.

A “data controller” determines the purposes and means of the processing of personal data.

A “data processor,” on the other hand, acts only on the instructions of the controller and processes personal data on the controller’s behalf.

So, what does this mean for you?

As a reseller, you are the controller in relation to your customers’ data. Since Stayintouch acts as the registrar of record, this also makes us a data controller.

It is your responsibility to ensure that you have the necessary notices and/or consents in place in order to transfer personal data to us for use.

In addition, we are reviewing and updating, as necessary, our agreements with you and with our subcontractors (to include the necessary GDPR terms), as well as notices, policies and internal processes, features, and templates to assure our compliance and help you achieve compliance.

How does the GDPR affect your business?

Individuals, companies, or businesses that have a presence in the EU or, if no presence, offer goods or services to, or monitor the behavior of, individuals in the EU need to comply with this law. Please consult with your own legal counsel about whether GDPR applies to you and your business.

What do you need to do differently to comply with GDPR?

If the GDPR applies to you, there are various obligations you will need to comply with in order to continue doing business with your customers from the EU. Luckily, not all of these obligations are new, so you should be complying with some of them already.

The most important differences in this context are as follows:

To the extent that you have these obligations, we have tools in place to help support your compliance efforts – we’ll get into some detail about this below. These include methods for you to obtain consent on your website for all visitors and to show promotional content to your existing customers, as well as ways for you to confirm and document consent for new ones, too.

You should consult with your legal counsel on the above and your other obligations under GDPR.

What kind of Consent is required under the GDPR?

If you rely on consent as your basis for marketing to your customers, express consent is typically the safest option. You obtain and document express consent when you explicitly ask your potential customers for permission to send them emails and other marketing content, they agree, and that agreement is recorded. Stayintouch has ways for you to indicate whether you have obtained express or implied consent from a customer, outlined in more detail below.

There may be circumstances where you can rely on something similar to implied consent for sending emails or promotional content to customers even when subject to the GDPR. This is called a “soft opt-in” where –

You should consult with your legal counsel to determine whether you can rely on the soft opt-in going forward under the GDPR. If you have customers with soft opt-in consent, you can store them as implied consent, but you will need to maintain your own documentation about how you obtained that soft opt-in consent.

Your customers should also be given an easy way to withdraw their consent in order to comply with the GDPR.

How is Stayintouch complying with GDPR?

Stayintouch partners will be able to opt out of receiving emails at any time by clicking the ‘unsubscribe’ link included at the bottom of every marketing email they receive from Stayintouch. Additionally, when you visit our website, tools will be deployed to collect cookie consent, so that we can record each visitor’s choice of cookies and use only those that the visitor has allowed.

Overall, we’ve classified our plan in 3 broad categories:

1. Privacy Statement

We are reviewing and updating, as necessary, our agreements with you and with our subcontractors (to include the necessary GDPR terms). We are also updating our Privacy Policy, Terms of Service, internal processes, features, and templates to assure our compliance.  

The Stayintouch Privacy Statement will explain what information we collect about you as a Stayintouch partner and how we handle your personal data where the GDPR applies. This statement will include descriptions of how your personal data will be used by Stayintouch. Once published, we suggest that you review our Privacy Statement.

To the extent that you collect and process personal data, you are required to help your customers understand exactly what data is being collected and how it will be used. It is important that you have a Privacy Statement that contains details of your data processing activities.

Where required, we will also support you, as a Stayintouch partner, in fulfilling GDPR related data subject requests you receive from your customers.

2. WHOIS

The European data protection authorities have expressed concern over the unrestricted publication of personal data of domain name registrants in WHOIS. To ensure our WHOIS output is compliant with the GDPR, we will implement the following changes starting May 25, 2018:

For Existing Domain Names:

For New Domain Registrations, Renewals, Transfers:

Partners using the Stayintouch API must note two new attributes that will be recorded for domain names:

Partners using the API must incorporate the following changes to enable customers to manage their data protection settings:

Our engineering team is currently building these changes into the system. To enable our API partners to plan ahead, we will share the final API specification, with sample request and response patterns, as soon as it is ready. We will also confirm when the new API methods will be available on the demo environment.

Notwithstanding the foregoing, access to the personal data of domain name registrants may still be granted where such access is necessary for technical reasons, such as facilitating transfers, or to law enforcement where it is legally entitled to such access.

3. Cookie Consent

When you visit the Stayintouch website, the web server sends a cookie, i.e., a small string of text, to your web browser, which returns it on later requests. These cookies enable our website to work, or to work more efficiently, and provide information and additional services. Cookies are used for marketing or analytics purposes, or are essential for site functionality. To ensure that we capture and record the appropriate consents for the cookies deployed on our website, we will be using a globally trusted third-party compliance management tool, through which you will be able to select and manage your cookie preferences. Generally, cookies may fall into any of the following categories:
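To make the consent mechanism concrete, here is an added illustration of how a site can gate non-essential cookies on a recorded consent choice. It is example code written for this page, not Stayintouch's code and not the third-party consent tool mentioned above; the cookie names, the categories (essential, analytics, marketing) and the consent-string format are assumptions chosen for the illustration. Two properties matter in practice: consent is only ever recorded as an affirmative "yes" (absence of a choice, or an unknown cookie, is treated as refused), and withdrawing consent both updates the stored choice and expires the cookies already set in that category, so the withdrawal takes effect immediately rather than at the next visit.

```javascript
// Added example: consent-gated cookie categories.
// Not Stayintouch's code; cookie names, categories and the consent-string
// format ("analytics=1;marketing=0") are assumptions made for illustration.

// Hypothetical mapping from cookie name to category.
const COOKIE_CATEGORY = {
  session_id: "essential", // strictly necessary: no consent needed
  csrf_token: "essential",
  _ga: "analytics",
  ad_id: "marketing",
};

// Parse the visitor's stored choice. Any category not explicitly "1" is
// refused: consent must be an affirmative act, so silence is not consent,
// and the essential category can never be switched off by the string.
function parseConsent(value) {
  const consent = { essential: true, analytics: false, marketing: false };
  if (!value) return consent;
  for (const pair of value.split(";")) {
    const [category, flag] = pair.trim().split("=");
    if (category in consent && category !== "essential") {
      consent[category] = flag === "1";
    }
  }
  return consent;
}

function serializeConsent(consent) {
  return `analytics=${consent.analytics ? 1 : 0};marketing=${consent.marketing ? 1 : 0}`;
}

// A cookie is allowed only if it is known and its category is consented to.
// Unknown cookies are denied (fail closed) so a new tracker cannot slip
// through simply because nobody categorised it.
function isAllowed(cookieName, consent) {
  const category = COOKIE_CATEGORY[cookieName];
  if (!category) return false;
  return consent[category] === true;
}

// Extract the cookie name from a Set-Cookie header value.
function cookieName(setCookieHeader) {
  return setCookieHeader.split(";")[0].split("=")[0].trim();
}

// Filter outgoing Set-Cookie headers against the visitor's consent.
function filterSetCookie(headers, consent) {
  const allowed = [];
  const dropped = [];
  for (const h of headers) {
    (isAllowed(cookieName(h), consent) ? allowed : dropped).push(h);
  }
  return { allowed, dropped };
}

// Withdraw consent for one category: flip it off and emit expiring
// Set-Cookie headers for every cookie in that category.
function withdrawConsent(consent, category) {
  if (category === "essential") {
    throw new Error("essential cookies require no consent, so none can be withdrawn");
  }
  const updated = { ...consent, [category]: false };
  const expire = Object.entries(COOKIE_CATEGORY)
    .filter(([, cat]) => cat === category)
    .map(([name]) => `${name}=; Max-Age=0; Path=/`);
  return { consent: updated, expire };
}

// Constructed sample: a visitor who accepted analytics but not marketing,
// and a response that tries to set one cookie from each category plus an
// uncategorised one.
const visitorConsent = parseConsent("analytics=1;marketing=0");
const sampleHeaders = [
  "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_ga=GA1.2.3; Path=/; Max-Age=63072000",
  "ad_id=xyz; Path=/; Max-Age=31536000",
  "tracker=1; Path=/",
];
console.log(filterSetCookie(sampleHeaders, visitorConsent));
console.log(withdrawConsent(visitorConsent, "analytics"));
console.log(serializeConsent(withdrawConsent(visitorConsent, "analytics").consent));
```

In a real deployment the consent record itself (what was asked, what was chosen, and when) is what you would keep as evidence, alongside the cookie that carries the choice back to the server.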

