How does the GDPR affect domain registrars & resellers in South Africa?

How does the GDPR affect domain registrars & resellers in South Africa?

The General Data Protection Regulation (GDPR), also referred to as the EU Regulation 2016/679, is an internet data privacy regulation aimed at protecting personal data of individuals in the European Economic Area. All companies that supply a service to anyone that resides in the EU, needs to be GDPR-compliant by 25 May 2018.

In essence GDPR addresses how companies are collecting, storing and protecting the data they obtain from people in the EU. It gives customers control over their data in the following ways:
• Customers need to give companies consent to obtain data, and companies are required to disclose what the information will be used for.
• Customers can request to be deleted (forever) from all records if they have no active services with a company.
• Customers need to be informed when a security breach took place.

Fines for GDPR data infringement can be as much as 20-million euros or 4% of a companies’ annual turnover; whichever of these two amounts is the highest.

How is GDPR different from the PoPI Act?
Simply put, GDPR is the PoPI Act on steroids. Although in theory it is about the same thing: protecting the personal information of individuals and sole proprietor companies, the requirements of GDPR are far more stringent than PoPI. If a company is already PoPI-compliant, they are only about 80% GDPR-compliant.

What does this mean for domain registrars & resellers?
Domain resellers with customers in the EU will need to be GDPR-compliant. This means that you need to have extra systems in place to safeguard the data (personal or company information & payment details etc.) you obtain from customers. With cyber security such a constant threat, this is something most resellers already know, have in place or are in the process of implementing. But there is another important aspect that will affect domain resellers: you will need to gain consent.

According to the GDPR, explicit consent refers to: “Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

In other words, domain registrars and resellers would be required to ask permission to obtain data from customers, PLUS explain clearly what it will be used for.

Is GDPR bad for business?
No. Sure it creates additional admin, but at the end of the day it is there to protect customers’ privacy. It is a way for companies to be aware of exactly what information they have on their customers, so that they can:
• Store only what they need safely and effectively.
• Delete whatever they don’t need permanently.

Who should be afraid of GDPR?
Any company using, capturing or selling an individual or company’s personal information or behavioural insights without their consent should fear GDPR as it is specifically aimed at putting a stop to this.

At domains.co.za, we are in the process of becoming GDPR-compliant and have sought legal advice to help us in this process. At the end of the day, there are many unknowns to this and how it will affect each individual entity. Our only advice is to seek your own legal advice as soon as possible.

The following references can assist you with obtaining more information on GDPR and GDPR-compliancy:
Guidelines for Proposed Models to Address the General Data Protection Regulation (GDPR)
Legal Analyses, Proposed Compliance Models, & Community Feedback
What is GDPR? Everything you need to know about the new EU data laws

This article is in no way, shape or form intended as legal advice, please seek your own legal advice relating GDPR.