MENU
  • Enom.com
  • Resellers

Enom Blog

February, 2018
Archive

  • GDPR Resources: The Right to Be Forgotten

    February 1, 2018

    GDPR, Industry Insight, Uncategorized

     Like

    Views: 3418

    Business woman considers the GDPR in front of parliament building in Brussels

    Our last GDPR post covered the basics of the right to erasure, as outlined in the GDPR. This week, we’re expanding on the topic by highlighting a few recently published resources that address the requirement’s potential impact on service providers and the domain industry, and explore some paths to compliance.

    GDPR Compliance Models From ICANN

    I wanted to start off on a more general, but highly significant, development in the domain world. ICANN’s “Legal Analyses, Proposed Compliance Models, & Community Feedback” page has been updated with several models for GDPR compliance. I would strongly encourage everyone interested in the topic to familiarize themselves with the contents of this page. Domain providers have been working on GDPR compliance for months, if not longer, and the ECO playbook (“CM3” on this page) is the result of collaborative efforts from many key players within the industry, including Tucows. While this work was being done, the internet community awaited— with great anticipation—the release of ICANN’s own official approach.

    After a long silence, ICANN came back with three suggested models, each of which has significant flaws. To name a few, the ICANN

    models focus mainly on Whois, rather than the whole ecosystem of data sharing that a typical domain registration ties into, and the models continue to require collection and sharing of more data elements than our assessment believes are acceptable under the principle of data minimization (which restricts data processing to those elements necessary to provide the contracted service). At present, there’s an industry conversation around what model can be accepted both by contracted parties (registrars and registries) and ICANN, but we are proceeding with our GDPR implementation work as planned, relying on our legal counsel to help find the balance between compliance with ICANN and the GDPR itself.

    Fuhgettaboutit: the GDPR “Right to Erasure”

    This article delves into the details of the right to erasure and its operational impacts on service providers. Placing an emphasis on the wide scope of the requirement, it provides a general perspective, not specific to the domain name industry, and gives the reader a good sense of how much work fulfilling just a single erasure request could entail.

    GDPR, Right of Erasure (Right to be Forgotten), and Encryption Key Management

    The GDPR requires that data be held securely which, in a digital world, usually requires encryption. But one thing I hadn’t considered was using encryption not only for security but also to fulfill right-to-erasure requests. That’s what’s proposed here: if the encryption key no longer exists, the data can never be revealed, and essentially no longer exists. Receive a request-to-be-forgotten from a customer? Erase the key that decrypts all their personal data, and the data itself is effectively erased. I will admit that I’m not an encryption and data security expert, but it seems to me that there’s a difference here—encryption can be broken, or could already be compromised, so I’m not convinced that we can equate the erasure of a key to the erasure of the data the key decrypts. I’d love to hear from people in that field as to whether this is indeed a viable approach to data erasure and, more specifically, if it would satisfy the requirements laid out in the GDPR.

    Where does this leave us?

    At this point, it seems clear that service providers across industries should be thinking about right-to-erasure requirements and the significant work it will take to reach a state of compliance. What’s still a bit unclear is the “how” of it all. Encryption key management, which we’re sure to see further discussion about, may prove be a viable method for some providers, and other approaches are sure to surface in the months leading up to May 25, 2018.

    Learn more about the GDPR:

    GDPR Updates – Understand Enom’s approach to the policy

    • GDPR-Related Contract Changes (Published on Mar. 5, 2018)
    • The GDPR’s Right to Be Forgotten (Published on Jan. 18, 2018)
    • Consent and the GDPR (Published on Dec. 21, 2017)
    • How will the GDPR impact Whois? (Published on Nov. 9, 2017)
    • The GDPR Overview (Published on Oct. 30, 2017)

    GDPR Resources – View third-party resources on a specific GDPR topic

    • Consent-related resources (Published on Jan. 4, 2018)
    • Whois-related resources (Published on Dec. 7, 2017)
    • GDPR Basics & Best Practices Resources (Published on Nov. 9, 2017)

    Read More

FEATURED POSTS

  • Colleagues review ICANN's temporary specification requirements.

    What Domain Resellers Should Know About ICANN’s Temporary Specification

    September 18, 2018

  • Enom’s Tiered Access Directory (gated Whois)

    June 19, 2018

  • What you should know about ICANN’s May 25th Legal Action

    May 29, 2018

  • A Guide to Choosing the Right SSL Certificate

    May 24, 2018

CATEGORIES

  • Advice
  • Announcement
  • Developers
  • DNS
  • Featured
  • Fun
  • GDPR
  • Industry Insight
  • New TLDs
  • News
  • Premium Domains
  • Promotion
  • Resellers
  • Roadmap
  • SSL
  • Uncategorized
  • WTB

ARCHIVES

  • November 2018
  • September 2018
  • August 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • January 2016
  • December 2015
  • November 2013
Support
Report Abuse
Help Center
Contact Us

 Resources
WHOIS Lookup
Maintenance Alerts
Developers
Products & Services
Domain Name Search
Premium Domains
Web Hosting
SSL Certificates
Website Builder
Basic Email
Bulk Tools

© 2018 Enom Blog |