SIDN and the GDPR
On 25 May, the General Data Protection Regulation (GDPR) comes into force in the Netherlands. The new law has implications for all organisations that handle personal data. Including SIDN. We have therefore been preparing carefully. This article describes the main changes we're making.
Data Protection Officer
Under the GDPR, some organisations must have a member of staff with specific responsibility for data protection. That's the case with government bodies and organisations involved in mass surveillance or the bulk processing of special personal data, such as for criminal prosecutions. Although the requirement doesn't apply to us, we've decided to appoint a Data Protection Officer and comply with the associated legal requirements. Our company lawyer Karin Vink will take on the role. "SIDN takes personal data protection very seriously," says Karin. "We believe that, as the national registry, we should satisfy the very highest standards. We've already established a privacy board, for example. I'm a member of that body as well." The Data Protection Officer's job is to ensure that the organisation conforms to the GDPR. "At the moment, my main focus is advising colleagues," Karin continues. "I'm making sure that everyone at SIDN knows what they need to do to keep us on the right side of the law. I'm also compiling a personal data processing register."
Registration of personal data processing activities
One of the GDPR's key requirements is that a register of personal data processing activities has to be kept. For each activity, the organisation has to record what personal data is processed, the purpose of the processing, the nature of the processing and how the data is protected. "It may sound like an administrative chore, but it's actually very useful," Karin explains. "Keeping a register obliges you to think about how you handle personal data. It means that nothing gets overlooked. Of course, we already have a pretty good idea of the processing that we do, but the register ensures that the picture is complete. So we can be really confident that we're doing everything by the book and handling personal data responsibly."
The right to know
Under the GDPR, everyone has the right to ask a data processing organisation what personal data about them the organisation has. "That right already existed under the old law," Karin points out. "But in the last ten years no more than two people have asked us for their personal data. Another right people now have is to get erroneous data corrected. We've no idea whether we're going to get any correction requests, but we want to be ready just in case. Our Support Department is therefore developing procedures for handling requests."
Changes to the Registrar Whois
Sharing personal data with other organisations is going to be strictly controlled once the GDPR takes effect. That's going to impact the Registrar Whois, the application that our registrars can use to look up the details of domain name registrants. At the moment, registrars have access to a great deal of data. A registrar can look up as much information as they like about domain names that they manage, but has limited access to registration data on other .nl domain names. "There is no real need for a registrar to access substantial amounts of that data," Karin says. "And necessity is a key criterion under the GDPR. The change shouldn't make much practical difference to registrars, because there's no reason for a registrar to look up large volumes of that type of data."
Information for registrars
With 5.8 million domain names to look after, SIDN manages a huge amount of data. However, not so much of it is personal data. "The data we hold doesn't include anything 'juicy'," Karin emphasises. "We just have names, e-mail addresses, phone numbers and postal addresses. Our position is very different from, say, a health care provider who has patients' medical records." Our registrars actually process more personal data than we do. The GDPR is therefore going to affect them more than us. So we're making support available to help them ensure that any personal data processing they do in connection with domain name registration is legal.
At our annual SIDN Connect event, there was a session devoted to the basics of the GDPR. And, on 5 April, we're hosting a webinar for registrars to explore the topic in more depth. An expert in the field will be passing on valuable practical advice. We'll also be posting information on the registrars' area of our website.
Register for the webinar now
The Dutch-language webinar is 3:30pm to 5pm (local time) on Thursday 5 April. To register, visit the OnlineSeminar website. Please note that the webinar itself will be in Dutch, but an English language synopsis will be available afterwards. Interested? Just drop a line to firstname.lastname@example.org.