Will the GDPR Prevent Publication of Domain Registration Data?
Posted on 18/04/2018
The GDPR legislation due to come into effect on the 25th May 2018 is finally starting to be given the attention it deserves in the press. One aspect that has been reported on by the Guardian newspaper amongst others is the effect that GDPR may have on the Whois directory of domain registration. We thought we’d examine how this system works, how it might have to change and the angle the media have taken.
Currently, when a person registers a domain – a top level website address such as priviness.eu – their personal data can be made available by the publicly accessible Whois directory. At a minimum, this data will include the owner’s name and postal address and may include other information such as a contact telephone number. Unless precautions are taken to hide your identity, the data can be accessed simply by entering the domain into the Search Bar of the Whois directory.
Protection from Scammers?
One purpose this system has been used for is to look up how long a website has existed and the name of the owner to establish if they are who they say they are. You wouldn’t want to transfer money to buy an item from a website that has only existed for 2 weeks and is registered under the name of Mickey Mouse. A Whois search can be an important step in establishing that a website is legitimate.
A Legal Basis
Under the GDPR legislation, any organisation that is processing data must have a legal basis for doing so. Moreover, the data owner must be informed of why the data has been taken, how it will be used and who it will be shared with. Domain registrars have no legal reason to be sharing personal data via the publicly available Whois directory – however useful having access to that data might have proved.
Protection for Scammers?
The Guardian article (linked in the introductory paragraph of this blogpost) has framed this situation as GDPR providing protection for scammers. But this is a disingenuous angle to take. Historically, Whois has provided a link between online activity and personal identity. From 25th May, the publicly accessible areas of the directory will no longer contain personal data, but this will continue to be collected and will be made available to people with legitimate interests (trademark lawyers or investigative officials are the examples given). A blog detailing the changes was posted on OpenSRS.com last November.
The Whois story is a good example of an organisation that has been aware of the GDPR for some time, has thought about the implications and is changing its behaviour in order to achieve compliance. As we mentioned in a recent blogpost – fewer than 50% of companies have even heard of GDPR. And the deadline for compliance is perilously close.
If you would like to arrange a GDPR training session for members of your organisation, please get in touch by calling 0203 2878 243 or emailing email@example.com.
Back To all catagories