Here's how GDPR affects every domain registrar and reseller in South Africa
On Friday 25 May 2018 the General Data Protection Regulation (GDPR) comes into effect. This far-reaching data-privacy regulation was developed to protect the personal data of people in the EU, and it sets out a series of stringent requirements companies need to meet in order to be considered GDPR-compliant.
If companies fail to comply, fines of up to 20 million euros or 4% of their annual turnover (whichever racks up the higher bill) can be imposed.
GDPR has been a buzz-term in the EU and America since it was announced three years ago. More recently, it has become a bit of a buzz-kill in SA as many companies come to the realisation that it does affect the way they do business after all.
If you have customers living in the EU, your services fall under GDPR and you therefore need to be GDPR-compliant. This applies to every domain registrar and reseller in South Africa that sells domains to people in the EU, too.
That's messed up, right? Well, here's the good news. If you've been aligning your business with the principles of the POPI Act, which is essentially a lighter version of GDPR, you are about 80% of the way there already. The POPI Act is about implementing strategies to protect customer data; GDPR takes this to the next level.
At its core, GDPR requires a company to be transparent about how it collects, stores and protects the identifiable data it obtains from customers living in the EU.
These customers need to give explicit consent for every piece of identifiable data you hold about them. They need to know exactly why you have it and how you intend to use it. If customers have no active services with you, they have the right to request that their data be permanently deleted from all your software, backups, etc. And should a data breach occur, these customers must be informed promptly and told how it affects their data.
There are a number of uncertainties about this regulation and how it will affect each domain registrar and reseller differently; only as time goes by will we have the clarity we are after. The best immediate course of action is to obtain GDPR legal advice and start the process of becoming compliant, as we have been doing at domains.co.za.
However, if we could highlight three important aspects to action in the interim, it would be to:
1. Implement additional security measures to protect all customers' data as well as possible.
2. Know what data you have on your customers, know how it is stored and who has access to what.
3. Start brainstorming how your company will obtain explicit consent from your customers for the data you need in order to fulfil your contractual duties.