The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Like many organisations, we are proposing changes to comply with the new GDPR legislation across all areas of the business.
At Nominet, we need to record who .UK domain names are held by in our registry database. Traditionally, our WHOIS has allowed anyone to check “who is” the registrant.
We have opened a comment period from today until 4 April on our .UK proposals to comply with GDPR legislation.
In summary, Nominet proposals are as follows:
- From 25 May 2018, the .UK WHOIS will no longer display the registrant’s name or address, unless they have given permission to do so – all other data shown in the current .UK WHOIS will remain the same.
- For registrants who wish for their data to be published in the WHOIS, we will provide appropriate mechanisms to allow them to give their explicit consent.
- We will continue to work in the same way as now with UK law enforcement agencies seeking further information on specific domain names via our existing data release policy and via an enhanced version of our Searchable WHOIS service, available free of charge. Those users will have automatic access to the names and addresses we hold.
- Any third party seeking disclosure for legitimate interests can continue to request this information via our Data Release policy, free of charge.
- The standard Searchable WHOIS will continue to be available, but will no longer include name and contact details to ensure GDPR compliance. Those outside law enforcement requiring further data to enforce their rights will be able to request this through our existing Data Release policy.
- The proposed new .UK Registry-Registrar Agreement (RRA) includes a new Data Processing Annex. This sets out terms for how we would work with our registrars when processing registrants’ personal data during the registering, renewing, transferring or managing of .UK domain names to ensure GDPR compliance.
- The Privacy Services Framework will be replaced with recognition of a Proxy Service, within a new .UK RRA to allow registrars to offer proxy services to registrants who do not wish to have their details passed to Nominet.
- Additionally, we propose changing the rules for the data we collect for domain names that end in second-level .uk domain registrations, such as example.uk. We will no longer require a UK ‘address for service’ bringing this into line with third-level .UK domains such as example.co.uk, example.org.uk and so on.
Further details including links to all redline copies of the relevant documentation are available here. You can find just the redline versions here.
A webinar for Nominet members to hear more about our proposals will take place on Monday, 19 March at 1:30pm GMT.
These changes cover the .UK namespace. Pending outcome of ICANN discussions, and feedback from this comment period, Nominet will set out our proposed approach for GDPR compliance for .cymru and .wales domains.