GDPR Compliance for your Business

Important: This article does not constitute legal advice. If you intend to rely upon or use this information in any form, you are solely responsible for verifying the information and obtaining independent expert advice if required.

Ensuring GDPR compliance for your business? This guide simplifies the key points to protect EU customer data.

What is GDPR?

GDPR is a regulation that went into effect on May 25, 2018. It governs the data privacy of EU residents by:

  • Harmonizing data protection across EU member states
  • Requiring clear and conspicuous Consent
  • Providing Data Subjects with more powerful rights to their data and imposing tighter limits on the use of personal data
  • Placing more responsibility on companies Processing those individuals' personal data

The GDPR aims to protect all residents of the EU. It applies to nearly all EU organizations, and to non-EU organizations if they:

  • Offer goods or services to EU residents and/or
  • Monitor the behavior of EU residents

Having privacy-related issues? 

Email [email protected]

What do I need to do to comply with GDPR?

Please visit the GDPR website to read the full text of the regulation. We recommend you review the regulation and any responsibilities you may have, which will differ depending on your business or organization's activities and practices. As Newfold Digital progresses with its compliance efforts, we may contact you with more information relevant to our relationship with you.

What is Newfold Digital doing to achieve compliance?

  • We are taking a global approach to compliance and driving a centralized data privacy program with privacy by design at its core. 
  • We have established an internal GDPR task force comprising key members from all major departments throughout the company.
  • We are engaging in top-of-the-line privacy management software and consulting with international firms and privacy experts. 
  • Additionally, Newfold Digital is already one of only approximately 2,600 companies to be Privacy Shield certified.
  • We continuously educate, support, and guide our stakeholders with training, FAQs, and online resources.

Data Retention

Please check out our full Privacy Notice for more details. Following our data retention policy, personal data will be systematically deleted when it is no longer needed for processing, accounting, or other legal reasons. 

What about managing my personal data?

Businesses

Newfold Digital has created a DSAR (Data Subject Access Request) portal that its EU customers can utilize to submit DSAR requests. This portal is reserved for Newfold Digital EU customers only. 

 

Resellers, Affiliates, and Private Label Partners

Newfold Digital has created a DSAR portal that can be utilized by resellers, affiliates, and private label partners to submit DSAR requests on behalf of their EU customers. This portal is reserved for partner use only. We will only process requests submitted by a partner on behalf of their EU customers. Direct customer requests will not be processed through this portal.

Please note that under GDPR, Resellers, Affiliates, and Private Label partners serve as the Data Controllers. As such, they are responsible for implementing their customer-facing solutions and policies to comply with GDPR.

As per the GDPR, a DSAR will typically be handled within thirty (30) days but, under extenuating circumstances, may be processed within sixty (60) days.

Data subjects have rights to request the erasure of personal data under specific conditions. However, a number of our services, including but not limited to domain registration services, will be assessed to determine if we still need to retain the data for processing purposes.  For example, we cannot remove data we retain for an active domain name holder because the data is still relevant for registration purposes. In addition, as an accredited ICANN registrar, we are contractually obligated to keep certain data regarding registered name holders for the life of the domain name plus two (2) years.

Is Newfold Digital the controller or processor of data?

That depends on the service that Newfold Digital offers to its customers. Please click here to see Article 4 of the GDPR, which defines the different roles and responsibilities of both Data Controllers and Data Processors. 

Newfold Digital has established a GDPR task force as part of our compliance efforts. If you are a business that resells Newfold Digital services, it may be beneficial to establish your own internal team to review and ensure compliance with the GDPR obligations. 

What about WHOIS for EU residents?

Masking

To comply with GDPR and protect personally identifiable information (PII), Newfold Digital will mask certain fields in the WHOIS output for EU residents. A sample of this output is detailed below:

WHOIS Output

 Domain Name: sampledomain.com
 Registry Domain ID: 142700135_DOMAIN_COM-VRSN
 Registrar WHOIS Server: whois.register.com
 Registrar URL: http://www.register.com
 Updated Date: 2017-12-04T08:00:03Z
 Creation Date: 2005-02-16T23:28:11Z
 Registrar Registration Expiration Date: 2019-02-16T23:28:11Z
 Registrar: Register.com, Inc.
 Registrar IANA ID: 9
 Reseller:
 Domain Status: clientTransferProhibited http://icann.org/epp#clientTransferProhibited
 Registry Registrant ID: Statutory Masking Enabled
 Registrant Name: Statutory Masking Enabled
 Registrant Organization: Statutory Masking Enabled
 Registrant Street: Statutory Masking Enabled
 Registrant City: Statutory Masking Enabled
 Registrant State/Province:
 Registrant Postal Code: Statutory Masking Enabled
 Registrant Country: BE
 Registrant Phone: Statutory Masking Enabled
 Registrant Phone Ext.: Statutory Masking Enabled
 Registrant Fax: Statutory Masking Enabled
 Registrant Fax Ext.: Statutory Masking Enabled
 Registrant Email: [email protected]
 Registry Admin ID:
 Admin Name: Statutory Masking Enabled
 Admin Organization: Statutory Masking Enabled
 Admin Street: Statutory Masking Enabled
 Admin City: Statutory Masking Enabled
 Admin State/Province: Statutory Masking Enabled
 Admin Postal Code: Statutory Masking Enabled
 Admin Country: Statutory Masking Enabled
 Admin Phone: Statutory Masking Enabled
 Admin Phone Ext.: Statutory Masking Enabled
 Admin Fax: Statutory Masking Enabled
 Admin Fax Ext.: Statutory Masking Enabled
 Admin Email: Statutory Masking Enabled
 Registry Tech ID:
 Tech Name: Statutory Masking Enabled
 Tech Organization: Statutory Masking Enabled
 Tech Street: Statutory Masking Enabled
 Tech City: Statutory Masking Enabled
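
A reseller acting as Data Controller can check that the masking shown above is actually applied to a record. The following is an added example, not Newfold Digital's code: it parses WHOIS text in the format of the sample and classifies each contact field as masked, empty, or exposed. The sample input is constructed (one field is deliberately left unmasked), and treating Registrant Country as an allowed unmasked field is an assumption based on the sample showing "BE".

```python
import re

MASK = "Statutory Masking Enabled"  # mask string shown in the page's sample
CONTACT = re.compile(r"\b(Registrant|Admin|Tech)\b")  # contact-related keys

# Constructed sample in the format of the page's WHOIS output; the
# Admin Phone value is made up and left unmasked on purpose.
SAMPLE = """\
 Domain Name: sampledomain.com
 Registrar: Register.com, Inc.
 Registry Registrant ID: Statutory Masking Enabled
 Registrant Name: Statutory Masking Enabled
 Registrant State/Province:
 Registrant Country: BE
 Admin Name: Statutory Masking Enabled
 Admin Phone: +32.000000000
 Tech Name: Statutory Masking Enabled
"""

def parse_whois(text):
    """Return (key, value) pairs for each 'Key: value' line; value may be empty."""
    pairs = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key:
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit_masking(text, allow=("Registrant Country",)):
    """Classify contact fields; 'allow' lists keys accepted unmasked (assumption)."""
    report = {"masked": [], "empty": [], "exposed": []}
    for key, value in parse_whois(text):
        if not CONTACT.search(key) or key in allow:
            continue  # skip domain/registrar metadata and allowed fields
        if value == MASK:
            report["masked"].append(key)
        elif not value:
            report["empty"].append(key)
        else:
            report["exposed"].append(key)  # contact data visible in WHOIS
    return report

if __name__ == "__main__":
    for status, keys in audit_masking(SAMPLE).items():
        print(f"{status}: {keys}")
```
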

Tiered Access

At this time, Newfold Digital does not plan to implement tiered access for its WHOIS database. However, ICANN and its Stakeholders are actively working toward a uniform solution that will help meet the needs of the broader global community.

How will domain transfers work in a post-GDPR environment?

Newfold Digital will comply with its obligations under the ICANN 2013 RAA (Registrar Accreditation Agreement) concerning intra-registrar transfers and the Temporary Specification for gTLD Registration Data, which can be found on this page.

Common Terms Associated with GDPR

Term Definition

Personal Data 

Personal data is information relating to an identified or identifiable natural person or Data Subject. An identifiable natural person can be directly or indirectly identified by reference to an identifier, such as a name, location data, an identification number, an online identifier, or to one or multiple factors specific to the mental, physical, physiological, genetic, cultural, economic, or social identity of that natural person.


Moreover, it can include but is not limited to name, email address, posts on social networking websites, medical information, and computer IP address.

Data Processor 

A Data Processor is an agency, public authority, or legal or natural person that processes personal data on behalf of the Data Controller.

Consent 

Consent of the Data Subject is any unambiguous, informed, and specific indication of the subject's wishes, freely given through a statement or explicit affirmative action that signifies an agreement to the processing of their personal data.

Processing 

Processing means any operation or set of operations performed on personal data or on sets of personal data, automated or not, through collection, organization, recording, storage, structuring, alteration or adaptation, consultation, use, retrieval, disclosure by transmission, dissemination (or otherwise making available), combination or alignment, restriction, destruction or erasure.

Data Controller 

Data Controller means an agency or other body, public authority, or legal or natural person that, jointly with others or alone, determines the means and purposes of processing personal data.

Data Subject 

A Data Subject is an identifiable or identified natural person.

Review

The General Data Protection Regulation (GDPR) is a regulation in place to protect the privacy of EU residents. Businesses of all sizes that deal with EU customer data need to be aware of their obligations under GDPR. This article has provided a high-level overview of GDPR compliance for your business. We've covered key GDPR concepts, what businesses need to do to comply, and the rights of EU data subjects. For more information and a full understanding of your specific obligations, it's important to consult with a legal professional or data privacy expert. Remember, this article is not a substitute for legal advice.
