Both the European Union’s General Data Protection Regulation (GDPR), which comes into effect today (25 May), and South Africa’s own Protection of Personal Information (PoPI) Act, due to be implemented soon, are aimed at governing the way in which personal information of natural and/or juristic persons is collected, processed and stored by organisations.

In response, the ZA Central Registry (ZACR) NPC is working towards finalising its WhoIs Implementation Strategy, Draft Privacy Policy and Draft Access to Registry Data Access Policy to address issues around GDPR and POPI implementations.

According to ZACR NPC CEO, Lucky Masilela: “In a digitally connected world the misuse of personal data has the potential to cause significant harm to individuals and other legal entities. The ZACR therefore wholeheartedly supports the objectives of both the EU’s data protection regulations and South Africa’s very own POPI.

“ZACR is working towards implementing a masking functionality for all its EPP-based domain name registrations by no later than 5 June 2018 as an interim measure.”

Masilela adds that users of the WhoIs database for EPP-based domain name registrations should not be surprised to see their personal information no longer displayed for many of the data fields forming part of generally accepted WhoIs standards. Users of the WhoIs system will soon see the message “Redacted for Privacy Purposes” displayed on the WhoIs database when they search for data subjects affected by GDPR provisions.

As a Registry Operator for four .ZA Second Level Domain Names [co.za/net.za/web.za/org.za] and four gTLDs [.capetown/.durban/.joburg/.africa], ZACR NPC processes personal data from .ZA-accredited and ICANN-accredited Registrars and/or directly from end users. In the domain name space, personal data relates primarily to data identifiers such as registrant, billing, admin and tech contact names, email contacts, physical and postal addresses, and telephone and fax numbers being displayed on the Registry’s WhoIs system.

ZACR has historically received, processed and stored data to facilitate domain name registration transactions in line with ICANN (Internet Corporation for Assigned Names and Numbers) agreements and .ZA Domain Name Authority (ZADNA) regulations.

ZACR is now working towards the implementation of final data protection measures specifically relating to the presentation of personal information on the WhoIs system. ZACR encourages all end users to make use of privacy proxy services where applicable and/or to provide their service providers and the Registry directly with written consent to mitigate the risk of data breaches taking place.

“We are working with our Registrar and Reseller (RaR) partners in an effort to protect the privacy rights of domain name data subjects,” says Masilela.

He explains that, in order for ZACR to become fully GDPR-compliant, a two-phased approach would be adopted. Phase 1 will see changes made to the current WhoIs system for all EPP-based domain name registrations, whilst Phase 2 will address data protection management as a long-term responsibility within the development and review of existing and new policies, charters and technical systems.

The overriding imperative of the first phase is to mask what is considered personal information on EPP-based WhoIs entries so that it is not displayed to the public. It is important to note, however, that the Registry will still expect relevant information to be supplied by its accredited RaRs for the domain name registration process.

ZACR primarily uses personal data to process domain name registration requests submitted directly or indirectly through a .ZA-accredited or ICANN-accredited Registrar. In addition, personal data is used to investigate abusive domain name registration practices, to conduct compliance audits and verification (for example, WhoIs accuracy and completeness checks), to maintain the continued integrity and stability of the registry system, to enable ZACR to manage any account a client may have with them, to conduct data analytics to improve the quality of service, and for marketing purposes.

When it comes to data security and integrity, ZACR employs international best practice informed by the ISO Framework of Policies & Procedures. Stakeholders are assured that data access control mechanisms, data encryption and subscription to data escrow services are an integral part of ZACR’s data integrity arsenal.

Data collection, presentation and retention are informed by ZACR’s Registry Operator Agreements with ICANN and the .ZA General Policy and Charter Requirements issued by the ZA Domain Name Authority, read with other applicable data retention laws, regulations and policies.