GDPR – .UK Comment Period

Please note that all documents are linked from the relevant sections in these pages; you can find just the redline versions here.

The EU General Data Protection Regulation (GDPR) was introduced in April 2016, and the enforcement date of 25 May 2018 is now approaching. Like many organisations, we’ve been reviewing how GDPR may affect our business practices.

The case for change

One of Nominet’s core functions is to operate the registry for the .UK ccTLD. By its very nature, this function involves collecting data, much of which relates to individuals, and processing that data for a number of defined purposes. It is clear, therefore, that GDPR will impact upon Nominet’s business practices and those of our contracted partners. With this in mind we have conducted an internal review looking at the ways in which we process personal data across all areas of our business and how these processes will need to change in light of the new regulations.
As the central registry for .UK domain names, we need to have accurate and complete details for our registrants. Although we don’t need to contact registrants very often, if a registrant has an issue with their registration or their registrar they can try to resolve it via their online account with us or over the phone with our customer services team. We might also need to contact registrants in the event of a dispute being filed with our Dispute Resolution Service over their registration and use of their domain, if we receive notice of legal proceedings or other legal complaints about a domain, or if there is a request for its suspension by UK law enforcement authorities.

Our internal review

In considering what changes to make we have been guided by some key principles:
  • The need to ensure both we, and any partners we contract with, are GDPR compliant
  • A wish to monitor, contribute to, and take guidance from broader industry discussions in order to ensure our solutions are aligned with the developing industry consensus
  • The need to make sure any changes we propose provide clarity for registrants, and are as simple as possible for our registrar partners to implement
Guided by these principles, we are now proposing some changes relating to the collection and publication of registrant data via the .UK WHOIS service, the operation of our Searchable WHOIS service, and our Privacy Services Framework for .UK domain names. Our review has also highlighted changes we need to make to our .UK Registrar Agreement (RA), the contractual relationship we have with the registrars who register .UK domain names for end-user registrants.
We are also proposing some changes to specific rules relating to the registrant data we collect for second level .UK domain registrations.

This means providing better clarity on the personal data we collect and explanations of the reasons we need this data, the purposes we will use it for, and the length of time we will keep it.