The European Union’s General Data Protection Regulation (GDPR) lays out a new set of rules for how the personal data of people living within the European Union should be handled. That being said, it embodies some really great principles and concepts that we believe in here at Tucows, and we want to pass these protections and rights on to all registrants, regardless of where they happen to live.
Though it can be fairly complex and far-reaching, at a high level, the GDPR can be broken down into three main concepts:
- Consent and control
- Transparency
- The right to be forgotten
Consent and control
This can be brought down to the very simple idea that your personal information belongs to you and only you can decide where it gets used. In order to work with any of your data, we have to let you know what we need your information for and have a legal reason to use it. We have an obligation to only collect the minimum amount of information that we need to get the job done, and we can’t use the information we’ve already gathered for something else without asking you if that’s ok.
Transparency
Transparency means that in the event of a security breach where your personal data may have been exposed, we have to let you know as soon as possible that it’s happened and tell you what happened, what we’re doing to fix it and what you should do to protect yourself. This type of information empowers each person to respond in the way they think is best in each circumstance in order to protect their own privacy. The security of your personal data is our priority, and this is a part of the GDPR that we hope will never come into play.
The right to be forgotten
This is one of the most powerful tools that the GDPR gives people – a means to a fresh start. It gives you the ability to revoke your consent for a service provider to store and process your personal information. When a person invokes this right, Tucows will have to essentially erase all record of the individual from our system. This requirement is not without consequences or limitations: some services can’t be provided without personal information, and sometimes personal information has to be kept for reasons of public interest or relating to legal claims. This right to erasure applies only to data that’s used because we have consent, and does not apply to data that’s used because it’s required as part of fulfilling a contract. Data processed as part of fulfilling our service contract will be kept for the lifetime of the service, plus up to 7 years after the service’s termination.