nic.at News - 24.05.2019 08:28
Happy Birthday, GDPR!
The General Data Protection Regulation is celebrating its one-year anniversary: On May 25 last year the European Union implemented the most extensive and attention-grabbing measure in the field of data protection law in Europe. What impact did the GDPR have on us as the Austrian registry, which measures have been implemented, and how does our position compare internationally? Time to assess the situation with our legal department’s lawyers Barbara Schloßbauer and Bernhard Erler.
GDPR – one year later. What’s your conclusion?
Barbara: For us the stage before implementation was particularly intense and exciting, as there were so many unknown factors: Nobody knew what the reactions would be like – for example, whether there would be many customers sending enquiries about their stored data. Of course, we had adopted many measures in advance, in order to be prepared appropriately, but in the end nobody could anticipate what would actually happen after the implementation of GDPR.
What are the specific measures that have been implemented here?
Barbara: In addition to the general measures, such as the appropriate privacy policies on the website, our Whois has been particularly affected. Since May 2018, the data shown for domains owned by natural persons only includes the domain name, the registrar responsible, and necessary technical information. In addition to this, an information request form has been developed, enabling eligible people to find out who the domain holder is. The main variable was the consumers’ reaction to that, as we didn’t know how many Whois requests had been sent in the past concerning natural persons. In the end, it has all been much more easygoing than expected – the extent of requests is definitely manageable.
Bernhard: An important aspect that has also been implemented is the documentation of all data processing. Of course, this was required by law, but we were also able to make use of this process regarding the comprehensive documentation and analysis of our internal processes. We also verified whether all data processes were still legal.
Apparently, the efforts have been enormous. Are there things that made the whole process easier?
Barbara: The fact that we were already ISO 27.001/2013 certified was very helpful, as this certificate is based on the same systems. Of course we have always faced up to information security, screening the internal processes regarding data processing. As a result, the initial position was already quite good.
Bernhard: Another benefit for us was that, within the company, the GDPR topic had been a priority for all departments. In the end, there was no department which wasn’t involved in the whole process – even though the daily business had to proceed without any interruptions, the collaboration was excellent.
The whole GDPR topic sounds very complex and sophisticated. What are the positive effects of GDPR?
Bernhard: For me, the most notable thing was that the topic of data protection became the focus of attention within nic.at. GDPR has managed to greatly raise awareness in relation to the importance of taking care of data – of course, we’ve always been aware of that, but still the sensitization has increased in all departments of our company. In my opinion, this is also the main positive effect of GDPR: the establishment of awareness of the interaction with data – data protection is now definitely an issue of public interest.
How does it look internationally? Did you liaise regularly with other registries on GDPR topics?
Barbara: What I found very interesting is that the implementation in the different partner registries of the EU countries has been completely diverse – even though the legal framework was the same everywhere.
Bernhard: This is mainly because there are some registries that are regulated by government prescribing that, for example, they have to offer an “entire Whois” – which means that natural persons also have to appear there. Therefore, there are countries that didn’t have to implement any GDPR measures regarding domain holder queries, while others haven’t enabled any queries since then. Of course, there have been intense discussions about that – and we soon came to the conclusion that there can’t be a unique solution for all countries.
Barbara: In retrospect, looking at the past year, I think that we’ve implemented a very applicable and pragmatic solution. So far, we’ve had very positive experiences.