The General Data Protection Regulation is an update to existing Data Privacy laws, and aims to harmonise and strengthen the Data Privacy rights of EU citizens in how their data is controlled and processed.
GDPR is due to come into force on May 25th 2018. It sets out the security and privacy controls required when handling Personally Identifiable Information (PII).
Blacknight is committed to Data Protection and is an accredited ISO27001:2013 company. This means that we have a management system in place to handle the security of the data we process. Blacknight is registered with the Irish Data Protection Authority as a data processor, ref. no. 8053/a.
Blacknight only collects and retains data about individuals or organisations with our customers' consent, for the services we offer and for billing purposes, via the online website, control panels and e-commerce site, or where it is provided directly by the end user for the purpose of contracting for the services we offer. Our customers who utilise those services may also collect and retain data (PII) for their own purposes, and should refer to the “Matrix of Responsibility” document (which is published separately) for information on their own GDPR responsibilities.
GDPR requires data processing to be lawful, fair and transparent.
Blacknight collects personal information solely for the purpose of providing the services we offer and for billing and accounting purposes. At each point of collection, we will endeavour to provide full transparency as to the purpose, retention, transfer and use of such data. For example, in order to process and validate domain registrations there may be a requirement to collect additional personal information such as utility bills, passport, driver's licence, CRO details etc. This is a requirement of the registry in question, and that data is then forwarded to the registry by Blacknight as part of the application process.
We also collect information for fraud prevention, to validate account details, for our ticketing support system and live-chat portal, service notifications and (if you have subscribed to it) for occasional offers and promotions.
GDPR requires that data is processed only for limited, specified purposes.
We do not share your personal information with third parties unless you have consented to it as required for the purpose of registering for any products we re-sell (such as SSL certs, Microsoft Office365, site-builder or analytics products, and domain registrations). In those instances we currently have contractual agreements in place that ensure the third party upholds its GDPR obligations with regard to data security and privacy.
GDPR requires us to minimise the data we keep unless it’s required for the provision of a service or for existing legal requirements (such as Revenue purposes), so we keep your data only for as long as it’s needed for the original purpose we collected it. If it’s not needed we get rid of it! Blacknight has a published Data retention policy for all of our staff, outlining data retention criteria for the different categories of data we store.
Where feasible, Blacknight will make every possible effort to ensure the data we hold relating to a data subject is kept up to date and accurate. We may do this by periodically contacting the data subject via email with requests that the data be verified by the data subject. It is your responsibility to update your data within the control panel. Blacknight reserves the right to suspend any services which were purchased under fraudulent pretences and to forward any relevant data to An Garda Síochána.
The core tenets of ISO27001 are confidentiality, integrity and availability, which are also key components of GDPR. Blacknight observes these core values and we are regularly tested on them, both externally and through internal audits. Blacknight’s management regularly review and assess our exposure to data security risk and its mitigation, and we operate a continuous improvement process with regard to protecting ourselves and our customers.
We get this one a lot! Blacknight already implements appropriate technical and organisational measures as part of our ISO27001 framework, and adheres to strict governance and/or code-of-conduct guidelines from bodies such as ICANN, NCSC, PCI, ISPAI, the Irish Data Protection Authority etc.