Changes caused by new European privacy law
17 May 2018
On May 25th, 2018 the new European privacy law, the General Data Protection Regulation (GDPR), takes effect. What exactly will change for you as a customer, and in terms of SSL?
Why this new law?
A lot has been written about it: the GDPR replaces the separate national data protection laws of all European member states, which were based on the European privacy regulation from 1995. From May 25th, 2018 the new privacy law applies in all EU countries. Anyone who collects and processes personal data through a website, CRM or internal database is required to comply with this new law. The GDPR aims to improve and expand privacy rights by giving organisations more responsibility for the privacy of their customers. From this date, all European privacy supervisors will have the same powers, for example the possibility to impose fines of up to 20 million if the privacy law is violated.
Changes in validation process
Before certificate issuance we check whether the applicant controls the domain the request is made for. The most commonly used method for this is email validation: a DCV (Domain Control Validation) email is sent to the specified email address and must be confirmed by clicking on a link in the mail.
The email addresses allowed for domain validation are admin-, administrator-, hostmaster-, postmaster- and firstname.lastname@example.org. The email addresses registered for the domain in the Whois can also be used, i.e. those of the technical or administrative contact person. To comply with the GDPR, some registrars no longer show those email addresses, because they are classified as personal data. In these cases, we can't check the email addresses. To avoid possible delays in certificate issuance, we advise you to use one of the 5 standard email addresses. For Comodo certificates you might use CNAME or file validation as an alternative.
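As an added illustration (not the page's or the CA's own code), the following Python builds the set of addresses a DCV mail may be sent to for a domain, and shows how a GDPR-redacted Whois record shrinks that set to the constructed role addresses only. The Whois field names, redaction markers and sample records are constructed assumptions; the fifth role address, webmaster@, is not preserved in the page text and is taken from the CA/Browser Forum Baseline Requirements.

```python
"""Which addresses may receive a Domain Control Validation (DCV) mail, and
how GDPR redaction of Whois contact data affects the choice."""
import re

# Constructed role addresses permitted for DCV. The page names admin,
# administrator, hostmaster and postmaster; webmaster is the fifth address
# listed in the CA/Browser Forum Baseline Requirements.
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "hostmaster", "postmaster", "webmaster")

# Assumed placeholder text that registrars put in redacted Whois fields.
REDACTION_MARKERS = ("redacted", "privacy", "not disclosed")

# Minimal syntactic check: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample Whois records (assumed field names, not real lookups).
REDACTED_WHOIS = {
    "Admin Email": "REDACTED FOR PRIVACY",
    "Tech Email": "Please query the RDDS service of the Registrar of Record",
}
FULL_WHOIS = {"Admin Email": "Jane.Doe@example.com", "Tech Email": "noc@example.com"}


def whois_contact_addresses(whois_fields):
    """Return the usable admin/tech contact addresses from a parsed Whois
    record, dropping anything redacted or not syntactically an address."""
    usable = set()
    for field in ("Admin Email", "Tech Email"):
        value = (whois_fields.get(field) or "").strip()
        if not value or not EMAIL_RE.match(value):
            continue  # redaction placeholders are free text, not addresses
        if any(marker in value.lower() for marker in REDACTION_MARKERS):
            continue  # privacy-proxy relays are not the registered contacts
        usable.add(value.lower())
    return usable


def acceptable_dcv_addresses(domain, whois_fields):
    """Role addresses at the exact requested domain plus usable Whois contacts."""
    domain = domain.lower().rstrip(".")
    addresses = {f"{local}@{domain}" for local in CONSTRUCTED_LOCAL_PARTS}
    return addresses | whois_contact_addresses(whois_fields)


def is_acceptable_dcv_address(candidate, domain, whois_fields):
    """True if the applicant's chosen address may receive the DCV mail."""
    return candidate.strip().lower() in acceptable_dcv_addresses(domain, whois_fields)


if __name__ == "__main__":
    print(sorted(acceptable_dcv_addresses("example.com", REDACTED_WHOIS)))
    print(sorted(acceptable_dcv_addresses("example.com", FULL_WHOIS)))
```

With the redacted record only the five role addresses remain, which is why the page recommends them to avoid issuance delays.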
What else will change for you as a customer?
What will change specifically for our resellers?
Do you (also) buy products from us for your customers? Because we store and process certain data about your customers, we are required to enter into a so-called Processor’s Agreement with all our resellers. This Processor’s Agreement clearly specifies our legal obligations in this area. You can easily sign the agreement digitally in the Control Panel. Note: if you buy products from us for other parties with a default (non-reseller) account, you are legally speaking a reseller.
What is the impact on our products?
Handling customer data safely has of course always been important, but from now on the insecure handling of customer data can be punished more severely. As is often the case with legislation, the use of an SSL certificate isn’t specifically named. But you are responsible for taking sufficient measures to prevent abuse of customer data, and the only widely applicable solution to secure the traffic sent to and from websites is https://. That’s why the Dutch ‘Autoriteit Persoonsgegevens’ states: “If you collect personal data on your website, you should at least use https. This way you prevent unauthorized parties from reading the traffic to your website.” So all entry fields or forms should only be reachable through https://. Next to this, it’s also important to keep your website free from malware and other malicious code. This prevents data from being stolen or malware from being spread. A way to lower this risk is to check your website periodically with a vulnerability scan or penetration test.
Please contact us if you have any questions!