The Impact of GDPR on WHOIS: Implications for Businesses Facing Cybercrime
Europe’s General Data Protection Regulation (GDPR) took effect on 25th May, 2018, following a two-year grace period. GDPR’s ambitious goal is to put people in control of their personal data at a time when misuse of private data has become a serious threat.
Unlike previous data privacy regulations, GDPR has teeth. It carries stiff penalties including fines of up to €20m or 4 per cent of global revenues of the prior year. This has prompted a flurry of activity as organisations worldwide seek to comply to avoid serious repercussions.
Yet GDPR is depriving security professionals of a key tool in their fight against cybercrime: access to the personally identifiable data (PID) of people who register Internet domains through WHOIS, the directory service maintained by the Internet Corporation for Assigned Names and Numbers (ICANN), the organisation that manages the global domain system. This data is vital for fighting a variety of Internet-based crimes. Even though the enforcement deadline has passed, ICANN and European authorities are still engaged in high-stakes negotiations over who may legally access it in the future, and how. Corporate security officials should take note of the issue, as it could accelerate the already rapidly escalating problem of cybercrime.