The SSL Certificate industry has recently been shaken up by the EU’s newest data privacy laws, the GDPR.
The General Data Protection Regulation (GDPR) is the biggest change to data privacy in two decades, with big implications for the SSL Certificate industry.
The GDPR was approved by the EU Parliament on April 14th 2016 but did not commence enforcement until May 25th 2018.
In the past, companies would set their own rules for data protection which were often tediously detailed over many pages which an end-user could not be reasonably expected to read each time they utilise a new website or service.
Many businesses also operated off the assumption that silence is consent – that an end-user not explicitly rejecting a website’s data policy meant that they were consenting to that business/website’s policy on data.
The GDPR seeks to mitigate this through a clear set of guidelines that set the privacy standard for all online businesses operating within the EU. This makes visiting different sites less intimidating as an end-user can know to expect, at the least, the GDPR standard for data protection when utilising any site which falls under its jurisdiction.
Note the phrasing ‘operating within the EU’ – the GDPR applies to all companies handling personal data of users residing in the European Union, regardless of the company’s location. This means companies like Facebook and eBay, which are located in the USA but have large user-bases within the EU, are subject to the GDPR the same as an EU-based company.
The two biggest affects are on the use of SSL Certificates themselves, and the process of vetting information for validation of SSL Certificates.
Firstly – any website offering a service inside the EU will need to implement a trusted SSL Certificate. This is something most websites already do and any business which expects trust and traffic should be doing.
Secondly – EU business information registered on ICANN and other WHOIS-type websites are now automatically set to private and unviewable by the public, which means businesses and website owners have to contact their web hosting service to make such information public again if they want validation emails sent to such addresses, or if they have other relevant information they need a Certificate Authority to be able to check on such records. This change mostly affects the completion of the quick, easy to obtain DV (Domain Validated) SSL Certificates which are widely employed by small and low-traffic businesses and blogs due to their cheap pricing.
The GDPR is in full effect. If your WHOIS information is currently set to data-protected and you would like it made public again for validation or other reasons, make sure to contact your web hosting service and request that they make the information public.
For more information on the GDPR, please visit the European Union’s official webpage at:
ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en
Mitchell has a Bachelor of Arts with Majors in Journalism and Foreign Relations; and a Diploma of Digital Design.