No issue with doing a proper information audit (what there is, where it is stored, how it can be accessed and by whom). That is just good information security practice.
However I am still not certain that holding any of that information actually makes AfriNIC a controller in terms of the GDPR. > On 11 Apr 2018, at 15:47, Andrew Alston <andrew.als...@liquidtelecom.com> > wrote: > > Mike, > > Also just to clarify – I believe this goes beyond whois data – there is far > more data that AfriNIC holds than just the whois data that could be affected > by this. I concede the whois portion I may well be wrong on that – the rest > of it – as I said – I simply want to see from AfriNIC a report on that they > are doing and where they aren’t in compliance to present that to this > community – mindful of the time frames involved – the situation the current > board finds facing – and the dictates of section 3.4.iiv of the bylaws > > Andrew > > > From: Mike Silber <silber.m...@gmail.com> > Date: Wednesday, 11 April 2018 at 16:34 > To: "Abibu R. Ntahigiye" <ab...@tznic.or.tz> > Cc: Andrew Alston <andrew.als...@liquidtelecom.com>, General Discussions of > AFRINIC <firstname.lastname@example.org>, AfriNIC Discuss > <members-disc...@afrinic.net> > Subject: Re: [Community-Discuss] AFRINIC and the GDPR > > If I can add to this, there is as yet no clear direction from the European > DPAs as a collective on how GDPR affects whois access in general. > > The RIPE NCC approach is premised on their interactions with the Dutch DPA, > rather than a Europe wide approach. > > In addition, I am not sure I concur with Mr Alston’s insistence that “holding > data of EU citizens” automatically places AfriNIC into the category of data > controller in terms of GDPR or imposes any requirements on AfriNIC, > particularly as the GDPR applies to processing of personal data in the > context of the activities of an establishment of a controller or a processor > in the Union. > > The extraterritorial application is premised on a nexus requirement set out > in general terms in Recital 23, but requiring specific determination in terms > of national law by Member States. > > Mike > > > >> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye <ab...@tznic.or.tz >> <mailto:ab...@tznic.or.tz>> wrote: >> >> Dear Andrew, Members and the whole Afrinic community, >> Andrew has raised a very important issue for Afrinic operations - Thanks so >> much Andrew. >> The Board would like to inform you that the issue was discussed within the >> Board at the Afrinic 27 meeting in Lagos and the Management was tasked to >> work on the issue. >> The Board has also been made aware that the Mauritius Data Protection Act >> 2017 is already in effect and is aligned with the EU GDPR regulations. The >> Board believes that these regulations are not a barrier to publication of >> the WHOIS data, and it has noted the RIPE NCC study that made such a >> finding. The Board further believes that the biggest changes required by >> AFRINIC are in documenting how personal data is used, and in informing >> people at the time data is collected. >> The AFRINIC management will provide further updates on the issues at AIS >> 2018 in Senegal. >> Further to the above, the Board expects to receive more insights on GDPR >> related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in >> Senegal. >> >> Kind regards >> >> >> On 11/04/2018 08:42, Andrew Alston wrote: >>> Hi AfriNIC Board, >>> >>> Can this board please *urgently* inform this community as to what >>> preparations they have made as regards to compliance with the General Data >>> Protection Regulations passed by the European Commision and the board will >>> be in a position to give this community a full and complete report as to >>> their GDPR compliance status and what will be changing before the 25th of >>> May to ensure that when the GDPR comes into force AfriNIC is compliant. >>> >>> Considering that the regulation comes into force on the 25th of May 2018 – >>> and AfriNIC is 100% holding data of EU Citizens, which makes them subject >>> to the regulations irrespective of the fact that they are domiciled in >>> Mauritius – this is an urgent and critical issue. It has direct impact on >>> the whois database, abuse contact information, handling of data submitted >>> during application process and potentially even the proposed review policy, >>> just to name a few things that I can think of off the top of my head – and >>> cannot be ignored. I would in fact have liked to have seen discussions by >>> the board in the minutes that have been published about the GDPR long >>> before now – considering the impact – but failing that – the question is >>> now being asked. >>> >>> Andrew >>> >>> >>> _______________________________________________ >>> Community-Discuss mailing list >>> Community-Discuss@afrinic.net <mailto:Community-Discuss@afrinic.net> >>> https://lists.afrinic.net/mailman/listinfo/community-discuss >>> <https://lists.afrinic.net/mailman/listinfo/community-discuss> >> >> -- >> Abibu R. Ntahigiye >> >> CEO, tzNIC / Interim Chairman, Afrinic. >> _______________________________________________ >> Community-Discuss mailing list >> Community-Discuss@afrinic.net <mailto:Community-Discuss@afrinic.net> >> https://lists.afrinic.net/mailman/listinfo/community-discuss >> <https://lists.afrinic.net/mailman/listinfo/community-discuss> >
_______________________________________________ Community-Discuss mailing list Community-Discuss@afrinic.net https://lists.afrinic.net/mailman/listinfo/community-discuss