[At-Large] [Internet Policy] Data Protection directives need to include Data Transparency directives.

Wisdom Donkor wisdom.dk at gmail.com
Tue Aug 21 23:06:16 UTC 2018


The term personal data assumes extremely broad coverage in the GDPR: any
data that relates to "an identifiable natural person" is classified as
personal data. Organizations usually digitally process and store things
like customer names, email addresses, photographs, work information,
conversations, media files, and a lot of other information that could
identify individuals. Personal data is all-pervasive, and is found in
nearly every piece of IT. If your organization wants to comply with the
GDPR, then you need to define and enforce strict access controls as well as
meticulously track access to data.

Cyber attacks mostly originate both from within the perimeters of an
enterprise, and from outside. It has been revealed that hackers both external
and internal are exploiting privileged access to perpetrate attacks. Most
of these attacks compromise personal data that is processed or stored by IT
applications and devices. Almost all types of cyber attacks nowadays
involve privileged accounts.

In internal and external attacks alike, unauthorized access and misuse of
privileged accounts, the "keys to the IT kingdom", are some of the main
techniques used by criminals. Administrative passwords, system default
accounts, as well as hard-coded credentials in scripts and applications
have all become the prime targets cyber criminals use to gain access.

I hope this also adds up.

*Africa Open Data and Internet Research Foundation (Co-Founder)*
E-government, Internet Governance & Open Government Data and platforms
ICANN Fellow / UN IGF MAG Member, ISOC Member,
Freedom Online Coalition (FOC) Member, Diplo Foundation Member,
OGP Open Data WG Member, GODAN Member.
National SDG's data Roadmaps Advisory Board Member, Ghana
National Secretariat Manager, IT Association of Ghana (ITAG)
Ghana Energy Data Task-force Member
Ghana OGP Advisory Committee Member
Email: wisdom.dk at gmail.com
Skype: wisdom_dk
facebook: Kwasi Wisdom
LinkedIn: Kwasi Wisdom

On Tue, Aug 21, 2018 at 10:06 PM sivasubramanian muthusamy <
6.internet at gmail.com> wrote:

> Hello,
> (I sent the following message as comments on an epdp Report on Temporary
> Specification for gTLD registration data. But this is more of a comment on
> Data Protection regulation in general, so copied to the Internet Policy
> list)
> In Data Protection terminology, "Personal data" is more of a generic or
> 'loose' term that applies both to individual and business data. In DNS,
> Registration Data does not make any distinction between individual
> registrants and business registrants whose web space is for some form of
> (e)commerce activity. While there is a need for privacy of personal data of
> individual registrants, the opposite, need for greater transparency, may be
> required in the case of data related to any form of commercial, perhaps
> even Government and non Government web spaces.
> The rationale is that the online presence of small and large businesses
> alike is often short of information pertaining to physical location, names
> of functionaries, officials or the person in charge. A phone company does
> not have a listed phone number, an email company does not have a visible
> email address! This is part of a pattern of multiple players transacting
> business online from a carefully guarded climate of "do-not-reply" email
> accounts, phones without a call back number, answering machines,
> conveniently assisted by BPO intermediaries who keep the consumer at an
> unapproachable distance. A hotel reservation portal or a small shop online
> transacts business online without allowing the consumer the ability to
> reach them for various reasons.
> Limiting access to Registration data indiscriminately and only for
> 'legitimate uses' may perpetuate this trend of inaccessibility of business
> entities, widen the disconnect between business and consumer with the
> effect that multiple commercial registrants would continue to design their
> online presence to transact business without due accountability. The
> section 4.4.2, Lawfulness & Purposes of Processing gTLD Registration
> Data as written, might have the unintended consequence of perpetuating
> unhealthy protection for segments that actually require information
> disclosure and transparency. How the DNS will make such a distinction is
> another question.
> Does GDPR make such a distinction?
> Sivasubramanian M
> Sivasubramanian M <https://www.facebook.com/sivasubramanian.muthusamy>
> twitter.com/shivaindia