Home / Blogs

Have You Had Your GDPR Training Today?

The suggestion was recently put to the GNSO Council: anyone who becomes a member of a proposed new Expedited Policy Development Process (EPDP) must be able to demonstrate that they have basic knowledge of privacy and data protection. This makes a lot of sense: Would you trust a lawyer who had never been to law school? Or a doctor who had never studied medicine? Of course not.

Recently I asked members of our ICANN Community: have you had any GDPR training, classes, or certification? Among many good people from across the ICANN community, the answer was “No.” This is despite the fact that these very people—intellectual property attorneys, business representatives, members of the ICANN Board, and ICANN staff—are ultimately charged with deciding the fate of the Whois and of the GDPR.

The GDPR is not a matter of consensus, it’s a matter of compliance, and that starts with a solid understanding of the law. This is easy to do: there are hundreds of courses on the GDPR being offered around the world. Everyone is teaching the fundamental principles and legal definitions. The complexity of the subject matter is not easy but it is important: the GDPR has 11 chapters, 99 articles, 26 definitions, six principles relating to the processing of personal data, and four conditions for consent. Do you know them? We all should!

It’s critical to our work, analysis, decisions, and assessments of risk for us to understand the law. Neutral experts can help us. For the last year, General Counsels of large multinational corporations, including AMEX and IBM, have “sat down” (virtually) with counsel, data protection officers, and business leaders to share insights into the GDPR’s requirements and data flows in and out of the EU. In the US, Department of Commerce and Federal Trademark Commission officials have been on innumerable panels talking about the EU-US Privacy Shield and ways to become “self-certified” to meet the requirements of the Privacy Shield and have one’s company continue to receive data from the EU.

Alas, I’ve never seen other ICANNers at these meetings, almost as if it’s a badge of honor to talk about complex legal matters not studied closely. We demand a high standard of knowledge from those who want to participate on the technical side of ICANN’s work; we need an equally high standard on the GDPR side as well.

The International Association of Privacy Professional (IAPP) presented an excellent initial overview discussion of GDPR principles and legal requirements at the International Trademark Association last month in Seattle. IAPP writes: “Recent research has established that it takes more than 20 hours of training just to acquire a workable understanding of the GDPR… Our GDPR Ready training courses are recognized as the most effective way to prepare for these all-important roles.” So let’s roll up our sleeves and do it!

Let’s get past our various views of what’s good and bad about the GDPR and come to a clear and informed understanding of the law. Let’s require every member of the upcoming EPDP—members of the community, staff AND consultants—to complete neutral GDPR Training of the type IAPP identified above—20 hours for “workable understanding”—before coming onto the EPDP. This knowledge will get us past the great obstacle of the RDS PDP Working Group, and the “that’s not the law” responses with very differing claims of what the law requires. This training will give everyone participating in the EPDP a common understanding of the legal requirements of the GDPR—based on a neutral expert’s training (something he/she has shared with hundreds or thousands of people around the world already).

To quote every law professor I’ve ever known: ignorance of the law is no excuse :-).

EPDP RECOMMENDATION: require the International Association of Privacy Professional’s GDPR Training of 20 hours (or its equivalent) as an upfront and mandatory requirement for all ICANN members, staff and consultants on the EPDP on WHOIS and GDPR as they step onto the EPDP. ICANN should pay for this training (available online) or hire IAPP (or equivalent) to come and train the full EPDP as part of initial activities of the expedited working group.

Benefit: knowledge and expertise. Time saved for real work and discussion: infinite!

By Kathy Kleiman, American University Washington College of Law

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC