Previous ArticleCard payment fees: Brussels ban could put up pricesNext ArticleOpen banking: the quick guide for merchants

GDPR is coming

It’s not the easiest piece of legislation to fully comprehend, but the crux of the GDPR is that it significantly increases accountability for any organisation handling personal data.

At Paysafe, we’ve been looking at the core European General Data Protection Regulation (GDPR), that will be coming into effect in May. It is the most significant change to data protection law in Europe since the 1995 European Data Protection Directive. 

It’s not the easiest piece of legislation to fully comprehend, but the simplist terms, the crux of the GDPR is that it significantly increases accountability for any organisation handling personal data. 

Here are six key points that your business ought to consider when preparing for this new data regulation.

Key changes

  • Provide detailed privacy notices to customers
  • Clear justification for the processing of customer data 
  • Enhanced Rights for individuals in relation to objecting to how their data is being processed and rights of access to their data 
  • Rights for customer compensation and litigation
  • Mandatory data breach requirements requiring breaches to be reported to the Regulator within 72 hours 

Increased Regulatory powers — businesses may have to pay severe penalties for non-compliance with GDPR requirements Substantial fines for data breaches up to 4% of total worldwide revenue or €20m, whichever is the higher. 

Don’t get caught out

According to Gartner, more than 50% of companies affected by GDPR will not be fully compliant with the requirements by the end of 2018 and place themselves at substantial risk of regulatory action across Europe. Given the risk of monetary fines, it’s surprising that businesses aren't further along with their preparations. 

Nobody likes to be on the receiving end of “I told you so”. Consider that the fine for the TalkTalk breach was £400,000 – just 0.02% of reported headline revenue. Under the forthcoming GDPR rules, that could be nearly £72m. 

There are many exhaustive breakdowns of GDPR requirements available on the web and we don’t intend to repeat them here. But, we particularly liked this resource from Baker McKenzie. It provides lots of readable guidance for the non-lawyer:

“It’s worth spending some time thinking about the kind of transformation that organisations need to go through to get there. In particular, it's worthwhile thinking about where organisations really need to focus their efforts as the May 2018 deadline gets closer” – Baker McKenzie. 

Step up technology and supply chain

You need very specific technology and data management skills, both to define and manage the operational requirements and to define a data strategy implementation within a business. From this perspective, Gartner's predicted compliance figures of 50% may actually be too optimistic: the technical challenges are enormous, even for relatively small organisations. Just knowing where a company’s data is located, backed up, viewed and accessed globally – not just by the organisation itself, but by its suppliers too – is a huge and complex exercise in itself. 

The good news is large projects can be broken down into quick wins. If you don’t know where to start, begin with considering the issues that are raised when consumers request that their data be deleted, and the questions that must be answered before you can begin to do it:

  • Do you have a data retention and disposal strategy that covers all locations (including your outsourced suppliers)?
  • Is the disaster recover/BCM plan in place to ensure accurate data is available at all times?
  • How do you manage and reconcile time stamps to ensure there’s one master record?

We’ve been developing remediation programmes for some time, from both a legal and business perspective. We are committed to meeting our GDPR requirements, which will help us continue to support our customers, merchants and payment service partners across the Paysafe ecosystem.