The rules and regulations relating to how merchants and retailers capture, store, share and process customer and staff data are about to change. At the start of this year the European Commission revealed its new General Data Protection Regulation (GDPR), which aims to harmonise the current data protection laws in place across EU member states.
Directly applicable in every EU member state, the GDPR represents the most significant change in data protection legislation seen in the past 20 years. Because it is a regulation rather than a directive, it takes effect without national transposition: member states cannot water it down, and its provisions automatically become part of each national legal system, although the text does leave room for national variation on a limited number of points.
What’s more, GDPR applies to businesses established outside Europe that offer goods or services to individuals in the EU, or that monitor their behaviour, regardless of whether payment is taken.
With the regulation applying from May 2018, organisations have just two years to design data protection into the way they collect, store and process personal data, ensuring that every customer and employee record is managed within a lifecycle defined by policies covering collection, retention and deletion.
In addition, GDPR contains a mandatory requirement to notify personal data breaches to the national supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to individuals, the affected individuals must be informed as well.
Clearly, GDPR has far-reaching implications for merchants, retailers and their financial services partners. And the consequences of non-compliance will be significant: the fine structure features a maximum fine of €20 million or 4% of global annual turnover, whichever is higher.
GDPR – a great deal for consumers
Designed to empower European citizens, GDPR aims to bring Europe’s ageing rules in line with the modern technological era, ushering in an era of greater accountability alongside significantly increased transparency and controls for individuals to exercise management of their data.
Replacing a patchwork quilt of 28 EU member states’ laws with a single unifying data protection law, the GDPR represents a significant step forward for consumers, who will at last enjoy the same rights regardless of where in the EU they are based.
And it’s a move that has been long awaited by consumers; according to the European Commission, a recent survey revealed that more than 90% of Europeans say they want the same data protection rights across the EU.
Giving consumers greater control of their data, GDPR will make it easier for individuals to access and manage their data, know when their data has been ‘hacked’, and exercise the ‘right to be forgotten’.
In other words, it will give consumers who share their personal data with an organisation the confidence of knowing that they have a right to privacy by default, and that where processing relies on their consent, that consent must be freely given, specific, informed and unambiguous rather than buried in a pre-ticked box.
GDPR – implications for multichannel retail and payment processing
Let’s be clear. It will be far easier for businesses with EU operations to comply with one set of rules rather than trying to navigate the laws of 28 different countries. That said, mindsets, processes – and most importantly – IT policies will need to change.
The GDPR places stringent accountability obligations on data controllers to demonstrate compliance, which includes implementing data protection by design and by default (for example, collecting and retaining only the personal data needed for each stated purpose).
Companies whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data, will need to appoint a data protection officer (DPO). The 250-employee threshold in the Commission’s original proposal did not survive into the agreed text. The DPO advises the organisation on its technical and organisational measures and monitors compliance with the regulation.
These officers will also act as the point of contact for the supervisory authority and must report directly to the highest level of management, so the board cannot treat compliance as a purely operational matter.
All this implies increased effort and cost for the industry, because systems and products will need to be built around privacy from the ground up. Many companies will need to re-examine their processes and procedures in order to ensure compliance.
This includes payment service providers who, while already subject to PCI DSS and other data security requirements, will need to assess whether they are compliant with GDPR. PCI DSS protects cardholder data; it does not cover the wider personal data (names, addresses, e-mail addresses, purchase histories) that GDPR governs. Many providers are already evaluating value-added data protection services in a bid to reduce the investment required of merchants.
Other ways in which the industry can support customers include contractually allocating the obligations and liabilities that GDPR now places directly on both data controllers and data processors, and implementing mandatory policies and procedures for regularly testing data breach response plans.
The time for action is now
While GDPR has been long anticipated, its requirements have now been agreed, and companies that delay assessing their policies, procedures, technologies and staff training requirements risk investing in resources and services that will be obsolete when GDPR applies from May 2018.
Merchants, retailers and payment partners should start preparing, and these five practical steps should help to kick off this process:
Make GDPR a board-level task
Embracing the concept of privacy by design begins in the boardroom. Clear policies will need to be in place to prove your organisation meets the required standards, and privacy by design requirements should be written into every build-or-buy decision going forward.
Prepare for data security breaches
Put in place clear policies and well-practised procedures to ensure you can react quickly to any data breach, notify the supervisory authority within the 72-hour window and inform affected individuals where required. Carefully review your organisation’s incident detection, management and response capabilities: you cannot notify a breach on time if you cannot detect it.
Tackle ‘rights’ and ‘consent’ head on
Check your privacy notices and policies are transparent and easily accessible. Develop a strategy to fulfil a consumer’s right of access, right to erasure (the ‘right to be forgotten’) and right to data portability. If you obtain data processing services from a third party, determine and document your respective responsibilities.
Appoint a data protection officer
If your organisation meets the criteria for a mandatory DPO (large-scale regular monitoring of individuals, or large-scale processing of special categories of data), think now about who is qualified to fulfil the role, or whether you will need to recruit an individual with the required expert knowledge of data protection law and practice to advise on compliance and to advise on the required impact assessments.
Train all staff
Implement regular training for all staff to generate awareness and understanding of GDPR and its requirements; raising awareness and training the staff involved in processing is one of the DPO’s statutory tasks.
Sourced from Andre Malinowski, head of international business, Computop