On May 25, 2018, the General Data Protection Regulation (GDPR) will go into effect. The data protection and privacy regulation was approved by the European Union (EU) Parliament back in 2016, after four years of debate.
Though the GDPR is intended to protect European citizens and applies to businesses that conduct business in Europe, American businesses that offer ecommerce credit card processing or that do business in Europe must also be aware of how the GDPR will affect them. Even brick-and-mortar businesses in the United States that might serve European customers at some point must be in GDPR compliance.
A survey by global analyst firm Ovum, commissioned by technology provider Intralinks, found that two-thirds of American companies believe they'll need to rethink their strategy in Europe because of the GDPR, and more than half of businesses believe they will be fined due to the GDPR. Here's more info on GDPR details and how they affect merchants in the United States.
What Is the GDPR?
The GDPR is a set of standards designed to “harmonize data privacy laws across Europe” so that consumers are better protected. Businesses that conduct transactions for EU citizens within EU member states must comply, and personal data of EU citizens must also be protected outside of the EU. The GDPR places the responsibility of a data breach on a business for failing to protect customers, not just the hacker.
Key points of the GDPR include:
- Regardless of where a company is located, it must protect the personal data of EU citizens. This means, any company that processes payment information for EU citizens must follow all GDPR standards.
- Companies that do not protect EU citizen data will be fined. Penalties may reach up to 4 percent of annual global turnover or €20 million, whichever amount is more. Actions that may constitute violation of the GDPR include: not retaining organized data records, not notifying the regulator and data subject about the breach; and not conducting an impact assessment. Any data breach must be reported within 72 hours to comply with GDPR standards.
- Data consent conditions must be clearly presented. EU citizens must know that they are consenting to share personal information with businesses and must be able to withdraw consent easily.
The type of data that is protected by GDPR includes IP addresses and cookies, which ecommerce sites may be accessing. Other types of privacy data the GDPR protects include: name, address, health data, ID numbers, and identifying information like sexual orientation, racial data, and political opinions.
How Should Your Business Prepare for the GDPR?
In order to meet GDPR compliance standards, some businesses, depending on size, must make sure that the following roles are accounted for: data controller, data processor, and data protection officer.
- The data controller defines how data is processed and defines the purposes for which it is processed. The data controller also coordinates compliance with outside contractors.
- The data processor may consist of more than one individual, which processes data. This can be internal employees or outsourcing firms.
- The data protection officer must manage GDPR compliance and data security strategy. A data protection officer must be designated if the company processes significant amounts of data of EU citizens.
Though the creation of these distinct roles is not required of small businesses, the data protection they accomplish must still be executed by any business that handles EU citizen data. To make sure all these responsibilities are covered, businesses must work with IT and security teams to outline how data is processed and stored and agree on how compliance will be executed. If one is not already in place, a data protection plan should be created, or reviewed and updated so that it meets GDPR requirements.
For businesses that implement ecommerce credit card processing, some ways to ensure GDPR adherence include:
- Create written contracts with third parties that have access to customer data regarding how that data is processed and used
- Make sure that giving consent for data use is an active choice, not a passive one — for example, pre-ticked boxes giving consent does not qualify as active consent
- Offer consumers the right to have their data deleted
- Consider erasing stored customer data before the deadline
- Use PCI-compliant merchant services to strengthen customer data protection
Data that is collected in order to process payment or to deliver the purchased product, such as collecting a name and address for the transaction, does not require explicit data consent. However, if your business plans on storing and using that data in the future, the EU customer must give consent for your business doing so first.
Keep Your Business Protected Amid GDPR Regulations
Because the GDPR's scope is fairly broad, and the standards are not legally in effect yet, how companies will be fined and punished for violating the regulation is yet to be seen. In addition to involving key stakeholders including business executives and IT in creating and implementing a strategy for the GDPR, it's wise to consult with an attorney to get business-specific recommendations. The fines that can be handed out are enough to cripple a small business.
Ultimately, the better protection your customers have, the better it is for your business. By taking GDOR regulations seriously and having standards in place for protection by the deadline, you protect both your customers and your business.
If you have questions about how to make sure your merchant services adhere to GDPR standards, contact North American Bancard online or call 877-840-1952.