GDPR And Taking Online Payments: Are You Ready For New Legislation?

For organisations that take online payments, or handle consumer data, the clock is ticking on getting ready for GDPR adoption. After years of negotiation, the General Data Protection Regulation (GDPR) will come into force in just over a year, on 25 May 2018. GDPR general data protection

Despite Brexit, the government has made it clear that GDPR will affect UK businesses and any organisations that process, manage or store consumer data. Even after we have potentially removed EU laws from within British statutes, GDPR is going to remain the new benchmark for data handling and privacy for years to come.

Information Commissioner, Elizabeth Denham, confirmed government support for implementing GDPR. In an article in Computer Weekly, she said “The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.”

Karen Bradley, secretary of state for culture, media and sport, also supports GDPR adoption: “We will be members of the EU in 2018, and therefore it would be expected and quite normal for us to opt into the GDPR . . . [to ensure British business are] maintaining high levels of protection for members of the public.”

How to Prepare for GDPR

#1: Review Current Processes

Outsourcing data collection and processing, especially when it comes to payments, is no longer a way to absolve an organisation of responsibility. Many organisations outsource marketing, payment processing and IT. Every touchpoint in the supply chain can involve processing, storing and sharing sensitive consumer data.

Going forward, GDPR requires that the company collecting and using the data is confident in the security of every provider, including third-party cloud services. It is no longer a case of out of sight, out of mind. Companies and providers will need to share more information about internal processes, to ensure everyone is compliant with the new legislation.

Failure to provide sufficient protection through the supply could result in much larger fines than current legislation. When this comes into force, fines could be as high as €20 million, or 4% of annual worldwide turnover, for serious breaches, depending on which is the larger amount.

#2: Privacy-by-Design

When a company takes payments online, there is an explicit ask for sensitive information, from card details to an email address. When GDPR comes into force this ask, whilst already explicit, needs to come with a clear statement about where the data goes, who is responsible for storing it and processing the data.

Every company in this value chain needs to have processes that offer rigid protection. And then the end-user needs to be able to confidently give their consent, knowing that they are handing over personal data that can protect it. Consent can also be withdrawn at any time, which means reconsidering auto-renewal and subscription payment processes.

#3: Easy Access to Data

Consumers need to have quicker access to personal data than current legislation allows. Once GDPR is implemented, organisations need to make this data available for download, “‘where possible’ and ‘without undue delay’”, according to security analysts.

It may also be necessary to outline the data chain to consumers, showing them who else has handled the data and why it was necessary.

#4: Revise Data Breach Notification Procedures

Organisations will need to respond rapidly once they are aware of a data breach. Whenever possible, the data subject should be told within 72 hours, with a detailed explanation as to the cause of any delay.

Some of the practical burden of this was reduced when the language was changed to reflect that breaches will only need reporting when they represent a “high risk” to a data subjects “rights and freedoms.” For example, if a payment data breach results in full card numbers, addresses, and security details being taken. Although this does reduce the burden, companies and 3rd parties will need to improve procedures – including running mock breaches with security experts – to prepare for a breach.

GDPR adoption is not going to be easy. It will take time and cost money. Any company that processes payments needs to make sure they are ready before the end of 2017.

If you are considering expanding overseas and take online payments from global customers, download our whitepaper on cross-border trade. Click here to get your copy of Ready for Cross-Border Ecommerce.

_ _ _