GDPR – Data Protection Gets Serious
On 14 April 2016, the EU Parliament adopted the long-awaited General Data Protection Regulation (GDPR).
The GDPR will have considerable impact on all companies that provide goods or services to Europe, regardless of the company’s location and in many ways differs significantly from existing European data protection laws.
Once the Regulation is published, companies will have just over 24 months to comply with the new Regulation or risk facing fines equal to 4% of the company’s annual worldwide turnover for non-compliance.
GDPR – Immediate Applicability
The GDPR replaces the current European data protection regime consisting of the 1995 Data Protection Directive and 28 national data protection laws. The GDPR will be directly applicable in every EU Member State, without the necessity of implementing national laws.
GDPR – Explicit Consent
The Regulation requires explicit consent to be given by individuals for processing their personal data. In the past, consent could be considered valid if obtained implicitly. Companies will need to move away from processes that rely upon consent as the default (e.g., pre-checked) option, whereby individuals must “opt-out” to withhold consent. Instead companies will now need to show that an individual expressly agreed to the processing of their personal data via an “opt-in” mechanism (e.g., by checking a box or performing some other intentional act) for it to be valid.
GDPR – Reporting of Data Breaches
Companies that experience significant data breaches will now be required to notify the relevant national data protection authorities and (in some cases) data subjects that such an incident occurred. This brings Europe closer in line with existing U.S. breach notification laws that require companies to inform various state regulators and/or law enforcement and/or data subjects if they experience a data breach.
GDPR – Data Portability
Data subjects must be able to transfer their data easily from one service provider to another. Companies should consider whether to modify how they collect and retain personal data to simplify data transfers.
GDPR – Data Processors Under Scrutiny
Third parties who process personal data on behalf of other companies (e.g., for invoicing, shipping, payment processing) will be required to comply with a number of specific data protection related obligations. Failure to meet these obligations as a data processor will result in sanctions for non-compliance.
GDPR – Data Protection Officer
Companies will have to appoint a Data Protection Officer (DPO) when they are, for example, processing sensitive data (health or financial information). The DPO will be required to report directly to senior management.
GDPR – Extra-territorial Reach
The GDPR will apply to companies established outside the EU that process personal data from or on behalf of European companies. Foreign companies will also be subject to the Regulation if they “target” European markets or individuals. This means that any online business that intentionally markets to Europeans, or engages in activities such as customer profiling, or expressly offers products or services to European consumers or entities is likely to fall within the scope of the GDPR.
GDPR – Greater Responsibility
The GDPR imposes greater responsibility and accountability on companies regarding how they control and process personal data.
GDPR – Harmonization
The entire EU will be subject to the GDPR. This means there will be a single set of rules governing data protection throughout the region, rather than differences from one State to the other, as is the case now with 28 different national data protection laws.
GDPR – One-Stop-Shop
Companies that have multiple locations or conduct operations in multiple European countries will have a single national data protection authority act as the lead regulator for any compliance or enforcement issues.
GDPR – Privacy By Design
Companies must consider ways to mitigate any risk of harm to data subjects throughout the process of designing new products or services. These new products or services should by default ensure that only minimal personal data is collected, used and retained. Companies may incorporate an approved certification mechanism to demonstrate compliance with such requirements.
GDPR – Privacy Impact Assessment
A Privacy Impact Assessment will become a mandatory pre-requisite before processing personal data for operations that are likely to present higher privacy risks to data subjects due to the nature or scope of the processing operation.
GDPR – Right To Be Forgotten
Data subjects have the unequivocal right to request that a company responsible for the collection and use of their personal data delete it if there are no legitimate grounds for the company to retain it. This means that companies will need to carefully examine their statutory obligations to retain certain types of data, as well as their internal data retention policies, to identify when and whether they may delete personal data at the request of a data subject.
GDPR – Transparency
Companies will need to be more transparent about their privacy practices and policies. This means that online businesses in particular will need to enhance their website privacy policies to include much more detailed information. It goes without saying that any information provided in such policies will need to be written clearly and accurately reflect current company practices and procedures regarding the collection and processing of personal data.
GDPR – Stronger Enforcement
Non-compliance could lead to heavier sanctions. The GDPR enables regulators to levy financial sanctions of up to 4% of the annual worldwide turnover of the company for non-compliance.