Everyone is talking about the General Data Protection Regulation (GDPR) that comes to force on 25 May 2018. PaymentsOp explains in plain words what GDPR is, who needs to be ready, which basic action your business should do right away.

Who needs to be GDPR complaint?

If you answer “YES” to one of these questions your company needs to be GDPR ready:

• Your business is established in the EU

• Your company is EU-based

• Your organization is from outside the EU and offersf goods or services to customers/users in the EU and processes personal data of European residents.

• Your company monitors behavior, handles data of users on the territory of EU

What GDPR is about?

General Data Protection Regulation aims to protect personal data of users/customers/employees and give them control over the personal data that they pass on to the companies. It defines how companies should handle personal data and who has the power to decide on how this data should be handled.

The GDPR includes the following rights for individuals:

• the right to be informed;

• the right of access;

• the right to rectification;

• the right to erasure;

• the right to restrict processing;

• the right to object;

• the right not to be subject to automated decision-making including profiling

• the right to data portability;

In plain words, the regulation requires businesses to inform the users how they handle personal data and what they use it for. The business is responsible for the way the data is stored and for the protection of the individuals’ personal data that entrusted their personal data to the business from data breaches.

What are the basic actions your business should do right away?

Raise awareness. Inform your staff about GDPR. Your legal, IT, Development, Compliance staff must be on board. However, the GDPR guidelines should be clear to every member of your staff, including customer service and sales representatives, HR, and any other member of staff that may come in touch with data of users or staff members that fall under GDPR regulation.

Map and Document. Every company is required to hold a list of all types of personal data it holds in order to comply with the GDPR: the source of the information, who the company shares data with, what the company does with it and how long the data is being kept. Ask yourself:

• Which personal data you hold in your systems?

• How do you store the data?

• Where did this data come from? (Users, 3rd party suppliers)

• Are you sharing the data with anyone? (Service provider, 3rd party tools/suppliers)

Review your Privacy Notice. GDPR requires to explain to the data subjects (users/ customers/employees) in an easy to understand and clear language how and why and for how long you’re storing and using their personal data. You need to inform them of their right to complain to the supervisory authority if they have a problem with the way that you’re handling their data.

Identify your lawful basis for data processing. As mentioned above, you need to be ready to explain why and how you are using/processing user data. The explanation needs to be clear. Therefore, you need to document your lawful basis for all the cases where you use user data. For example, fraud and risk checks, compliance verification, payment procedures etc’

Review consents. If you rely on users’ consent to process their data make sure your consents are GDPR complaint. For example, if you want the user to subscribe to your mailing list, GDPR requires prominent, clear, specific, and proactive opt-in to be shown to the user. Keep in mind that the user should be able to easily withdraw as well.

Review request procedures. Plan how you will handle requests regarding user data. In case a request is filed your business has one month to provide the response. In most cases you will have to provide the data free of charge.

In case you refuse a request, you must explain your reasons. The individual must be informed of the right to complain to the supervisory authority and to a judicial remedy.

Children data. Under GDPR users under the age of 16 will require consent from a person holding ‘parental responsibility’. Make sure your systems are able to verify users age, and enable parental / guardian consent.

Procedures to handle breach of personal data. The GDPR introduces a duty to report certain types of data breach to the LSA (lead supervisory authority), and in some cases, to individuals.

You should put procedures in place to effectively detect, report and investigate a personal data breach.

Privacy & data protection. The GDPR introduces the terms ‘data protection by design and by default’, and makes data protection an express legal requirement. In plain words, encrypt your users data, make sure it’s secure from the moment it enters your system. Do not let the data be exposed to general public without clear user consent.

Check if your organization needs a Designate a Data Protection Officer (DPO).

You must designate a DPO if you are:

• an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.

• an organisation that carries out the regular and systematic monitoring of individuals on a large scale;

• a public authority (except for courts acting in their judicial capacity);

If you have more in depth questions regarding the GDPR regulation, feel free to contatct us. PaymentsOp is always happy to share professional knowledge in the fields of Compliance, Payment Data Security, e-Payments, and Risk & Fraud Prevention.