Are you ready for the GDPR? It comes into force on 25 May 2018. The government has been busy issuing warnings for businesses to make sure their data handling is compliant with the new legislation or face the risk of potentially hefty fines.
Despite this, surveys show that fewer than one in ten businesses are fully prepared for the new legislation. This is a problem, because in many cases the changes required are complex and time consuming.
At PPRO, we’ve been preparing our systems and procedures for the GDPR. Based on that experience, here’s our six-step guide to getting ready for the GDPR.
1. Carry out an impact assessment and gap analysis
The GDPR introduces changes to the way data handling is policed.
Key changes include:
• Where you rely on consent as your lawful basis, it must be given by a clear affirmative action. Pre-ticked boxes, silence or inactivity no longer count.
• Data may only be used for the purpose you stated when you collected it.
• Once that purpose has been fulfilled, you must delete the data, unless another lawful basis (for example a statutory retention obligation) requires you to keep it.
• Where you rely on consent to offer online services directly to a child under 16 (member states may lower this threshold to 13; the UK has chosen 13), you must obtain verifiable consent from a parent or guardian beforehand.
• Customers must be able to withdraw consent at any time, and doing so must be as easy as giving it.
• You must notify the regulator within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals.
• Public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category data, must appoint a data protection officer.
Even from this partial list, it’s clear that there are many ways in which different parts of any business could be impacted by the GDPR. To ensure compliance, you need to perform a thorough impact assessment and gap analysis, identifying all direct and indirect consumer touchpoints and the data each generates.
2. Understand the concept of lawful basis
Article 6(1) of the GDPR provides that collecting and processing personal data must be undertaken lawfully. It says that data processing is lawful only if at least one of the following applies:
1. The data subject has consented.
2. Processing is necessary for the performance of a contract with the data subject, or to take steps at their request before entering into one.
3. Processing is necessary to comply with a legal obligation.
4. Processing is necessary to protect the vital interests of the data subject or another person.
5. Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
6. The controller, or a third party, is pursuing a legitimate interest that is not overridden by the interests, rights and freedoms of the data subject.
These are all fairly self-explanatory, except the last one. Broadly speaking, this covers circumstances in which there are minimal privacy implications to the data processing and it is in the interests of a person, group of people, or society that the data is processed.
You cannot use the legitimate interest justification to cover all data processing. But holding information for fraud prevention purposes could be classed as a legitimate interest, making this basis particularly relevant for payment service providers. Companies using the legitimate interest basis must be able to justify it with close reference to data-protection law. The UK Information Commissioner has a good guide to the subject. Once you have identified all the customer touchpoints that generate data, you need to make sure that all of that data is covered by one of these lawful bases.
3. Understand consent
The GDPR sets a high standard for establishing consent. Individuals must have meaningful control over whether to opt in to data processing or not. Any businesses practicing so-called ‘dark patterns’ — UX tricks designed to manipulate users into signing up — need to stop now or risk falling foul of the new law.
To serve as a lawful basis, consent to process data must be freely given, specific, informed and unambiguous. The data subject must give a clear affirmative response to some form of the question: ‘May we process your data for this purpose?’ It should be obvious who is collecting the data, why, and what will be done with it.
4. Check your data retention regime
You should only hold data for as long as you need it to fulfil the purpose for which you originally collected it, and you may not quietly repurpose it once that need has passed. So, for instance, if you collect consumer data to process payments you may not keep it beyond the period the payment (or a legal retention obligation attached to it) requires, and you may not then use it to target the consumer with personalised marketing, which is a separate purpose needing its own lawful basis. Your data retention policy must adhere to this principle. It must also allow for timely access to a person’s data should he or she request it: the GDPR gives you one month to respond to such a request.
5. Take steps to secure data at rest and in transit
To comply with the GDPR, data controllers and processors must know their data (another important function of the data audit). They must have done a thorough risk assessment and put in place the necessary human, procedural and technical safeguards to protect the data they hold against the risks identified.
Article 32 of the GDPR provides examples of the kinds of technical measures a company might take to secure its data, for instance pseudonymisation or encryption. But in the final analysis, a company must do whatever it takes to implement a reasonable level of security.
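The word ‘pseudonymisation’ in Article 32 is often misread as ‘hash the identifier’. The GDPR definition (Article 4(5)) requires that re-identification depend on additional information kept separately, and a plain hash of a low-entropy identifier such as an e-mail address does not achieve that, because anyone can hash a list of guesses and compare. The example below is added here to illustrate the point; it is not code from PPRO or from the original article. It pseudonymises constructed payment records with a keyed HMAC (the key being the ‘additional information’ that must be held apart from the data, e.g. in a KMS) so that the same customer still maps to the same token for fraud analysis, and it shows that a naive unkeyed hash is reversible by guessing while the keyed token is not. All record fields and names are invented for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional

# Constructed sample payment records for the example; not real customer data.
SAMPLE_PAYMENTS = [
    {"email": "alice@example.com", "amount": "19.99", "currency": "EUR"},
    {"email": "bob@example.com", "amount": "250.00", "currency": "EUR"},
    {"email": "Alice@Example.com ", "amount": "5.00", "currency": "EUR"},
]


def _normalise(identifier: str) -> bytes:
    # Same person, same token: strip whitespace and case differences first.
    return identifier.strip().lower().encode()


class Pseudonymiser:
    """Replace a direct identifier with a keyed token (HMAC-SHA256).

    The key is the 'additional information' of GDPR Art. 4(5): it must be
    stored separately from the pseudonymised records (assumed here to come
    from a KMS/HSM, not from the same database). Without the key a token
    cannot be linked back to a person; with it, re-identification is
    deterministic, so transactions by one customer can still be correlated
    for fraud prevention.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)

    def token(self, identifier: str) -> str:
        return hmac.new(self.key, _normalise(identifier), hashlib.sha256).hexdigest()

    def pseudonymise(self, record: dict) -> dict:
        # Remove the direct identifier and store only the token.
        out = dict(record)
        out["customer_token"] = self.token(out.pop("email"))
        return out


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: NOT pseudonymisation.

    E-mail addresses have low entropy, so an attacker who obtains the hashed
    records can simply hash candidate addresses and compare.
    """
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def reidentify_by_guessing(
    digest: str, candidates: List[str], hash_fn: Callable[[str], str]
) -> Optional[str]:
    """Dictionary attack: return the candidate whose hash matches, if any."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), digest):
            return candidate
    return None


def demo() -> dict:
    """Run the comparison and return the findings for inspection."""
    p = Pseudonymiser()
    records = [p.pseudonymise(r) for r in SAMPLE_PAYMENTS]
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    return {
        "identifier_removed": all("email" not in r for r in records),
        "same_customer_same_token": records[0]["customer_token"] == records[2]["customer_token"],
        "naive_hash_recovered": reidentify_by_guessing(
            naive_hash("alice@example.com"), guesses, naive_hash
        ),
        "keyed_token_recovered_without_key": reidentify_by_guessing(
            records[0]["customer_token"], guesses, naive_hash
        ),
        "keyed_token_recovered_with_key": reidentify_by_guessing(
            records[0]["customer_token"], guesses, p.token
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Pseudonymised data is still personal data under the GDPR; the measure reduces risk (a leaked table of tokens and amounts is far less damaging than one of e-mail addresses and amounts) but does not take the records out of scope. The key itself is now the crown jewel and belongs under the same access controls and rotation discipline as an encryption key.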
You must also define adequate incident response procedures. These must allow you to detect a breach, contain it and close the hole that caused it, and restore availability of and access to the personal data in a timely manner, both for your own processing and for the data subjects it concerns.
Once you become aware of a breach, you must report it to your national data-protection authority without undue delay and, where feasible, within 72 hours, unless it is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you must also inform the affected people directly. Keep a record of every breach, including those you decide not to report and why.
6. Make sure all relevant employees have had GDPR training
The best technical and procedural protections in the world won’t help if your staff carry on acting as if the GDPR had never happened. You need to make sure that all staff — and certainly all staff involved in data collection and processing — are aware of the law and its implications.
Payment Service Providers are exposed to the GDPR in ways that many companies are not. For instance, PSPs handle data passed to them by their merchants and they may also pass data to third-party providers (such as PPRO). In each case, PSPs need to understand the implications of each relationship. Who is responsible for establishing consent? Who is the data controller? How long should such data be held and who is responsible for determining when the purpose for which the data was collected has been fulfilled?
The risks of non-compliance
The penalties for non-compliance with the GDPR include fines of up to €20 million or 4% of annual global turnover, whichever is higher. A study in 2017 found that the previous year’s data-protection penalties in the UK would have been 79 times higher if the GDPR had already been in place. And data-protection authorities in the EU have already shown themselves willing to levy significant fines.