If You’re a High-Risk Merchant, You’ll Want to Read This.
What is Data Protection?
The GDPR (General Data Protection Regulation) replaces the EU's 1995 Data Protection Directive. The original law set minimum standards for how businesses in the EU collect and process personal data. In 1995, few people predicted how much customer data companies would come to hold. The GDPR strengthens those rules and gives consumers the right to demand that companies disclose, correct or even delete the data collected about them. Overall, it is a big win for consumers and long overdue. On the other side of the equation, businesses now need to be far more careful about what customer data they hold, why they hold it, and with whom they share it.
Does GDPR Apply to You?
Do you have customers in the EU? If the answer is yes, the GDPR affects you. Companies headquartered in Europe are not the only ones in scope: if your business offers goods or services to people in the EU, or monitors their behaviour (for example through tracking and targeted advertising), you are covered too, although not every business is affected in the same way. The more personal data you collect, the more the law will impact your business. For example, if you run an e-commerce store that relies on consumer data to target advertisements and develop products, you will see significant changes in the permissions you need and the rights you have to use that data, and failure to comply can be costly (more on this later).
Here’s What You Should Do
Non-compliance can bring hefty fines, so make sure your business operates within the rules of the GDPR. To illustrate, here is one area where a company may already be part of the way to compliance.
Are You Already PCI DSS Compliant?
If you are already PCI DSS compliant, you may be closer to GDPR compliance than you think. PCI DSS deals mainly with how your organization handles customers' payment card data. The GDPR, on the other hand, covers all personal data: names, dates of birth, addresses, email addresses, bank details and so on. The controls you built for PCI DSS (network segmentation, access control, encryption, logging and monitoring) give you an infrastructure that can store other personal data securely as well. Be aware, though, that PCI DSS is scoped to the cardholder data environment, while the GDPR applies to every system that holds personal data, and it also imposes obligations PCI DSS does not, such as having a lawful basis for processing, honouring individuals' rights and documenting your processing activities. Reusing your PCI DSS controls is a head start, not the finish line.
Basically, if customers' personal data such as names, dates of birth, addresses, email addresses or bank details is lost, stolen, accessed or disclosed without authorization, that is a personal data breach, and it is the business's responsibility to respond to it. Under the GDPR you must notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to put individuals at risk. If the breach is likely to result in a high risk to the people affected, you must also tell those people directly and without undue delay, in clear and plain language. Before the GDPR, organizations often did no more than issue a press release or post about the breach on social media. The problem is that affected customers might never have seen those, which is why direct, one-to-one communication is now expected.
Notifying the supervisory authority promptly also lets it take steps to limit any further damage. For a full list of supervisory authorities, here is a handy guide listing the authority for many different countries.
Remember the hefty fines we referenced earlier? Well, they haven't gone anywhere. Failing to comply with the GDPR can come with a cost that most businesses can't afford. The regulation sets two tiers of administrative fines: up to 10 million euros or 2% of the organization's annual global turnover for lesser infringements (such as failing to keep proper records or to notify a breach), and up to 20 million euros or 4% of annual global turnover for the most serious ones (such as violating the basic principles of processing or individuals' rights). In each tier, whichever amount is higher applies.
Supervisory authorities determine the actual fine based on the nature and severity of the infringement, whether it was intentional or negligent, and whether the business took its data protection obligations seriously. A fine at the upper end could put a smaller merchant out of business.
Here’s what you have to keep in mind:
- Users now have more control over how you use their data, and they can legally hold companies accountable.
- Protecting your customers' data is imperative. You must implement systems that protect it from breaches, and you must tell customers how you use their data and how you may use it in the future.
- Failing to comply with the GDPR can cost you millions. Merchants need to take every reasonable step to protect and secure users' data while remaining fully transparent about how it is used.
Let Us Help
Contact DirectPayNet today for an expert consultation on data protection compliance and how it might affect your business. Ask us about outsourced management of your merchant account needs. Our team is ready to help!