data protection EU

Should You Be Worried About General Data Protection Regulation?

If You’re a High-Risk Merchant, You’ll Want to Read This.

ShareHIDE

Europe’s General Data Protection Regulation (GDPR) law went into effect on May 25th, 2018 in hopes of changing the way businesses gather customer data and how they use it. You’ve probably seen numerous consumer privacy emails clogging up your inbox in the past few weeks. While these “We’ve updated our privacy policy” emails are annoying, they’re there for a reason. Should merchants be worried about the EU’s GDPR? Will the law change the way you do business? Let’s discuss.

 

What is Data Protection?

GDPR is a replacement of the EU’s 1995 Data Protection Directive.  The original law set minimum standards for collecting and processing data for businesses in the EU. In 1995, few people predicted how much customer data would be available to companies.  GDPR aims to strengthen these rules and consumers’ rights to demand that companies reveal or even delete the data they’ve collected on them. Overall, it’s a big win for consumers and is long overdue.  On the other side of the equation, businesses will need to be more careful with their customer data and how they share it.

 

Does GDPR Apply to You?

Do you have customers in the EU? If the answer is yes, then the GDPR affects you. Companies with European headquarters are not the only ones affected by GDPR. If your business transacts with EU consumers, you’re still affected (but not all in the same way). The more personal data collected, the more the law will impact your business. For example, if you run an e-commerce store that relies on consumer data to target advertisements and develop products, you’re going to see significant changes in the permissions and rights you’ll have to use this data and failure to comply could be costly (more on this later).

 

Here’s What You Should Do

Non-compliance will bring hefty fines. Therefore, make sure that your business is operating within the rules of the GDPR. To better illustrate this point, here’s an example of how a company can ensure it complies.

An online business coach offers customers an opportunity if they sign up for their course. Because customer names and email addresses are being collected, the coach is responsible for the data security in addition to any other partners with access to the information. They must clearly disclose how the data will be used in their privacy policy (if they later sell the email list to another party, for example). Additionally, users must be informed if the coach’s privacy policy changes in the future. If a breach occurs, the coach must immediately send a breach notification to all users affected to explain what happened along with clear steps consumers should take to reduce the damage.

 

data protection GDPR

Are You Already PCI DSS Compliant?

If you already fall within PCI DSS compliance, you might already be closer to being compliant with GDPR. PCI DSS deals with mainly how your organization handles customers’ payment information. On the other hand, GDPR deals with how you’ll protect consumer information like names, dates of birth, etc. If you already have systems in place for PCI DSS, your infrastructure should be there to store other data securely.

 

Your Obligations

Basically, if any customer’s name, date of birth, address, email, bank details, etc. is misused or used without the customer’s consent, it is the business’ responsibility and obligation to inform your customers of the breach within 72 hours. All customers that were or could have been affected must be sent a breach notification message. Before the GDPR, organizations only issued press releases or posted about the breach on social media. The problem is that affected customers might not have seen these, requiring the need for one-on-one communication.

You must also advise the relevant regulatory body about it so they can take steps to lessen any further damage. For a full list of supervising authorities, here is a handy guide listing the authority for many different countries.

Remember the hefty fines we referenced earlier? Well, they haven’t gone anywhere. Failing to comply with GDPR can come with a cost that most businesses can’t afford. Your business could face a 10 million euro fine or a fine worth 4% of the organization’s annual global turnover, depending on the size of your business.

Regulatory bodies will determine the fine based on the severity of the offence and whether the business took their data protection efforts seriously. If found liable of a breach, you could go out of business.

 

The Takeaway

Here’s what you have to keep in mind:

  • Users now have more control over how you use their data. They can also legally hold companies accountable.
  • Protecting your customer’s data is imperative, and you must implement systems to protect their data from breaches. You also need to inform them of how you use or may use their data in the future.
  • Failing to comply with GDPR can cost you millions. Therefore, merchants need to take every step possible to protect and secure users’ data while remaining fully transparent.

 

Let Us Help

Contact DirectPayNet today for an expert consultation on data protection compliance and how it might affect your business. Ask us about outsourced management of your merchant account needs. Our team is ready to help!

About the author

As President of DirectPayNet, I make it my mission to help merchants find the best payment solutions for their online business, especially if they are categorized as high-risk merchants. I help setup localized payments modes and have tons of other tricks to increase sales! Prior to starting DirectPayNet, I was a Director at MANSEF Inc. (now known as MindGeek), where I led a team dedicated to managing merchant accounts for hundreds of product lines as well as customer service and secondary revenue sources. I am an avid traveler, conference speaker and love to attend any event that allows me to learn about technology. I am fascinated by anything related to digital currency especially Bitcoin and the Blockchain.