GDPR and Payments

(In a rush? TL;DR: scroll down for an infographic on essential GDPR facts.) Unless you've been taking part in a media blackout recently, or have simply overlooked the deluge of emails in your inbox from companies changing their terms of service and privacy policies, you'll know that the EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018.

Time to cut through the noise: what is the GDPR?

The GDPR is a legal framework that sets out principles for data management and the rights of individuals covered by that framework across Europe. If you have customers anywhere in the EU, you are obliged to comply with the GDPR, no matter where your business is based.

The GDPR applies to personal data, meaning any information relating to an identified or identifiable person. It sets out rules for the collection and processing of individuals' personal information whenever that processing is carried out by EU-based data controllers or processors, or by companies processing the information of EU data subjects in order to offer them services or to monitor their behavior within the EU.

It's all about protecting individuals' privacy, allowing them to exercise ownership of their personal data and to make decisions about how that data is used by those who collected it. Organizations processing your data must have a legal basis to do so. In addition, they must follow specific requirements, such as providing you with information about how they use, share and secure your data, while making sure those activities take place in a fair manner and only for the purposes for which your information was collected.

Key changes introduced by the GDPR

There are four core areas that will see the biggest changes:

  • Wider territorial scope.
  • Increased accountability requirements (which we will get onto later).
  • Fines for non-compliance are up to €20 million or 4% of worldwide turnover.
  • Protection of personal data strengthened and the rights of the individual widened.

Speaking of the rights of the individual, this is where it gets really interesting: there are eight areas where these rights have specifically been bolstered compared with the original EU Data Protection Directive (the legislation being replaced). As individuals, you, me and everybody else in the EU will by law be given certain rights with respect to our personal data. Here are a few examples:

  • The right to be informed - individuals have the right to be informed about the collection and use of their personal data, and organizations must provide information about the purposes for processing that data, the retention periods that apply to it, and who it will be shared with.
  • The right of access - this allows users to receive a copy of their personal data and to check that it is processed lawfully.
  • The right to rectification - enables you to have any incomplete or inaccurate data held about you corrected.
  • The right to erasure - enables you to ask organizations to delete or remove personal data where there is no good reason to continue processing your data.
  • The right to data portability - you can request the transfer of your personal data to you or to a third party.

What does the GDPR mean for Checkout.com and the payments industry?

Payments data, such as your credit or debit card details, your contact details and what you bought, is personal data. Checkout.com provides payments processing and merchant acquiring services to e-commerce merchants. This means that processing personal data is at the core of our operations. To us, privacy is above all else.

At Checkout.com we enhanced our privacy program to follow the new GDPR framework. These are some of the key measures we have taken: 

  • We mapped our data processing activities, including the purpose for processing personal data and detailed descriptions of the activities data processors are conducting on our behalf.
  • We adopted new policies governing data protection, data retention and our response in the event of a data breach.
  • We continuously embed Privacy by Design principles into our product development cycle and internal processes.

We’re entirely committed to ensuring that our personal data processing activities are compliant, with specific attention given to data processing across the EU.

Checkout.com and Privacy by Design

One of the key elements of the GDPR is Privacy by Design. We wanted to share details about how we prepared to implement this element in our operations, as a sample of our approach to the GDPR.

What is Privacy by Design?

Privacy by Design is an approach to operationalizing privacy within systems, products and business processes. At its core, Privacy by Design means promoting user privacy at every stage of product and program development.

At Checkout.com we don’t take this lightly. Privacy by Design is a key pillar of our ongoing GDPR and data protection compliance, as it affects how we improve existing systems and procedures and how we create new ones.

We implemented our Privacy by Design program while following these GDPR principles:

  • Data minimization - personal information must be relevant and limited to what is necessary in relation to the purposes for which it is being processed.
  • Storage limitation - personal information must be kept in a manner which permits identification of data subjects for no longer than is necessary for the purposes for which the personal information is processed.
  • Security and confidentiality - personal information must be processed in a manner that ensures the appropriate level of security.
  • Data subject rights - kept top-of-mind whenever personal data is obtained, shared, amended, deleted or retrieved.

Accountability

Arguably one of the most important aspects of the GDPR is the accountability approach and what it means moving forward. In a nutshell, this principle requires that a data controller be able to demonstrate that all of its processing complies with its data protection policies.

How is Checkout.com accountable under the GDPR?

We have documents in place that outline the technical and organizational measures we have put in place to adhere to the GDPR.

Transparency and collaboration are the cornerstones of our business. From our product to our engineering and sales teams, we have worked together to ensure that the changes the GDPR brings are reflected in daily activities and are communicated effectively, not just externally but also internally within our business.

Our new Privacy Policy is another way to learn a bit more about our approach to personal data and how we apply the GDPR to payments.

What happens next?

25 May 2018 signifies a new beginning. The GDPR is not a one-off piece of legislation. Instead, it is about continuous improvement and respecting the privacy rights of individuals across all business sectors. At the end of the day, the GDPR is vital given the digital era we live in and the importance of privacy and of our rights when it comes to our data.

As promised, below is an infographic with seven essential GDPR facts:

If you would like more information about the steps that Checkout.com has taken to prepare for the GDPR, then get in touch with your account manager or another member of the team today.

Written on May 20, 2018 by

Maor Fishman

Legal Counsel and Data Protection Officer