General Data Protection Regulation (GDPR) has been around for a while now. But many businesses are still unsure of the steps they should be taking in relation to their payment data. This article will help you understand:
What GDPR is and why it’s good for businesses
What GDPR means for payment data (and how this differs from marketing data)
Consumer rights and how to comply
Privacy by design and privacy by default
The European Commission explains GDPR as: Privacy by design and privacy by default. This means that any action that involves processing personal data must be done with data protection and privacy built into every step. Once a product or service has been released, the strictest privacy settings must apply by default.
Ultimately, GDPR is about respect for people and was created to protect consumer privacy and customer data.
How GDPR simplifies cross-border business
In the EU, standards around protecting people’s personal data have always been high. GDPR standardised best practices in personal data protection across multiple countries. So data protection is now the same across all markets in the EU and customer data rights are consistently enforceable by law.
From a business perspective, this makes things more consistent, with clear guidance and less cross-border confusion. You won’t have to worry how different France is from Germany or that rights in Spain are different from rights in the Netherlands.
It’s also great for non-EU businesses selling to European consumers. You can identify how EU law matches your own local laws and identify equivalent laws, which helps keeps things simple.
What GDPR means for payment data
The legal basis for processing payment data can be different from processing marketing data. When you market to people, you need to get their consent. That’s pretty straightforward. But for payments, is it consent? Or is it something else?
Performance of a contract
There are several instances in which you can legally process data under GDPR. When it comes to payments, the obvious reason is the ‘performance of a contract’. For example: I need this information so I can provide you with the goods/service you’ve requested.
‘Performance of a contract’ doesn’t require the customer to repeatedly give consent to process their data. But the data can only be processed in accordance with an ongoing agreement (like a subscription service).
Dealing with consumer rights
GDPR categorises the data roles as follows:
The data subject: The consumer
The data controller: The business
The data processer: A third party processor instructed by the data controller (i.e. Adyen)
As a data controller, you’re responsible for the relationship with the data subject. You may instruct a third party (like Adyen) to process the data but it’s your job to set the purpose (or objectives) and legal basis for the processing.
All third parties have to abide by the terms agreed by the data controller and the data subject. To be sure of this, the data controller must have Data Processing Agreements (DPA) with each one. Our DPA has been designed to protect you; it’s strongly aligned with payment processing so it proves you’re compliant with GDPR (from a payment perspective).
Data Subject Rights
There are some important details to undersatnd about Data Subject Rights, especially when it comes to payment data.
The Right of Access
Data subjects have the right to access all data a business holds about them at any time. This includes payment data, and a question we get a lot is: What do I do if a customer demands to see their personal data?
As a data processor, we’re under a legal obligation to assist the data controller to provide this information. We’ve made the procedure as simple as possible; just contact oursupport teamand provide a ‘PSP reference’.
One thing to bear in mind is that there’s a big risk around Data Subject Right Requests: They can be used for fraud. So you have to be careful to authenticate the customer before providing the information.
The Right to be Forgotten – what data you can (and can’t) delete
Another important Data Subject Right is the Right to be Forgotten. In a marketing context, this means deleting every record of the consumer and never contacting them again. But it’s not so clear-cut when it comes to payment data and there are situations when certain data can’t be revoked.
For example, in a product sales scenario where there are statutory warranties in place, there’s a chargeback period of up to 3.5 years for some card brands. Or, if your customer has an annual subscription that hasn’t been cancelled, you need to keep the customer data in order to continue billing.
It could be that your customer asks to be forgotten because they’re sick of marketing emails. Good customer service means listening to your customer, asking questions, and resolving the issue. This might just be to take them off your marketing mailing list.
It’s up to you to explain what information can be deleted and which must be held for a certain period of time for compliance reasons. But we’re here to help. We’ll assess the request against the 'performance of a contract' requirements and other obligations we have as a financial institution. We’ll make sure all valid information is provided within the timeframes dictated by GDPR.
GDPR is not a sprint, it’s a marathon. Regulators look at companies over time, so you always need to be prepared. Here are two important things to get right:
Make sure you have DPAs with all your suppliers. This is critical for compliance.
Think very carefully about your privacy policies and your legal basis for processing data.
You must be able to demonstrate that you’re taking GDPR seriously and are proactively working to comply with all the data protection guidelines. Ultimately, it’s important to remember that GDPR is the impetus to do the right thing and your consumers really value it.
If you would like to receive a DPA from Adyen, please fill outthis formand we'll send it out to you. For any other questions about GDPR, please contact your Account Manager orsales support.