Written by: Peter Cooper, Information Security Specialist, Adyen
With over 20 years working in infrastructure, security, IT systems, and processes, Peter has a broad experience of information security. No day is typical. It may involve security engineering and analysis work, strategic planning sessions with board members, or leading compliance task-force projects and presenting to regulators.
There’s a lot of buzz around the new General Data Protection Regulation (GDPR) at the moment. I’ve received many queries from businesses who are worried about the impending deadline and are unsure of the steps they should be taking in relation to their payment data.
This article will clarify the situation and help you understand:
What GDPR is and why it’s good news for businesses
What GDPR means for payments data (and how this differs from marketing data)
Consumer rights, and how to comply
The steps to take leading up to (and beyond) May 25
Privacy by design and privacy by default
The European Commission summarizes GDPR as: Privacy by design and privacy by default. This means that any action that involves processing personal data must be done with data protection and privacy built into every step. Once a product or service has been released, the strictest privacy settings must apply by default.
It’s about respect for people. This is nothing new; it’s simply an evolution of regulations already in place to protect consumer privacy.
At Adyen, it’s an issue we’ve been talking about since my first day; it’s in our DNA, and these new regulations will have little impact on how we operate internally. That should be a relief for our customers who care about their own customers’ privacy.
Simplifying cross-border business
The EU has historically had this ideal around protecting people’s personal data. GDPR is simply standardizing existing best practices across multiple countries. This will make sure that the data protection is the same across all markets in the EU and that consumer data rights are consistently enforceable by law.
From a business perspective, it will make things more consistent, with clearer guidance and less cross-border confusion. You won’t have to worry how different France is from Germany or that rights in Spain are different from rights in the Netherlands.
It’s also great for non-EU businesses selling to European consumers. You’ll be able to see how EU law maps onto your own laws and identify the equivalent provisions, which simplifies things still further.
What GDPR means for payments data
The legal basis for processing payment data can be different from the basis for processing marketing data. When you market to people, you need to get their consent. That’s pretty straightforward. But for payments, is it consent? Or is it something else?
Performance of a contract
There are a number of other grounds on which you can legally process data under GDPR. When it comes to payment data, the obvious one is the performance of a contract, i.e. I need this information so I can provide you with the goods or service you’ve requested.
The interesting thing about performance of a contract as a basis for processing data, is that it’s not dependent on continued consent if the use of the data is required for the product or service’s lifecycle (such as subscriptions, warranties or credit card chargebacks). You still can’t use this data for any other purpose. But it’s much easier to prove you’re providing a good or service than proving that you have consent or dealing with consent withdrawals.
Dealing with consumer rights
GDPR categorizes the data roles as follows:
The data subject: The consumer
The data controller: The business (that’s you)
The data processor: A third party processor instructed by the data controller (for example, Adyen)
As data controller, you’re responsible for the relationship with the data subject. You may instruct a third party (like Adyen) to process the data but it’s your job to set the purpose (or objectives) and legal basis for the processing.
All third parties have to abide by the terms agreed between the data controller and the data subject. To be sure of this, the data controller must have a Data Processing Agreement (DPA) with each one. Our DPA has been designed to protect you; it’s strongly aligned with payment transactions, so it demonstrates that you’re compliant with GDPR (at least from a payments perspective).
Data Subject Rights
There are some interesting details around Data Subject Rights which have been established under law, especially when it comes to payment data.
The Right of Access
Data subjects have the right to access all data a business holds about them at any time. This includes payment data, and a question I get a lot is:
What do I do if a customer demands to see their data?
As a data processor, we’re under a legal obligation to assist the data controller in providing this information. We’ve made the procedure as simple as possible: just contact our support team and provide a ‘PSP reference’.
One thing to bear in mind is that there’s a big risk around Data Subject Rights requests: they can be used for fraud. You have to be careful to authenticate the customer before providing the information. You don’t want an identity thief to exploit your process in order to steal consumer information.
The Right to be Forgotten – what data you can (and can’t) delete
Another important Data Subject Right is the Right to be Forgotten. In a marketing context, this means deleting every record of the consumer and never contacting them again. This is straightforward. But it’s not so clear-cut when it comes to payment data, and there are situations when certain data can’t be revoked.
For example, in a product sales scenario where statutory warranties are in place, there’s a chargeback period of up to 3.5 years for some card brands. Or, if your customer has an annual subscription which hasn’t been cancelled, you need to keep the data in order to continue billing.
It could be that your customer asks to be forgotten because they’re sick of marketing emails. Good customer service means listening to your customer, asking questions, and resolving the issue. This might just be to take them off your marketing mailing list.
It’s up to you to explain what information can be deleted, and which must be held for a certain period of time for compliance reasons. But we’re here to help. We’ll assess the request against the performance of a contract requirements (and other obligations we have as a financial institution). And we’ll make sure this is provided within the timeframes dictated by GDPR.
Preparing for 25th May – and beyond
GDPR is not a sprint, it’s a marathon. And it’s not over on 25th May.
Regulators will be looking at companies over time, so you need to start preparing now if you haven’t already. The first steps I’d suggest are:
Make sure you have DPAs with all your suppliers. This is critical for compliance.
Think very carefully about your privacy policies and your legal basis for processing data.
Start with these small steps and fill in the gaps from there. You must be able to demonstrate that you’re taking GDPR seriously and are proactively working to comply with the new guidelines.
Of course, it’s early days, and the regulations will become more clearly defined as GDPR is put into practice. 25th May will be just the beginning. But ultimately, I think it’s important to remember that GDPR is the impetus to do the right thing. As a consumer myself, I really value it, and your customers will too.