
What is the GDPR (General Data Protection Regulation)?

In an age when digital security breaches seem to be the order of the day, affected entities are taking strong action to prevent them and to minimize their consequences. To that end, on April 14, 2016, the European Parliament approved the General Data Protection Regulation (GDPR, a set of requirements replacing the EU Data Protection Directive of 1995). The new law went into effect on May 25, 2018, and focuses on enhanced business transparency and bolstered consumer privacy rights. If you accept international payments now or are considering expanding internationally, you need to learn about the GDPR and how it affects your company.

GDPR’s purpose.

These requirements were set forth to safeguard consumers and the data that refers to them, while ensuring that companies and other organizations that collect this information do so in a responsible way. The GDPR also covers the storage of this information, mandating that these consumer details be protected against “unauthorized or unlawful processing, and against accidental loss, destruction or damage.” Finally, the regulation stipulates that data only be gathered for a specific, legitimate purpose and not be employed in any other manner.

Specifically, the GDPR states that a company cannot process someone’s information unless it meets one of the following six conditions.

  • The company has the subject’s express consent.
  • Processing the information is essential to perform a contract with the subject or to enter into a contract with them.
  • Processing is necessary to come into compliance with a legal obligation.
  • Processing must be done in order to protect the subject’s vital interests or those of another person.
  • Processing is necessary in order to carry out a task that is in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary to fulfill the interests of the controller or a third party except where these interests are superseded by those of the data subject.

Any company that processes data or monitors subjects on a large scale is required to appoint a Data Protection Officer (DPO) who is responsible for data governance and for ensuring that the entity is in compliance with the GDPR. Failure to comply could result in legal action or a fine of up to 20 million euros ($24.26 million) or 4% of annual global turnover.

Data covered by GDPR.

Before any entity can use someone’s personal data, they must obtain the individual’s permission. Personal data for a particular subject includes the following details.

  • Name.
  • Identification number.
  • Location data.
  • Any information that is specific to “the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
  • Data referring to someone’s health or healthcare.
  • Racial or ethnic details.
  • Union membership.
  • Details about political affiliations or religious beliefs.

In real terms, personal information can even extend to photos, email addresses, social media posts, biometric data, IP addresses, or bank account numbers.

The underpinnings of the GDPR.

There are seven principles that serve as the foundation of the GDPR.

  • Lawfulness, fairness, and transparency. The subject must always be informed as to how their data will be used.
  • Purpose limitation. Information can only be gathered and stored for specific purposes.
  • Data minimization. Only the data necessary for the specific processing purpose should be collected and nothing more.
  • Accuracy. Organizations must ensure that all of the information they collect and store is accurate and kept up-to-date. If the subject requests that their data be deleted or changed, the organization must comply.
  • Storage limitation. The data will only be retained until it is no longer needed.
  • Integrity and confidentiality. The company must keep all information secure and protected from compromise.
  • Compliance assurance. Companies are responsible for remaining in compliance with GDPR stipulations.

These principles are designed to uphold the following rights, which every subject has.

  • The right to be forgotten if they no longer want the company to have their data. This is true unless the company has a legal basis to refuse the request.
  • The right of access. The subject can review their stored information at any time.
  • The right to object. The subject can refuse or withdraw permission for a company to use their data unless the company can show that processing is legally necessary. In that case, they must inform the subject as to why their data is still being used.
  • The right to rectification. The company is responsible for correcting any information that is inaccurate.
  • The right of portability. Subjects can access and transfer their information at any time.

Who does GDPR affect?

Any organization that collects data pertaining to citizens of an EU member state must comply with the GDPR. That includes companies headquartered outside the EU. The regulations apply regardless of how the data is collected.

Breach notifications.

Even when companies employ strict anti-fraud measures and strategies to ensure secure credit card processing, there are times when cybercrimes still occur. Within 72 hours of a security incident that affects the stored data of EU citizens, the company’s data controller must notify the supervisory authority that has been designated by the particular EU country to oversee GDPR compliance. If notification does not occur within that time frame, the controller must explain the reason for the delay. In addition, the following rules apply.

  • Notifications must include details about the nature of the breach, the types of information that might be compromised, and the number of affected records.
  • Any possible consequences the breach has caused should be described as well as what the company is doing to rectify them.
  • Victims must be notified directly.
  • The data controller must document the breach and the remedies that have been put in place, sending this information to the supervisory authority for verification.

GDPR compliance.

If you currently do business with customers in the EU or plan to do so in the future, the following best practices should be built into your infrastructure.

  • Never collect a customer’s data without their permission.
  • Don’t collect anything more than you need. Remember that you are responsible for all information you gather.
  • Don’t share data unless the subject and supervisory authorities have agreed.
  • Encrypt all personal data you collect, store, or transmit.
  • Keep at least two up-to-date, secure copies of all data at two separate off-site locations.
  • Possess tools that allow you to easily update or delete any data you store.

The GDPR was put in place to safeguard data and protect consumers. However, it also provides a strong set of rules that safeguard you as a merchant doing business in the EU. Complying with all of its instructions is both a necessity and a long-term benefit for you and your customers.
