Procrastination is no longer an option. Time to comply with the massive General Data Protection Regulation for businesses that collect data about European Union consumers has run out. And with the regulation going into effect Friday, many U.S. payments companies have found they, too, have had to change their data-collection and notification protocols.
What is GDPR? It’s a new law that affects companies conducting business in the 28 nations that make up the EU. Any business, regardless of size, that collects personal data relating to EU individuals must comply or face penalties of as much as 4% of a company’s worldwide annual revenue or 20 million euros (currently $23.4 million), whichever is higher.
Among the regulation’s provisions are mandatory breach notification, a right to access personal data held by companies, a right of individuals to have their personal data removed at their requests, and the right to move their personal data from one entity to another. GDPR also may require some companies to appoint a data protection officer.
“The GDPR applies to any global company that processes data of EU citizens. This means that U.S. payments companies that process personal data of EU citizens have to fully comply with the GDPR,” Ron Van Wezel, senior analyst at Aite Group LLC, tells Digital Transactions News via email.
For example, processor Elavon Inc., a unit of U.S. Bancorp, appointed a data protection officer based in Ireland for its operations there. In its email messages, Elavon added a function that, when the unsubscribe button is clicked, triggers a “Do Not Promote” flag on its system.
Indeed, some 92% of companies surveyed in a GDPR research report from McDermott Will & Emery LLP and the Ponemon Institute LLP said they have appointed a data protection officer. The same report, released in April, said the average annual budget per company for GDPR compliance is $13 million. Financial-services companies, at 63.2%, reported the highest expected compliance rate.
Clearly, payments companies with European operations have no choice but to comply. What about companies without consumers as customers, just business clients?
“This is a tricky issue,” Van Wezel says. “The GDPR applies to the processing of personal data only, not corporate data, but that doesn’t mean that B2B business is completely exempt from the GDPR. For instance, B2B marketing may use a business address that identifies a natural person.”
Some guidance from the United Kingdom’s Information Commissioner’s Office may help, he suggests. That organization says the GDPR does apply to business-to-business marketing.
What about U.S. payments companies that receive incidental inquiries from EU individuals whom they do not actively solicit? Van Wezel says that if the individuals are targeted, as when a company sells goods or services to EU citizens, or profiled, as when profiles built from an individual’s Internet behavior are used for decision-making or predictive analytics, then the U.S. company would be subject to the GDPR. In other cases, where, for example, a customer uses a credit card on a U.S. Web site without having been solicited to do so, the GDPR would not apply, he says.
“The principles of the GDPR constitute good business practice, and EU companies that work globally should consider ‘following the GDPR’ also outside of their EU operations,” Van Wezel says. “The added benefit is that they are then also better prepared for future changes in regulation in other jurisdictions, which are expected to follow the GDPR’s guidance.”
GDPR compliance may help companies hedge against future changes, he says. “Global companies are already hedging themselves by self-regulation, implementing data privacy and open-banking policies even for regions that have less strict legislation. Data broker Acxiom, for instance, provides U.S. consumers with full transparency of the data that the company has on them and lets them make changes or opt out.”