If you saw our recent trade show recap, or attended the shows yourself, you know that the EU General Data Protection Regulation (GDPR) was a hot topic. As well it should be – the GDPR goes into effect May 25th of this year and will impact the way EU merchants, and all businesses that process EU customer data, do business going forward.
Segpay has been reviewing all of the GDPR’s requirements so that we are in compliance by May, and wanted to post this reminder, along with a brief overview of the new regulation, as the deadline approaches.
The GDPR enhances data and privacy protection for individuals in the EU who share their data when transacting business online. It allows individuals to know which data about them is being collected, and what the companies storing their data are doing to protect it.
The new regulation replaces the Data Protection Directive (DPD), in place since the 1990s, to provide one over-arching set of rules governing anyone selling to customers in the EU – not just businesses physically located there.
Here are a few highlights of the GDPR:
Opt-ins for marketing or sales-targeting. If you target ads or marketing material to individuals in the EU, you must obtain consent from the individual being targeted. Your text asking for consent should be unambiguous and understandable, and individuals must explicitly opt-in to be targeted (opt-out should be the default setting). To target children under 16, consent must be obtained from parents.
The right to be forgotten is another key feature of the GDPR. It means you must have mechanisms in place to erase an individual’s data when he or she asks for it to be erased. You must also be capable of providing individuals with access to their data if they request it, along with the ability for them to transfer their data to another provider if they wish.
Notifications in the event of a data breach will be required, under most circumstances.
The GDPR also requires companies to update their documentation for privacy and other policies governing how they collect, store and protect their customer data. Penalties for non-compliance with the GDPR can be pretty steep. Here is an overview of the fines for specific violations.
This was meant to be a very brief overview of the GDPR, intended to remind you about the deadline and re-acquaint you with some of the key parts of the law. Work with your legal counsel to finalize your compliance plan.
If you have questions about payment-related data that we can help with, we’re happy to talk with you. In the meantime, we’ve added a couple of links below to more comprehensive articles covering the GDPR.