Andy Mellor, Product Manager, The Logic Group
The new General Data Protection Regulation (GDPR) will be the most comprehensive shake up of data protection laws in 20 years. A touch dramatic, sure, but no less true for it.
It’s fair to assume that you are already aware of the GDPR, but it bears repeating: GDPR updates the existing data protection framework across all EU markets to better reflect the modern digital landscape. It replaces a patchwork of national laws with a single regulation, so that compliance for businesses is simplified while a consistent level of privacy is guaranteed for all EU citizens. When GDPR becomes enforceable in May 2018, all data on identifiable individuals (with some limited exceptions) will fall within its scope. This includes everything from email addresses to transaction history. Any company processing personal data on EU subjects, whether it is based in Europe or not, is subject to it. By safeguarding the privacy of its citizens, Europe is entering a stricter, more complicated era in which the risk of collecting personal data reflects the value of that data much more closely.
So to the punishments: non-compliance fines are up to 4% of a company’s annual global turnover (or €20 million, whichever is higher), with non-financial obligations also in place that require reporting of any breaches ‘without undue delay’. Implementation of GDPR is just around the corner; those who react now will be able to reap the benefits of the data they collect. Those who don’t will pay a heavy price financially and will also suffer potentially irreparable reputational damage.
The challenges for merchants
Data breaches have unfortunately become an everyday risk for business. With GDPR adopted in spring 2016, merchants need to make sure they have the right solutions in place: solutions that allow them to store and analyse large amounts of data in real time without compromising the security of customer data.
Retailers must now be meticulous when it comes to data management. When the regulation becomes enforceable in 2018, organisations must implement strong data governance policies that impose limits on how long retailers are able to retain data. Data must then be reviewed at the end of that period and erased if there are no legitimate grounds for keeping it. The regulation has also given far more power to individuals, giving them greater access to their data, as well as the right to know how their data is being processed.
GDPR also imposes stringent breach reporting obligations: companies will have to notify the national supervisory authority in the event of a personal data breach (within 72 hours of becoming aware of it, where feasible) so that they and the affected individuals can take appropriate measures. These reporting obligations also mean that organisations must have effective monitoring frameworks in place, both to detect breaches in the first place and to assess and improve their processes.
There is more at stake for merchants than ever before. They understand the value of the data they are collecting and are busy trying to figure out what they can do to unlock that value. This alone is a tough enough job without the added pressure GDPR is placing on them. The problem is that many don’t have the tools, skills or experience to process, manage and handle the increased volumes of data generated from payments. As such, they will need to move from legacy payment infrastructures to modern payment systems capable of handling the rigorous demands placed upon them by the new data laws, and focus on making that data work for them.
Technology to protect your data
Merchants have to collect this data or risk being left behind, as it offers a rich seam of information that can deliver critical insights into customer buying behaviour. So what can they do to mitigate the risk that comes with it? Thankfully, a few things. There are technologies that allow merchants to collect actionable customer data while keeping it secure as they work towards GDPR compliance.
One such technology is tokenisation. Tokenisation is a security technique already widely used in the payment industry to protect card data captured at the point of sale. Rather than encrypting the card number, it replaces it with a surrogate value, or ‘token’, at the time the transaction is processed; the real card number is held only in a tightly controlled token vault, and the mapping between the two is a lookup, not a mathematical relationship. The token therefore has no extrinsic or exploitable meaning to an attacker: if a merchant’s transaction database is breached, the sensitive data elements have already been replaced with non-sensitive equivalents, so the customer’s card details are not exposed. Extending the same control to other personal data would increase protection in the event of a breach in just the same way. Crucially for the merchant, because the same card always maps to the same token, the token still supports the behavioural analysis that is essential to optimising the business, without the analytics systems ever handling the card number itself.
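To make the properties described above concrete, here is an added example of a minimal vault-based tokeniser in Python. It is illustrative code written for this article, not the product or code of The Logic Group or of any payment processor; the class and function names, the role check, and the sample transactions are all assumptions made for the example. It shows that the token is generated at random (no key, no relationship to the card number), that the same card number always yields the same token so spend can still be analysed per customer, and that a leaked transaction log contains no usable card numbers.

```python
import secrets
from collections import defaultdict


def luhn_valid(number: str) -> bool:
    """Luhn check used by card schemes; real PANs pass it."""
    digits = [int(d) for d in number]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only place the real PAN is stored.

    Tokens are random surrogates, not ciphertext: there is no key that
    turns a token back into a PAN, only this lookup table.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        # Deterministic per card: the same PAN always gets the same token,
        # which is what lets the merchant link purchases to one customer.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Keep the last four digits (for receipts), randomise the rest.
            candidate = "".join(secrets.choice("0123456789")
                                for _ in range(len(pan) - 4)) + pan[-4:]
            # Design choice for this example: reject candidates that would
            # pass the Luhn check, so a token can never be mistaken for,
            # or accidentally used as, a real card number.
            if (candidate != pan and candidate not in self._token_to_pan
                    and not luhn_valid(candidate)):
                break
        self._pan_to_token[pan] = candidate
        self._token_to_pan[candidate] = pan
        return candidate

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the component that talks to the acquirer needs the real PAN;
        # analytics, CRM and reporting never get past this check.
        if caller_role != "payments-service":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def spend_by_customer(transactions: list[dict]) -> dict[str, int]:
    """Behavioural analysis over tokens only; no PAN is ever touched."""
    totals: dict[str, int] = defaultdict(int)
    for tx in transactions:
        totals[tx["token"]] += tx["amount_pence"]
    return dict(totals)


def exposed_pans(transactions: list[dict]) -> list[str]:
    """What an attacker who steals the transaction log could use as a
    card number: anything that passes the Luhn check."""
    return [tx["token"] for tx in transactions if luhn_valid(tx["token"])]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample data: two purchases on one test card, one on another.
    sales = [("4111111111111111", 1999), ("4111111111111111", 550),
             ("5555555555554444", 1200)]
    log = [{"token": vault.tokenize(pan), "amount_pence": amt}
           for pan, amt in sales]
    print("per-customer spend:", spend_by_customer(log))
    print("PANs recoverable from a stolen log:", exposed_pans(log))
    print("acquirer view:", vault.detokenize(log[0]["token"], "payments-service"))
```

The point of the role check on `detokenize` is scope reduction: only the payments service is in scope for the card data, while the analytics path works entirely on tokens. The retention limits discussed above then apply to the vault alone, which is a far smaller and better-controlled store than every system that has ever seen a card number.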
With GDPR now adopted by the European Parliament, the rapid countdown to enforcement in 2018 has begun, meaning the whole market needs to react to this regulation in the EU now. The consumer experience relies on data, and consequently on trust, more now than ever before. Smart retailers are following the guidance from the ICO (the UK’s independent authority set up to uphold information rights in the public interest), educating themselves, and reviewing and planning updated data-led solutions as a matter of urgency. Those who understand where the responsibility lies are likely to gain an advantage; those who don’t risk serious fines and reputational damage.