A guide to understanding GDPR implications
Millions of people work, shop and play online every day, leaving behind volumes of data that can include sensitive information. A study by IDC estimates that by 2020 there will be 5,200GB of data for every consumer on earth. In total, that works out at 40 zettabytes, or 57 times more than every grain of sand on every beach.
Regulators have increasingly become concerned with how companies capture, manage and protect the swathes of data they hold on their customers. Within the European Union (EU), these concerns have resulted in the General Data Protection Regulation (GDPR),a new regulation which aims to give consumers greater rights and security over how their data is used.
GDPR is the most comprehensive framework of its kind in the world and will have profound implications not just for businesses operating in the EU,but any that hold data on EU citizens. Companies in breach of GDPR could face severe fines, and with an implementation date of 25 May 2018, time is running out to ensure compliance.
Merchants, which frequently come into contact with sensitive customer information like payment details, will have to be especially ready.
What is GDPR?
GDPR will effectively replace the EU Data Directive, which was established in 1995, during the early days of the internet, but is now considered inadequate to deal with current challenges. This is understandable considering the average smartphone today has 10x more processing power than a PC in 1995,while eCommerce sales are over €500billion a year in Europe alone.3
The new legislation establishes guidelines on how companies should handle customer privacy, store data securely, and respond to security breaches. It also attempts to offer a unified standard of operating across Europe so that companies do not have to deal with several regulatory environments.
For the first time, obligations will be placed on data controllers and data processors. In other words, GDPR will affect not just an organisation (the controller) but also its outsourcing provider (e.g., a cloud computing company, or a third-party payment provider). Previous legislation placed responsibility solely on the controller.
GDPR also addresses the export of personal data outside the EU. The legislation makes it clear that it does not just apply for European companies, but any business processing the data of EU citizens, even if not based in the EU.
GDPR at a glance
- GDPR was adopted in 2016 and will become effective on May 25, 2018
- Applies to businesses in the EU and any company worldwide that holds data on EU citizens
- Applies to data controllers and data processors
- Fines can be up to 4 percent of annual worldwide turnover or €20million, whichever is greater
- Claims can be made by individuals and organisations
Data management, portability and customer rights
At the heart of GDPR are a number of changes to the way that customer data is handled.Under the legislation, customers will have to give explicit permission for companies to hold data about them. But that’s not all, companies must also provide evidence that this consent has been given. One potential implication is that merchants may have to alter their auto-renewal and subscription payment processes.
Companies can no longer store a customer’s personal data simply because it may prove useful in the future, or so they can pass it on to another provider. From now on, the responsibility will be on businesses to justify why they’re retaining customer information, otherwise it may have to beerased.
There’s another important element too, one that has a historical precedent. In 2014, a Spanish property owner who’d had his house repossessed wanted this fact removed from Google searches. He took the case to the European Court of Justice (ECJ) which ruled that Google had to delete those references to him.
GDPR: Key implications for merchants
|Consent||Companies will have to actively get consent to store a customer’s personal data|
|Customer profiling||New restrictions on using data for customer profiling|
|Security and data breaches||Data breaches have to be reported within 72 hours of discovery|
|Data portability||Consumer has right to request transfer of personal data in certain circumstances|
|Data transfer||Prohibitions on transferring data to non-EEA* countries without adequate safeguards
*The EEA includes EU countries and also Iceland, Liechtenstein and Norway. It allows them to be part of the EU’s single market.
|Right to be forgotten||A business must erase an individual’s personal data in certain circumstances|
|Security||Businesses must have security systems that are appropriate to the level of risk|
This quickly became known as the ‘right to be forgotten’ and, following the ECJ case, it has been included in GDPR.
As such, businesses will need to implement new policies on data retention and deletion. According to Catherine Moore, President of J.P. Morgan Merchant Services in Europe, this will mean a new mindset for some firms: “In certain industries, data might be retained forever because a regulator might ask for it. In others, the erasing of data has not been high on the priority list as there’s been no reason for doing it.”
The right to be forgotten is a particular challenge for organisations because of the rich web of information that’s held in databases. Whereas companies may have previously been concerned about how to store and archive information, now the focus is turning to what information is held and how they can access it. For example, a merchant may have to remove someone’s personal information from all of their payment transaction record histories; if they so request.
It’s also important to realise that data does not just mean information held on a database. GDPR makes no distinction between physical and digital data: it could be customer details held on paper, or in old files at a warehouse, for example. This would now have to be made available in the event of a consumer request. Yet a recent survey in the UK by Compuware showed that 71 percent of retailers do not always know where their customer data is stored.
Given that GDPR becomes law in May 2018, merchants should already be looking at how GDPR will have an impact on their procedures. According to William Long, a Partner at law firm Sidley Austin: “If they haven’t started already then it is imperative they begin, due to the volumes of work involved and the potential ramifications for being in breach.”
Under the regulation, firms can face fines of €20million or 4 percent of global revenues, whichever is greater. And that’s just for ‘serious breaches’. Such things as failing to keep proper breach logs, or failing to report a breach within a set timescale, will carry fines of up to €10million or 2 percent of global revenue.
GDPR also allows individuals to make a claim for damages for non-financial loss.Merchants, and third party payment providers, who may unknowingly store credit card details, are frequent targets for attacks by cyber-criminals so they will have to ensure especially tight protocols in this regard. Payment providers may also start offering value-added data protection services as a means of reducing the investment required by merchants, and helping them win more business.
One area that will also be changing is the credit card authentication standard PCI DSS. Although this is unconnected to GDPR, a new standard, PCI DSS 3.2 is set to become operational in February 2018. Companies who implement this standard will be some way to becoming GDPR compliant, at least as far as payments are concerned. For example, multi-factor authentication (MFA) becomes mandatory in PCI DSS 3.2, offering retailers a way of protecting customer personal details.
The emergence of the DPO
One of the ways in which businesses can manage the new regulatory landscape is by appointing a data protection officer (DPO)with company-wide responsibility for ensuring that protection guidelines are followed. Employing a DPO will be mandatory for publicly-owned bodies, companies that regularly and systematically monitor data subjects on a large scale (such as banks or web analytics companies), or firms that handle data of a highly sensitive nature. However, it is a best-practice approach that is relevant for all companies.
Choosing such a person is a crucial part of the process. As Joel Cullin, Head of Legal for J.P. Morgan Merchant Services in Europe says:“The DPO should be an individual who has a significant amount of autonomy within the organisation and is the data protection champion.” This is because compliance with GDPR will depend on many different skills — legal, technical and financial.Appointing an effective DPO will be one way of helping an organisation keep the right side of its duties under GDPR.
A key aspect of preparing for GDPR is understanding that it’s an issue for everyone within the company. Devising a response will require a coordinated approach across the organisation, because one change can have an effect on another department. For example, making changes to consent may entail customers filling in lengthy forms, which may have an effect on online purchases, leading to an increased amount of shopping cart abandonment. So, making changes is not just the responsibility of one department — there’s a need for firms to take a wider view. GDPR could entail huge volumes of work: from amending contracts to make them compliant, changing privacy policies and notices, and altering company procedures to deal with data subject rights.
Merchants are going to have to radically rethink the way they do business. There are obvious ways in which organisations will have to change, e.g., in obtaining customer consent and shifting data retention policies. But there are more subtle changes too: there will need to be a shift in company thinking, to ensure that customer concerns are at the heart of company policy.
GDPR shouldn’t just be thought of as a burden: the organisational changes will mean greater transparency and will also offer more security for customers. Restricting the effectiveness of cyber criminals, and reducing the threat of breach, will be especially advantageous for merchants, which are frequent targets for these attacks. Companies that act quickly and robustly in implementing these changes may also find they will benefit from a greater degree of trust from their customers. By prioritising data security, they are demonstrating a willingness to put customer concerns first, which could result in reputational benefits, especially if the provisions they implement are in advance of what is required by the letter of the law.
In short, implementing GDPR may mean major changes but it should benefit businesses and customers alike. Don’t delay, however, the time for action is now: companies who haven’t started thinking about it, may find it’s already too late.
GDPR: Opportunities for merchants
- Increased trust between companies and their customers
- Protection of enterprise reputation
- Standardisation of processes across the EU
- Better data security and reduced threat of breach
International Data Corporation (IDC), ‘The Digital Universe in 2020: Big Data, Bigger Digital Shadows, and Biggest Growth in the Far East.’ Available at: https://www.emc.com/leadership/digital-universe/2012iview/executive-summary-a-universe-of.htm. Accessed March 2017.
Tech Advisor: “How technology has changed the world in 20 years.” Available at: http://www.techadvisor.co.uk/opinion/windows/how-technology-has-changed-world-in-20-years/. Accessed June 2017.
3eCommerce Europe: “European B2C e-commerce turnover forecast to reach the €500 billion mark this year.”Available at https://www.ecommerce-europe.eu/press-item/european-b2c-e-commerce-turnover-forecast-to-reach-the-e500-billion-mark-this-year/.Accessed June 2017.
Running boom to help Puma recover after slow start
By Emma Thomasson
BERLIN (Reuters) – German sportswear company Puma expects the financial impact from coronavirus lockdowns to last well into the second quarter, but believes global growth in running should help to support a strong improvement after that.
“We clearly see a running boom in the whole world,” Chief Executive Bjorn Gulden told journalists, noting that yoga and other outdoor activities are also doing well. He expects the healthy living trend to continue even after the pandemic.
Gulden said his optimism is underlined by the fact that orders for 2021 are up almost 30% compared to a year ago, with bookings for running products particularly high.
However, there is still uncertainty about when lockdowns in Europe will end, with about half of the stores selling its products currently closed in its home region.
For the full year, Puma expects at least a moderate increase in sales in constant currency, with an upside potential, and a significant improvement for both its operating and net profit compared with 2020.
Shares in Puma were down 2.9% at 1100 GMT.
“The wording on outlook looks softer than we had anticipated, even by Puma’s cautious standards,” said Jefferies analyst James Grzinic.
Gulden noted that a shortage of shipping containers bringing products made in Asia would impact margins, with freight rates likely to double in the next 12 months.
Puma will put a stronger focus on the women’s market in future, Gulden said, creating shoes better modelled to female feet for running and soccer and capitalising on partnerships with celebrities like singer Dua Lipa and model Cara Delevingne.
Gulden admitted Puma had been slow in creating its own app, but it plans to launch one towards the end of the year, further supporting online sales, which grew by 63% in 2020.
Rival Nike in December raised its full-year sales forecast after demand for outdoor sportswear drove an 84% surge in online sales.
Gulden said he is hopeful that the Olympics will go ahead in Japan and the European soccer championship will also take place after both were postponed from 2020.
($1 = 0.8226 euros)
(Reporting by Emma Thomasson; Editing by Mark Potter and Keith Weir)
ExxonMobil to sell some UK, North Sea assets to HitecVision for over $1 billion
(Reuters) – Exxon Mobil Corp said on Wednesday it would sell its non-operating interest in its UK and North Sea exploration and production assets to private-equity fund HitecVision for more than $1 billion.
Exxon has been looking to sell its oil and gas assets since late 2019, seeking to free up cash to focus on a handful of mega-projects.
The deal includes ownership interests in 14 producing fields operated primarily by Shell as well as interests in the associated infrastructure. Exxon could also receive about $300 million in contingent payments based on a potential for increase in commodity prices.
Exxon’s share of production from these fields was about 38,000 barrels of oil equivalent per day in 2019, the company said.
Exxon said it would retain its non-operated share in upstream assets in the southern part of the North Sea as well as its interest in the Shell Esso gas and liquids (SEGAL) infrastructure, which supplies ethane to the company’s Fife ethylene plant.
HitecVision, in partnership with Eni, had bought Exxon’s Norwegian North Sea assets for $4.5 billion in 2019.
Initially, Exxon hoped to raise more than $2 billion from the sale, which was planned for late 2019. In June 2020 sources told Reuters that the portfolio was more likely to fetch $1 to $1.5 billion given the oil price weakness last year.
(Reporting by Arathy S Nair in Bengaluru; Editing by Anil D’Silva)
JPMorgan’s blockchain payments test is literally out of this world
By Anna Irrera
LONDON (Reuters) – Stuck in space with bills to pay? Don’t worry, the satellites could take care of it.
JPMorgan Chase & Co has recently tested blockchain payments between satellites orbiting the earth, executives at the bank told Reuters, showing that digital devices could use the technology behind virtual currencies for transactions.
The so-called Internet of Things (IoT), where devices connect to one another, is most associated with consumer electronics, including smart speakers like Amazon Echo and Google Home, and banks want to be ready to process payments when these smart devices start doing transactions autonomously.Umar Farooq, the CEO of JPMorgan’s blockchain business Onyx, thought space was a cool place to try it out.
“The idea was to explore IoT payments in a fully decentralised way,” Farooq said. “Nowhere is more decentralised and detached from earth than space.”
“Secondly we are nerdy and it was a much more fun way to test IoT,” he said.
To run the space experiment, the bank’s blockchain team did not send its own satellites into space, but worked with Danish company GOMspace, which allows third parties to run software on its satellites.
Farooq said the satellite test showed blockchain networks could power transactions between every day objects.
The test also showed it could be possible to create a marketplace where satellites send each other data in exchange for payments, as more private companies launch their own devices into space, Tyrone Lobban, head of blockchain launch, at Onyx said.
Back on earth, examples of IoT payments that could become a reality sooner include a smart fridge ordering and paying for milk on an ecommerce site, or a self-driving car paying for gas Farooq said.
Blockchain, which first emerged as the software underpinning cryptocurrencies, is a shared digital ledger of transactions. Financial companies have invested millions of dollars to find uses for the technology hoping it can reduce costs and simplify more complex IT processes, such as securities settlement or international payments.
But so far, blockchain has yet to have widespread impact in financial services.
JPMorgan has been one of the most active banks in blockchain, announcing it had created its own distributed ledger called Quorum in 2016, which was sold to blockchain company Consensys last year. The bank also developed a digital coin called JPM Coin and in 2020 created Onyx.
Onyx has more than 100 employees and its blockchain applications are close to generating revenues for the bank, it said.
Among the division’s applications is Liink, a payments information network involving more than 400 banks, a project to replace paper checks and IoT experiments, Farooq said.
(Reporting by Anna Irrera. Editing by Jane Merriman)
Analysis: Central banks say no tapering. Markets aren’t buying it
By Sujata Rao and Dhara Ranasinghe LONDON (Reuters) – Central bankers worldwide have been unequivocal: There are no plans to...
OPEC+ to weigh modest oil output boost at meeting – sources
By Ahmad Ghaddar, Alex Lawler and Olesya Astakhova LONDON/MOSCOW (Reuters) – OPEC+ oil producers will discuss a modest easing of...
Energy, bank stocks drive FTSE 100 higher
By Shivani Kumaresan and Amal S (Reuters) – Britain’s main stock index recouped early losses to end Wednesday higher, as...
European shares end higher on upbeat German data
By Shashank Nayar and Ambar Warrick (Reuters) – European shares rose on Wednesday as sectors primed to benefit from economic...
Dollar struggles as Powell stays dovish course; pound, loonie soar
By Kate Duguid NEW YORK (Reuters) – The dollar struggled on Wednesday morning as dovish testimony from Fed Chair Jerome...
Running boom to help Puma recover after slow start
By Emma Thomasson BERLIN (Reuters) – German sportswear company Puma expects the financial impact from coronavirus lockdowns to last well...
Reasons Why You Should Be Opening an Offshore Savings Account Today
No one has to convince you that savings accounts are a bad idea. As a safe investment, this approach is...
Vodafone’s towers arm plans biggest European IPO of 2021 so far
By Paul Sandle and Arno Schuetze LONDON/FRANKFURT (Reuters) – Vantage Towers, the mobile masts company spun out of Vodafone Group,...
UK’s Sunak to build bridge to recovery with more spending
By William Schomberg LONDON (Reuters) – British finance minister Rishi Sunak will next week promise yet more spending to prop...
Oil rises despite surprise U.S. stock build weighs
By Ahmad Ghaddar LONDON (Reuters) – Oil prices firmed on Wednesday amid continued outages in the United States and a...