With just over two months until the GDPR deadline, here is a brief overview of how we’ve been going about things. Look out for our ‘top 10 tips’ on GDPR, available here next week, along with some considerations for what you might need to do.
The GDPR enters into law on 25th May, 2018 and Paysafe has a regulatory programme in place to manage compliance with this new law.
Initially, we carried out a risk analysis across relevant business areas by way of a gap analysis, assessing Paysafe’s GDPR readiness and designing an appropriate compliance programme to address any gaps. This programme has been independently assessed by a ‘big four’ consultancy as part of our wider programme assurance. We have also developed a very strong internal governance framework to ensure the necessary oversight and decision-making are in place up to and including board level. We feel this is crucial for success and for ensuring effective buy-in and oversight.
Paysafe has a separate team in place to deliver its GDPR Programme. In addition to our existing Group Privacy team, this team’s sole focus is to help Paysafe implement the GDPR Programme, under an experienced Programme Leader who reports to our Group Privacy Officer.
We’re reviewing all business relationships with suppliers, merchants, other partners or affiliates, and customers to ensure alignment with GDPR. It’s a big job! If any changes are necessary or appropriate to meet GDPR requirements, we are getting in touch with them.
Do you need to do anything?
Well, of course, you need to ensure that your own organisation is also working towards GDPR implementation, to the extent you fall within its scope: i.e. you are a Processor or Controller established in the EU and processing the personal data of EU citizens, or, if based outside the EU, you are offering goods and services aimed at EU citizens and/or monitoring their behaviour within the EU (e.g. using cookies or similar technology to track or profile them). GDPR therefore differs from existing European laws in that it has extra-territorial effect.
We all know the fines are potentially huge under GDPR (the higher of up to 4% of annual global turnover or EUR 20 million), although a potentially greater risk is that of being prohibited from processing your database, not being able to market to it, or being prohibited from transferring data internationally.
Don’t overlook the risk of consumer litigation or claims. Non-profit organisations such as Which? can now promote and manage consumer claims. GDPR allows a type of ‘quasi class action’, where offending organisations could find themselves paying large sums to settle thousands of claims for, say, misuse of data.
If you’re not sure about your own GDPR compliance, here is an excellent guide to GDPR provided by the law firm Baker McKenzie. It provides commentary and guidance across most areas of GDPR, as well as a good initial overview.
We also released a whitepaper which explores the trifecta of legislation that will fundamentally change the face of digital commerce and payments in 2018. Download it here.
The UK’s national Data Protection Authority is the Information Commissioner’s Office, which provides a GDPR Checklist for both Processors and Controllers that you might wish to cross-check against. Click here to access their GDPR Guide.