The Green Sheet

Friday, May 18, 2018

GDPR rules will affect U.S. merchants, experts say

On May 25, 2018, the European Union will instate the General Data Protection Regulation (GDPR) protections designed to help European citizens manage their digital destinies. The laws enable consumers to control how companies use, market and store their personal data. European consumers can exercise their “right to be forgotten” by asking companies to delete their personal information. Analysts expect the guidelines to impact any business that transacts with European citizens online, in their countries of origin and in their travels around the world.

Gary Glover, vice president of assessments at SecurityMetrics, said supervisory authorities (SAs) will enforce the GDPR and issue non-compliance fines. SA oversight will extend to companies that process European citizens’ personal data, including cloud-storage services, universities, hospitals and merchants outside the EU’s footprint. “Companies need to ask, ‘Do I have any data from any subject in the EU anywhere in my system?’” Glover stated.

Glover advised against thinking of GDPR as a set of requirements for an audit. “This process is inherently different from Payment Card Industry Data Security Standard (PCI DSS) compliance, which is prescriptive and security-centric,” he said. “GDPR requires companies to have more control around the management of personal information, with procedures in place to automatically or manually remove it when necessary.”

Work in progress

The EU took four years to develop the GDPR before it was approved by the EU parliament on April 14, 2016, Glover noted. The GDPR will apply to all EU member states on May 25, 2018. While it is unclear which types of companies will be targeted by SAs, Glover encouraged merchants and service providers to be aware of the GDPR’s key requirements, which include the following:

  • Breach notification: Data controllers must report personal data breaches within 72 hours.

  • Consent: Organizations must obtain consent from individuals for processing personal data.

  • Data Protection Officers (DPOs): Enterprise organizations must appoint DPOs to process high volumes of personal data and special categories of personal data.

  • Data subject access requests (DSAR): Organizations must comply with DSAR within one month.

  • Privacy by design: Privacy-by-design concepts apply when developing products, systems and processes.

  • Privacy Impact Assessments (PIAs): PIAs must be carried out in certain situations.

  • Privacy notices: Privacy notices must be transparent and accessible and use clear and plain language.

  • Profiling: An individual has the right to not be subjected to profiling and must consent to profiling used for marketing purposes.

  • Record keeping: Each data controller must keep a record of processing activities.

  • Right to portability: Users may request a copy of personal data in a portable format.

  • Right to erasure: Data subjects have the right to request that their data be deleted.

  • Right to object: Individuals have the right to opt out of direct marketing.

Knowing their organization type and responsibilities will also help companies achieve compliance, Glover said. “Different rules apply to different business types,” he added. “Entities that process personal data as part of doing business are considered data controllers; companies that process the data on behalf of controllers are considered data processors.”

Glover expects the GDPR to remain a work in progress for the foreseeable future but encouraged companies to get started on the path toward compliance. “Begin by using advanced data mapping and filtering to find the data,” he said. “Then ask, ‘What is my reason for keeping and using this data?’ We’ll need a generation of lawyers to help us implement these guidelines.”

Big data, big penalties

The GDPR replaces the Data Protection Directive (95/46/EC) of 1995, established before widescale data mining transformed the global marketplace. Legal analysts expect the new measures to target companies like Amazon Inc., Apple Inc., Google and Facebook – companies the EU has criticized for violating antitrust laws and failing to protect consumer privacy.

In June 2017, the EU fined Google 2.4 billion euros for dominating online search, claiming it prevented other companies from achieving market share. Analysts have said the case reflects inherent differences between American capitalism and European hegemony. In 2016, EU antitrust chief Margrethe Vestager demanded Apple repay $14.5 billion in back taxes to Ireland; Apple and Ireland intend to appeal the ruling. She has also questioned Facebook’s terms of service and Amazon’s tax records in Europe, experts noted.

Shelly Palmer, CEO of The Palmer Group, a strategic business and technology advisory firm, said companies deemed non-compliant with the GDPR can face fines of up to 4 percent of their annual worldwide revenues. “This is a staggeringly large penalty,” he stated. “A violation could cost Facebook, for instance, up to $1.6 billion. The number would be much greater for companies such as Google and Amazon.”


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
