What Merchants Need to Know about Protecting Customers and New Regulations

News

11 December 2017

A Guide to Understanding GDPR Implications

Catherine Moore, European President of J.P. Morgan Merchant Services
William Long, Partner of Sidley Austin

Millions of people work, shop and play online every day, leaving behind volumes of data that can include sensitive information. A study by IDC estimates that by 2020 there will be 5,200GB of data for every consumer on earth. In total, that works out at 40 zettabytes, or 57 times more than every grain of sand on every beach.1

Regulators have increasingly become concerned with how companies capture, manage and protect the swathes of data they hold on their customers. Within the European Union (EU), these concerns have resulted in the General Data Protection Regulation (GDPR), a new regulation which aims to give consumers greater rights and security over how their data is used.

GDPR is the most comprehensive framework of its kind in the world and will have profound implications not just for businesses operating in the EU, but any that hold data on EU citizens. Companies in breach of GDPR could face severe fines, and with an implementation date of 25 May 2018, time is running out to ensure compliance. Merchants, which frequently come into contact with sensitive customer information like payment details, will have to be especially ready.


What is GDPR?
GDPR will effectively replace the EU Data Directive, which was established in 1995, during the early days of the internet, but is now considered inadequate to deal with current challenges. This is understandable considering the average smartphone today has 10x more processing power than a PC in 19952, while eCommerce sales are over €500 billion a year in Europe alone.3

The new legislation establishes guidelines on how companies should handle customer privacy, store data securely, and respond to security breaches. It also attempts to offer a unified standard of operating across Europe so that companies do not have to deal with several regulatory environments.

For the first time, obligations will be placed on data controllers and data processors. In other words, GDPR will affect not just an organisation (the controller) but also its outsourcing provider (e.g., a cloud computing company, or a third-party payment provider). Previous legislation placed responsibility solely on the controller.

GDPR also addresses the export of personal data outside the EU. The legislation makes it clear that it does not just apply for European companies, but any business processing the data of EU citizens, even if not based in the EU.


GDPR at a glance

  • GDPR was adopted in 2016 and will become effective on May 25, 2018
  • Applies to businesses in the EU and any company worldwide that holds data on EU citizens
  • Applies to data controllers and data processors
  • Fines can be up to 4 percent of annual worldwide turnover or €20 million, whichever is greater
  • Claims can be made by individuals and organisations

Data management, portability and customer rights
At the heart of GDPR are a number of changes to the way that customer data is handled. Under the legislation, customers will have to give explicit permission for companies to hold data about them. But that's not all, companies must also provide evidence that this consent has been given. One potential implication is that merchants may have to alter their auto-renewal and subscription payment processes.

Companies can no longer store a customer's personal data simply because it may prove useful in the future, or so they can pass it on to another provider. From now on, the responsibility will be on businesses to justify why they are retaining customer information, otherwise it may have to be erased.

There is another important element too, one that has a historical precedent. In 2014, a Spanish property owner whose house was repossessed wanted this fact removed from Google searches. He took the case to the European Court of Justice (ECJ) which ruled that Google had to delete those references to him. This quickly became known as the "right to be forgotten" and, following the ECJ case, it has been included in GDPR.

As such, businesses will need to implement new policies on data retention and deletion. According to Catherine Moore, President of J.P. Morgan Merchant Services in Europe, this will mean a new mindset for some firms: "In certain industries, data might be retained forever because a regulator might ask for it. In others, the erasing of data has not been high on the priority list as there has been no reason for doing it."

The right to be forgotten is a particular challenge for organisations because of the rich web of information that is held in databases. Whereas companies may have previously been concerned about how to store and archive information, now the focus is turning to what information is held and how they can access it. For example, a merchant may have to remove someone's personal information from all of their payment transaction record histories, if they so request.

It is also important to realise that data does not just mean information held on a database. GDPR makes no distinction between physical and digital data: it could be customer details held on paper, or in old files at a warehouse, for example. This would now have to be made available in the event of a consumer request. Yet a recent survey in the UK by Compuware showed that 71 percent of retailers do not always know where their customer data is stored.4


GDPR: Key implications for merchants

Consent Companies will have to actively get consent to store a customer's personal data
Customer profiling New restrictions on using data for customer profiling
Security and data breaches Data breaches have to be reported within 72 hours of discovery
Data portability Consumer has right to request transfer of personal data in certain circumstances
Data transfer Prohibitions on transferring data to non-EEA* countries without adequate safeguards
* The European Economic Area (EEA) includes the 28 European Union (EU) countries as well as Iceland, Liechtenstein and Norway -- it allows them to be part of the EU's single market
Right to be forgotten A business must erase an individual's personal data in certain circumstances
Security Businesses must have security systems that are appropriate to the level of risk


Timescale
Given that GDPR becomes law in May 2018, merchants should already be looking at how GDPR will have an impact on their procedures. According to William Long, a Partner at law firm Sidley Austin: "If they have not started already then it is imperative they begin, due to the volumes of work involved and the potential ramifications for being in breach."

Under the regulation, firms can face fines of €20 million or 4 percent of global revenues, whichever is greater. And that is just for "serious breaches." Such things as failing to keep proper breach logs, or failing to report a breach within a set timescale, will carry fines of up to €10 million or 2 percent of global revenue.

GDPR also allows individuals to make a claim for damages for non-financial loss. Merchants, and third-party payment providers, who may unknowingly store credit card details, are frequent targets for attacks by cyber-criminals so they will have to ensure especially tight protocols in this regard. Payment providers may also start offering value-added data protection services as a means of reducing the investment required by merchants, and helping them win more business.

One area that will also be changing is the credit card authentication standard PCI DSS. Although this is unconnected to GDPR, a new standard, PCI DSS 3.2 is set to become operational in February 2018. Companies who implement this standard will be some way to becoming GDPR compliant, at least as far as payments are concerned. For example, multi-factor authentication (MFA) becomes mandatory in PCI DSS 3.2, offering retailers a way of protecting customer personal details.


The emergence of the DPO
One of the ways in which businesses can manage the new regulatory landscape is by appointing a data protection officer (DPO) with company-wide responsibility for ensuring that protection guidelines are followed. Employing a DPO will be mandatory for publicly-owned bodies, companies that regularly and systematically monitor data subjects on a large scale (such as banks or web analytics companies), or firms that handle data of a highly sensitive nature. However, it is a best-practice approach that is relevant for all companies.

Choosing such a person is a crucial part of the process. As Joel Cullin, Head of Legal for J.P. Morgan Merchant Services in Europe says: "The DPO should be an individual who has a significant amount of autonomy within the organisation and is the data protection champion." This is because compliance with GDPR will depend on many different skills -- legal, technical and financial. Appointing an effective DPO will be one way of helping an organisation keep the right side of its duties under GDPR.


Company-wide involvement
A key aspect of preparing for GDPR is understanding that it is an issue for everyone within the company. Devising a response will require a coordinated approach across the organisation, because one change can have an effect on another department. For example, making changes to consent may entail customers filling in lengthy forms, which may have an effect on online purchases, leading to an increased amount of shopping cart abandonment. So, making changes is not just the responsibility of one department -- there is a need for firms to take a wider view. GDPR could entail huge volumes of work: from amending contracts to make them compliant, changing privacy policies and notices, and altering company procedures to deal with data subject rights.


Conclusion
Merchants are going to have to radically rethink the way they do business. There are obvious ways in which organisations will have to change, e.g., in obtaining customer consent and shifting data retention policies. But there are more subtle changes too: there will need to be a shift in company thinking, to ensure that customer concerns are at the heart of company policy.

GDPR should not just be thought of as a burden: the organisational changes will mean greater transparency and will also offer more security for customers. Restricting the effectiveness of cyber criminals, and reducing the threat of breach, will be especially advantageous for merchants, which are frequent targets for these attacks. Companies that act quickly and robustly in implementing these changes may also find they will benefit from a greater degree of trust from their customers. By prioritising data security, they are demonstrating a willingness to put customer concerns first, which could result in reputational benefits, especially if the provisions they implement are in advance of what is required by the letter of the law.

In short, implementing GDPR may mean major changes but it should benefit businesses and customers alike. Don't delay, however, as the time for action is now: companies who have not started thinking about it, may find it is already too late.


GDPR: Opportunities for merchants

  • Increased trust between companies and their customers
  • Protection of enterprise reputation
  • Standardisation of processes across the EU
  • Better data security and reduced threat of breach

This article was originally published by International Banker. It is also available on the JPMorgan Chase & Co. website: https://www.jpmorgan.com/europe/merchant-services/merchants-protecting-customers


Sources

  1. International Data Corporation (IDC), "The Digital Universe in 2020: Big Data, Bigger Digital Shadows, and Biggest Growth in the Far East." Available at: https://www.emc.com/leadership/digital-universe/2012iview/executive-summary-a-universe-of.htm. Accessed March 2017.
  2. Tech Advisor: "How technology has changed the world in 20 years." Available at: http://www.techadvisor.co.uk/opinion/windows/how-technology-has-changed-world-in-20-years/. Accessed June 2017.
  3. eCommerce Europe: "European B2C e-commerce turnover forecast to reach the €500 billion mark this year." Available at: https://www.ecommerce-europe.eu/press-item/european-b2c-e-commerce-turnover-forecast-to-reach-the-e500-billion-mark-this-year/. Accessed June 2017.
  4. Compuware: "Unprepared for GDPR." Available at: http://resources.compuware.com/hubfs/Collateral/White_Papers/31465_Test_Data_Privacy_wp_6_002.pdf. Accessed June 2017.