If your company operates in the European Union, you’re aware that the General Data Protection Regulation (GDPR) is now in effect; May 25, 2018 was the deadline to have compliance procedures in place. But for companies doing business only with US merchants and consumers, GDPR does not apply. For now.
GDPR focuses on controllers of data (merchants) and processors of data (payment processing firms like FreedomPay). Among other things, GDPR insists that both groups provide greater transparency and give consumers greater control over their data. It’s an initiative driven by high-profile data breaches like those at Equifax, Target, and other retail and service providers. But GDPR isn’t as much about security as it is about privacy. At its core, GDPR enables EU consumers to contact a company they’ve interacted with, ask what data has been collected on them, and request that the data be rectified, updated or deleted.
Unlike PCI, a global initiative with strict and specific rules for payment data compliance, GDPR is a legislative regulation with broader directives around all Personally Identifiable Information (PII). Processors such as FreedomPay work on behalf of the controllers to process PII, and merchants should understand their responsibilities as controllers to properly handle sensitive consumer data. While FreedomPay does not directly interact with the consumer, we are responsible for working with our clients to comply with consumer requests around data modification and deletion.
The whole issue of data collection, including who collects it, what they collect, how it is collected, how it is stored, and how it is used, is a major area of interest for merchants and consumers across the globe. But just as merchants crave more data, there’s a gap as to how it is handled. Organizing data so it’s relevant and usable is the end goal. Being able to efficiently retrieve requested data and delete it is the next logical step and will likely become a more common request from consumers.
The EU has drawn a line in the sand with GDPR. The United States has regulations on privacy as well. But in the United States, the laws are focused more on privacy and notification if a breach occurs. Further, the laws are not on the federal level; each state has its own regulations, and enforcement is generally lax. FreedomPay’s consolidated global platform allows for data protection and consumer privacy to be centrally managed, regardless of where a consumer resides. That, and providing the consumer with a seamless, secure transaction experience, will leave us and our merchants well-positioned should Congress choose to implement a sweeping law like GDPR.