What you need to know about Europe’s new data protection laws

On 25 May 2018, a major new data protection law will come into force: the General Data Protection Regulation (GDPR). It will affect any business that targets customers in the EU (including the UK). Regulators will have the power to fine companies up to 4% of global annual turnover or 20 million euros for non-compliance; whichever is higher. Although these sums are unlikely to be levied for SMEs, Worldpay is committed to helping our customers comply with the new European regulation.

However, government research indicates only 38% of British businesses have even heard of the new law. That’s why Worldpay has put together a brief guide to the main aspects of the new regulation, and what you need to do next.

Why is it happening?

The GDPR is a once-in-a-generation attempt to update Europe’s data protection laws for the digital age. This means introducing strengthened rights for EU consumers, and new obligations for businesses that store, manage and process their data. Personal data is defined as any information which identifies an individual, which could be anything from customer card details, to names, addresses, HR records, and customer lists.

Does it apply to small businesses?

Yes — it applies to all companies regardless of size, although there are some rules where SMEs may be exempt. That said, if your business contracts with a larger partner, they may mandate higher standards of compliance in their contracts with you.

As a global leader in payments, the security of our merchants’ data and the data of their customers has always been a key focus for Worldpay. In fact, the regulation enshrines into law many of the processes we already have in place to manage and process this data. One benefit from this is that we’ll be offering you more detailed controls over how you’d like to be contacted by us, e.g. with information about our existing or new products and services.

Will it still apply after Brexit?

The GDPR will certainly apply to all UK organisations from 25 May 2018. Even after Britain is scheduled to leave the EU in March 2019, UK organisations will still be subject to the regulation where EU consumers are targeted. The government is also committed to introducing the same rules in the form of the Data Protection Bill, in order to ensure the free flow of data to and from the EU after this time. The bottom line is that — whether in the GDPR or Data Protection Bill — these new rules are here to stay.

What do I need to do?

In order to ensure compliance with the GDPR before the 25 May 2018 deadline, you should consider the following:

  1. Understand the personal data you hold on customers and employees: How is it captured, how and where is it stored, how do you use it and where is it going? Personal data could include a huge scope of information, from IP addresses to names and emails, so it pays to familiarise yourself with the new rules.
  2. Request consent: The GDPR demands that any consent given by customers for you to use their data must be given unambiguously. You also need to be able to provide evidence, by recording and managing consent, screen against suppression lists and keeping details up to date.  You may therefore want to go through your list of all existing customers to ensure the consent you have obtained is still valid. Pre-ticked boxes or a lack of response is no longer a valid form of gaining consent. Nor can the request be hidden within other policies or in small print on your website. Consent must therefore be clearly specified, freely given and obtained for each new purpose for which the data is processed.
  3. Data access rights: Consumers now have strengthened rights to access all the data that a business holds on them. This includes the right to rectify inaccurate data; the right to object to their data being used, the right to their data being erased subject to certain legal and regulatory requirements), or the right to portability, which involves requesting to export all data for use by another provider. You must therefore have the appropriate measures in place to enable these requests as soon as possible and latest within a month.
  4. Privacy by design: Another major new principle in the GDPR is the idea of embedding data protection into systems and services from the start. Thus, if you’re developing anything, such as new tools, systems or technologies to name a few, consider the use of best practice security and privacy, such as encryption of data, from the outset.
  5. Data breaches: Any major breaches of personal data must be notified to the relevant authorities (the ICO) within a 72-hour period. Thus, you need to put in place an incident response plan to speed up this process and ensure security tools continuously monitor for cyber-attacks. A breach is defined as “destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” so it could mean data theft or even a ransomware attack. It also applies to non-digital data.
  6. Review supplier Terms & Conditions: Ensure any suppliers you use that process personal data meet GDPR requirements. You will need to update contracts to include mandatory clauses found here.
  7. Customer privacy notices: So-called “fair processing notices” will need to be more transparent on how you are processing personal data and be easily understandable and accessible for customers. You should consider: why you’re processing their data; the lawful basis for processing (consent, legitimate interest, etc); the recipient or categories of recipients you’re sending the data to; retention periods or the criteria used to determine the retention period; the data subject’s rights.
  8. Privacy impact assessments: You need to conduct and document risk assessments ahead of any data processing likely to result in high risks to individuals — i.e. obtaining their bank account details. This assessment needs to identify and mitigate key risks and demonstrate GDPR compliance.

Helpful resources

The Information Commissioner’s Office (ICO) is the UK’s data protection watchdog and is a fountain of GDPR knowledge. It has also provided a handy self-assessment checklist.

The Article 29 Working Party also produces helpful data protection guidance for EU businesses.

The legislation itself can be viewed here.