Working hand-in-hand with you on GDPR compliance

As a medium-sized business it’s important to ensure you always operate within the law. But that can be quite a challenge, especially as most business owners are not legal experts. That’s where Worldpay can help by providing some top tips on how to stay compliant with any new relevant laws.

One major new piece of legislation to affect both Worldpay and our customers is the EU General Data Protection Regulation (GDPR). Brought into force on 25 May 2018, it applies to any business processing personal data on EU citizens or who operates within the EU and seeks to unify and strengthen data protection for customers and employees, also known as data subjects. Maximum penalties could potentially reach €20m (£17m) or 4% of global annual turnover, whichever is higher.

Here’s some key advice that could help with your compliance efforts, plus information on Worldpay’s approach to GDPR compliance.

Does GDPR apply to small businesses?

Yes — it applies to all companies of all sizes who are based within the EU or process personal data of EU citizens. Although SMEs may be exempt from certain parts of the law, if you do business with a larger partner, they may mandate higher standards of compliance in their contracts.

Will GDPR apply after Brexit?

The government has introduced similar rules inspired by the GDPR in home-grown legislation the Data Protection Act 2018, so that data can flow freely across the Channel. This means that even if the UK leaves the EU in March 2019, UK companies will most likely still need to meet the same requirements.

What do I do next?

If you still don’t have a compliance plan, don’t panic. The regulator has promised to be “fair and proportionate” and will take account of those firms doing their best to be responsible and accountable. Here’s a quick checklist of key elements to think about:

  1. Understand your customer/employee data: Ensure you know what personal data you collect and process and then answer key questions like: How is it captured? How and where is it stored? How do you use it and where is it going?

  2. Consent requirements: The GDPR does not allow pre-ticked boxes or a lack of response as a valid form of gaining consent. Nor does it allow consent forms hidden away in T&Cs. Consent must be obtained clearly and unambiguously for all current and future customers, in plain English.

  3. Individual rights: You will need to support newly expanded rights customers have to access their data. Requests which could follow may include to rectify inaccurate data; erase data subject to certain legal and regulatory requirements; export all data for use by another provider; and respond to objections about how their data being used. The timeframe to comply with these requests is 1 month.

  4. Privacy by design: is a new principle introduced in the GDPR which means if you’re developing any new products or services, privacy must be considered from the development stage and throughout the lifecycle.

  5. Data breach notifications: Any major breaches of personal data must be notified to the relevant authorities (the ICO) within a 72-hour period. So you’ll need to ensure you have appropriate security processes in place to monitor for and block cyber-attacks and an incident response plan in case the worst happens.

  6. Focus on suppliers: Ensure any suppliers you use that process personal data meet GDPR requirements. You will need to update contracts to include mandatory provisions found here.

  7. Privacy notices: “fair processing notices” will need to be more straightforward and transparent about how you are processing personal data. Consider why you’re processing their data; the lawful basis for processing (consent, legitimate interest, etc); the recipient or categories of recipients you’re sending the data to; retention periods or the criteria used to determine the retention period; the data subject’s rights.

  8. Privacy impact assessments: conduct and document risk assessments before any data processing likely to result in high risks to individuals takes place.

The Worldpay approach

Worldpay is also compliant with the GDPR, which is good news for our customers. A detailed summary of our approach to Privacy and GDPR Implementation and some Frequently Asked Questions will help you understand more. However, if you don’t have time to read through these, here’s a bit more information to bear in mind:

  • The GDPR reinforces privacy principles which have been in place for years, so it’s not entirely new
  • GDPR rights were primarily designed to establish controls for largely unregulated, consumer-facing, data-driven tech businesses rather than for the payment and financial services industry
  • The GDPR’s aim is to update existing frameworks like the EU data protection directive
  • Worldpay has already embedded the key principles mandated by the EU data protection directive and other laws/regulations into its processes and operations
  • As a result, Worldpay is confident in its approach to GDPR compliance and committed to protecting our customers and payment users’ privacy

Further reading

The Information Commissioner’s Office (ICO) is the UK’s data protection watchdog and GDPR regulator. It has also provided a handy self-assessment checklist.

The Article 29 Working Party also produces helpful data protection guidance for EU businesses.

The GDPR legislation can be viewed in full here.