General Data Protection Regulation (GDPR)

How aware is your company about the personal data you hold?

  • 8% Very, we have a map of all PII data flows
  • 61% Quite, we understand what PII data we hold
  • 26% Not very, we need to take steps to understand what PII data we hold
  • 1% I don’t know what PII data we hold
  • 1% Does not apply, we don’t hold PII data

Source: Understanding GDPR Webinar

What is the GDPR?
The General Data Protection Regulation (GDPR) aims to harmonise data privacy laws across the EU. It will give control back to citizens over the collection, storage and use of their personal data. It updates many aspects of previous legislation, the Data Protection Directive 95/46/EC, and includes new concepts like penalties, specific protection for children and data portability.

When does the GDPR start?
The GDPR is already in place – it came into force on 24th May 2016. A two-year transition period is underway, with enforcement applicable in all EU states from 25th May 2018.

Why has the GDPR come about?
Data is now the new currency driving a wave of unauthorised access and data breaches. This can have a huge impact not only on those whose data is stolen but also on the organisation it was taken from. Data is vital for businesses to trade and for people to transact, and the GDPR will provide more restrictions and protocols to protect personal data, whether textual or numeric, throughout its lifecycle.

What general impact will the GDPR have?
The GDPR requirements will affect all companies regardless of size or turnover if they store data on any natural person or ‘Data Subject’ who is an EU citizen. Specifically, all organisations will need to take enhanced privacy and protection measures around any personal data they hold and process for EU citizens. This means both operational and technological reviews are needed, as all organisations will need to demonstrate how personal data is processed and what protection is given against unauthorised access, unlawful misuse, and accidental loss, destruction or damage. There are also new guidelines on how breaches need to be reported, which will require internal training for many organisations.

These stricter rules will be enforced by the European Data Protection Board, which will be able to impose periodic audits, warnings and ultimately heavy monetary penalties.

How will GDPR affect me?
GDPR compliance will make collecting, processing and storing data more complex. It will not just affect one department, but many and so it is advised that you have a “task force” approach across your business to assess the impact GDPR will have and to implement the changes needed.

After 25th May 2018 you will not be able to use and process personal data unless you have gained explicit consent to do so. So if your business relies on processing payments and collections, for example, you may need to make process and technological changes in order to be compliant. Specifically, you will need to be able to record consent for the processing of personal data and demonstrate why a person’s data is needed, how it is going to be used and that it is being kept as securely as possible.

In addition, you must be able to provide evidence, if asked, that you comply and all measures have been taken to ensure the safety and security of personal information both at rest in your databases and whilst it is being processed.

Non-compliance will put you at risk of some heavy fines. Although penalties will depend on severity, they can be as high as 4% of annual global turnover or €20 million, whichever is greater. You could be fined 2% for simply not having your records in order (Article 28), not notifying the supervisory authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors.

If you are classed as a data owner and send personal data to a third party for processing, you will be legally responsible for it in both cases. Contracts you have with partners that process your data on your behalf will need to be reviewed to reflect the GDPR.

It is worth noting that any regulations you currently uphold from other Financial Services directives may seem to conflict with GDPR. It is recommended that you seek legal advice on your unique regulatory position and what your appropriate GDPR response should be.

What do I need to comply with the GDPR?
Evaluate the data you hold. GDPR applies to any personal data classed as structured (system-held) or unstructured data (emails, printed documents, spreadsheets). This also applies to personal banking details you collect in order to receive and make payments, contact details and email addresses for marketing purposes, extending to IP addresses and biometric and even genetic data. All personal data kept must be easily identifiable during the time you are using it, easily reportable and transferable; it must be as easy to withdraw consent as it is to give it. Building all data into an organised catalogue will be critical to meeting requirements of the GDPR as you could be asked to show how your data is stored at any time.

Gain consent and record it. You will need to capture consent to use a person’s personal data along with information relating to how and when you obtained consent and the purpose it has been collected for. This may mean a change in the type and amount of data you collect today and systems and processes will need to be able to cater for this accordingly. You must now also be able to gain and record additional parental consent where data relating to a child under 16 is collected for processing.

Secure and protect the data you hold. You must assess how you protect the data from damage and misuse. Meeting security standards for GDPR will rely on adopting the right technology, which again you may be asked to demonstrate. Solutions that provide extra layers of security for access, monitoring, anomaly reporting and encryption are now being seen as the silver bullets for compliance with many regulations in play today, including GDPR. To get more detail on changes you may need to make, read our info sheet on the top 10 changes.

How can Bottomline help?
You are responsible for making your company compliant with the GDPR but as a payments technology vendor we can help accelerate and automate your processes so it is easier to consolidate, manage and protect personal payment information you may hold. Our solutions help you to:

  • Gain structure for your data, helping you to keep it accurate and easier to process and update
  • Limit unauthorised access through multi-factor authentication
  • Monitor your payment data in real time
  • Encrypt your data at rest and in transit

Our secure cloud-based solutions deliver the most economical and viable way to adapt to and take advantage of industry events, minimising disruption to your business.

Our View on GDPR
While the UK remains in the EU, all businesses will have to adhere to the GDPR. A new Data Protection Bill currently going through Parliament will then replace this. Protection of personal data in whatever format, from operational misuse, manipulation or third-party extraction, is integral to both of these directives, and we believe this will continue to be addressed as part of other forthcoming regulations. Companies that proactively invest effort in anticipating the evolving risks and subsequent regulations will be embracing a duty of care to their customers and demonstrating a corporate responsibility which may be favourable to future investors, partners and customers.
