GDPR is Here: What This Means for FinTech and Payment Systems Companies
Mandatory compliance with the European Union’s General Data Protection Regulation (GDPR) took effect on 25 May 2018. A firm understanding of GDPR and what it means for Payment Systems and FinTech companies is necessary in order to remain compliant, and to ensure that clients also remain compliant.
GDPR at a Glance
GDPR does not prescribe a single technical design, but it names data “pseudonymization” (Article 4(5)) as an example of an appropriate safeguard (Articles 25 and 32): personal data are processed so that they can no longer be attributed to a specific person without additional information, and that additional information is kept separately under its own technical and organizational controls. In practice this means the key or lookup table that links a record back to a person is stored apart from the record itself.
The reasoning is simple. Don’t put all your eggs (data) into one basket. The longer an intruder has to move around inside a system to assemble a usable record, the greater their chances of being detected. Traditionally, merchants and companies that hold consumer information have relied on firewalls and layered network segmentation, yet kept all of an individual’s information in the same database. If a hacker breached that database, everything they needed was within reach, and they could get in and out in the blink of an eye. Separating identifiers from the rest of the data makes the path longer and more difficult for attackers and gives companies a better chance of detecting breaches before they become catastrophic (and before the 72-hour breach-notification clock of Article 33 runs out).
A payment company applying this approach keeps a customer’s direct identifiers (name, address, e-mail) in one store and payment credentials in another, linked only by a token. GDPR itself does not say which fields must be separated; it leaves the choice of measures to the company in light of the risk (Article 32). It also says nothing specific about U.S. social security numbers: national identification numbers are left to each member state’s own law (Article 87), so a processor handling such data must check the national rules as well.
This layout not only makes data more difficult for outsiders to assemble, it also limits what an insider can take. If access to each store is granted to different roles, no single employee account can pull an entire customer profile without a second person or an audited privileged role. That is least privilege applied to the data layer, and it is one of the “organizational measures” GDPR expects companies to put in place (Article 32).
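The separation described above, as an added example that is not code from the original article: direct identifiers and payment data sit in two stores joined only by a random token, and each role may read only one of them. The field names, the role-to-store matrix and the token scheme are assumptions made for the illustration; the customer records are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical role-to-store matrix: only a DPO-style role may touch both
# stores, so no single operator account can assemble a full profile.
ROLE_ACCESS = {
    "support": {"identity_vault"},
    "billing": {"payments"},
    "dpo": {"identity_vault", "payments"},
}


@dataclass
class PseudonymisedStores:
    """Two stores joined only by a random token (the 'additional information'
    of GDPR Art. 4(5)), each guarded by its own access check."""
    identity_vault: dict = field(default_factory=dict)  # token -> identifiers
    payments: dict = field(default_factory=dict)        # token -> payment record

    def onboard(self, name, email, address, card_last4, plan):
        # A random token carries no information about the person. A plain hash
        # of the e-mail would, because an attacker can recompute it.
        token = secrets.token_urlsafe(16)
        self.identity_vault[token] = {"name": name, "email": email, "address": address}
        # Only the last four digits returned by the payment processor are kept
        # here; the full card number never enters this system (assumption).
        self.payments[token] = {"card_last4": card_last4, "plan": plan}
        return token

    def _store(self, role, store_name):
        if store_name not in ROLE_ACCESS.get(role, set()):
            raise PermissionError(f"role {role!r} may not read {store_name}")
        return getattr(self, store_name)

    def read(self, role, store_name, token):
        return dict(self._store(role, store_name)[token])

    def reidentify(self, role, token):
        """Full profile: requires read rights on BOTH stores."""
        identity = self.read(role, "identity_vault", token)
        payment = self.read(role, "payments", token)
        return {**identity, **payment}


def leaks_identity(records, identifiers):
    """True if any known identifier value appears verbatim in the records,
    i.e. what a breach of this one store would hand an attacker."""
    for record in records:
        for value in record.values():
            if any(str(ident) == str(value) for ident in identifiers):
                return True
    return False


def demo():
    # Constructed sample customer, not real data.
    stores = PseudonymisedStores()
    token = stores.onboard("Alice Example", "alice@example.com",
                           "1 Rue Exemple, Paris", "4242", "premium")
    known = ["Alice Example", "alice@example.com", "1 Rue Exemple, Paris"]
    return {
        # A dump of the payments store alone names nobody.
        "payments_leak": leaks_identity(stores.payments.values(), known),
        # The identity vault alone does, which is why it gets its own controls.
        "vault_leak": leaks_identity(stores.identity_vault.values(), known),
        # A billing operator never sees a name.
        "billing_sees_name": "name" in stores.read("billing", "payments", token),
        # Re-identification needs a role with rights on both stores.
        "dpo_profile_name": stores.reidentify("dpo", token)["name"],
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the two stores would be separate databases with separate credentials and audit logs, and the token-to-identity mapping would be the most tightly guarded of them; the code above only models the access split.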
GDPR is Good for Payment Processing
GDPR aims to strengthen the privacy and data protection rights of European consumers, which will build trust in e-commerce merchants and payment processors. To “persuade” adoption, the penalties for non-compliance are hefty. Article 83 sets two tiers: up to 10,000,000 Euro or 2 percent of worldwide annual turnover for the preceding financial year, whichever is higher, for breaches such as inadequate security measures; and up to 20,000,000 Euro or 4 percent for breaches of the core principles, of data subjects’ rights, or of the rules on international transfers. The penalties are not uniform, giving regulators leeway to “make examples” of specific companies found in violation. Article 83(2) lists the factors a supervisory authority weighs case by case: the nature, gravity and duration of the infringement, the number of consumers affected and the damage they suffered, whether it was intentional or negligent, what was done to mitigate it, and whether the company has a prior record.
It is critical for U.S. merchants and payment processors to understand GDPR and get into compliance now. A company based in the U.S. is subject to GDPR if it offers goods or services to people in the EU, or monitors their behaviour there, regardless of where the company or its servers are located (Article 3(2)); such a company generally also has to designate a representative in the EU (Article 27). Customers in the UK are covered by the UK GDPR, which kept the same rules after the UK left the EU.
FinTech and Payment Systems companies should look at GDPR as an opportunity, rather than a burden. Navigating the current landscape, leveraging opportunities, and delivering exceptional, compliant service will be critical for growth. If you are looking for FinTech and Payment Systems pros who can help your firm take advantage of new opportunities with GDPR, contact the expert recruiters at MoneyTech Search today.