GDPR: New European Data Protection Rules Bring Changes for PFs

Payment facilitators doing business in Europe have work to do, if they’re going to be ready for the new data privacy rules that will be effective in May.

According to Tim Buckingham – co-founder of Payment Services Consulting, a U.K. firm that provides legal, compliance and risk advice to the payments industry – the work for many has already begun.

Buckingham will present a session on the European regulatory environment for the Merchant Acquirers’ Committee (MAC) Annual Conference on March 14. He is a member of MAC and an advisor to its board.

One of the top compliance issues in Europe right now is adherence with the General Data Protection Regulation (GDPR). In April 2016, the European Union Parliament approved the regulation, which aligns and strengthens data privacy laws among the European Union’s member countries. It goes into effect May 25 across Europe and the U.K.

For payment facilitators, GDPR is likely to impact three areas, Buckingham said. Most PFs will likely hold personal data for their employees and submerchants. They will also handle it when processing transactions.

Fundamentally, the new regulation represents two major changes. The first is the need to obtain direct and effective consent for a specified use of the individual’s personal information.

If a PF is gathering data from clients for AML / KYC use but also intends to send marketing messages to those clients, for example, it will need to update forms and contracts to obtain proper consent.

“The PF must know what it’s going to use the data for, then it has to make sure it has the right consent to use it for that purpose,” Buckingham said.

The second change is the notion that a person has a right to be forgotten, he said. Once the regulation is effective, European individuals will be able to write to a business that has their personal data and tell them to delete it. Provided that the business has no proper need to retain the data, it has to comply.

For a payment facilitator, dealing with this change involves not only the ability to delete the data upon request, but knowing with certainty where the data is, he said.

“If you don’t know where you store your data, you can’t delete it,” he said.

While larger organizations will likely have in-house data protection personnel, smaller companies will likely look to outside consultants to help them first identify any gaps within their current systems and make recommendations, and then to implement the needed changes.

“I think we’ve set the bar higher in Europe, so that anyone who contracts with a European entity is probably going to have to spend a bit of money to get their service up to speed,” he said.

If they haven’t already, PFs will soon start receiving questionnaires from their acquirers. They need to take those questionnaires – which ask them for details about the systems they have in place to comply with GDPR – very seriously, Buckingham said.

“They do need to answer the questions in a pretty thorough way,” he said. “They need to know what they’re going to say, or they could lose business.”

Buckingham will provide further insight about this and other European regulatory topics during his session at the MAC conference. MAC is a payments industry organization focused primarily on risk management. Its members include representatives from acquiring financial institutions, payments processors and payment facilitators, among others. Its annual conference is scheduled for March 13-15 in Las Vegas.