There’s been a lot of buzz around the recently introduced General Data Protection Regulation (GDPR), and many businesses are unsure what steps to take in relation to their payment data.
Firstly, it’s important to understand that the legal basis for processing payment data can be different from the legal basis for processing marketing data. For example, when you market to people you need their consent, and that is straightforward. But for payments, is the basis consent, or is it something else?
Performance of a contract
There are several lawful bases for processing personal data under GDPR. When it comes to payment data the obvious one is performance of a contract: the processing is necessary because I need this information in order to provide the goods or services you have requested.
The useful thing about relying on a contract as the basis for processing is that it does not depend on continued consent, as long as the data is genuinely required for the lifecycle of the product or service (subscriptions, warranties or credit card chargebacks, for example). Purpose limitation still applies: you cannot use the data for anything else. But it is much easier to demonstrate that you are providing goods or services than to prove that you hold valid consent or to deal with consent withdrawals.
Dealing with consumer rights
GDPR defines three roles. The data subject is the consumer, the data controller is the business, and the data processor is a third party that processes data on the controller’s instructions.
As the data controller, you are responsible for the relationship with the data subject. You may instruct a third party to process the data, but it is your job to determine the purpose and the legal basis of the processing. A processor may act only on your documented instructions and must abide by the terms agreed between you and the data subject. To guarantee this, the data controller must have a Data Processing Agreement (DPA) in place with each processor.
Dealing with data subject rights
There are some interesting details around data subject rights, which are established in law, especially when it comes to payment data. Data subjects have the right to access the personal data a business holds about them at any time. This includes payment data, and a question I get a lot is: what do I do if a customer demands to see their data?
The data processor (in this case the payment service provider, or PSP) is under a legal obligation to assist the data controller in fulfilling the request. Simply contact your PSP and ask for the data you need.
One thing to bear in mind is that data subject access requests carry a real fraud risk: an identity thief can use them to harvest someone else’s information. Companies must therefore verify the identity of the requester before releasing anything. GDPR allows a controller that has reasonable doubts about the requester’s identity to ask for additional information to confirm it. In practice, that means checking the request against the details already held on the account and replying only through a contact channel already associated with that customer, not to whatever address the request happened to come from.
The Right to be Forgotten – what data you can (and can’t) delete
Another important data subject right is what’s known as the Right to be Forgotten or a Subject Erasure Request (SER). In a marketing context, this means deleting every record of the consumer and never contacting them again. But it is not so clear-cut when it comes to payment data, and there are situations in which certain data cannot be deleted.
For example, in a product sales scenario where statutory warranties apply, some card brands allow chargebacks for up to three and a half years after the transaction. Or, if a customer has an annual subscription that has not been cancelled, the company needs to keep the data in order to continue billing.
It could be that a customer asks to be forgotten simply because they are sick of marketing emails. Good customer service means listening to customers, asking questions and resolving the actual issue. It is up to the organisation to explain what information can be deleted and what must be retained for a certain period for compliance reasons, and to stop the marketing even where the payment data has to stay.
GDPR is not a sprint, it’s a marathon
Regulators will be looking at companies over time, so they need to make sure they have a long-term solution in place. Businesses must ensure they have DPAs with all of their suppliers; this is critical for compliance. They should also think very carefully about their privacy policies and the legal basis they rely on for each kind of processing.
By starting with these small steps, organisations can then fill in the gaps from there. Of course, it is early days, and the rules will become more clearly defined as GDPR is applied in practice. Ultimately, organisations need to remember that GDPR is the impetus to do the right thing. As a consumer myself, I really value it, and I think customers will too.
By Peter Cooper, Information Security Specialist, Adyen