GDPR & Payment data: 4 Things to know
3 May 2018
Updated: 25 October 2019
Time is ticking! The General Data Protection Regulation, often known simply as GDPR, will enter into force in less than a month! Indeed, the deadline to be GDPR compliant is set for the 25th of May 2018. The countdown is on!
Companies dealing with customers’ sensitive data are highly affected by the introduction of GDPR. In this regard, this article focuses on payment data and what merchants need to know to be GDPR compliant.
Online customer Acquisition – The Checkout
Make sure to offer frictionless customer acquisition. No more paper mandates for your SEPA Direct Debits: focus on digital solutions by offering a full-stack online payment process. The most important part of your online store is the Checkout, the place where users convert into customers and where they provide all their sensitive payment data. To align with GDPR, the best solution for merchants is not to store payment details such as the card Primary Account Number (PAN) for card transactions, or IBAN details in the case of SEPA Direct Debit. If you don’t need it, don’t store it! Unless absolutely necessary, do not store end-users’ sensitive payment data. Merchants are not obliged to store IBAN data, and by not storing it they ensure stronger protection by removing a key target for data thieves. When dealing with recurring payments, the best option is to lean on your payment provider, who is authorised to store payment data and will do it for you!
No more hitches with the SlimPay Checkout solution, a sleek, fully digitalized online payment form. Conversion rate is maximised thanks to the reduction of steps involved in the payment funnel. → Thanks to the use of tokens and no storage of identifiers, the SlimPay Checkout solution is the best way to get GDPR compliant.
Automation process – Data detox
The new regulation requires merchants to automate and digitalize their processes. Regarding payment data, data subjects (any individual whom particular personal data is about, for example the consumers of a company) can request to have their personal data deleted or to receive a report of all the data stored by the company. The controller (merchant) has a period of one month to answer the request of the data subject*. Companies need a quick procedure to identify all the data collected over time and to provide a complete answer to data subjects’ requests. Thanks to the automation of processes, finding all the stored data becomes much easier, so nothing stands in the way of applying the right of access by the data subject (Art. 15 GDPR) and/or the right to rectification (Art. 16 GDPR) when the data subject requests it.
SlimPay, as a processor, helps digitalize the merchant’s payment activity by offering a frictionless Checkout to onboard your customers, supporting different payment methods in order to offer the most appropriate one based on their location. Furthermore, thanks to the SlimPay Dashboard, you can easily manage all your recurring payments through a single, powerful tool. It helps you follow the status of your mandates, aliases and transactions in real time.
* According to Article 12, point 3, of GDPR, the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
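To illustrate the two points above (do not store PAN or IBAN data, and be able to find quickly whatever has been stored), here is an added example, not SlimPay code, of a small discovery scan that flags free-text fields containing a valid card PAN or IBAN. The record layout, field names and token values are constructed for the illustration, and the patterns are heuristics rather than a complete detector.

```python
import re

# Heuristic candidates: IBAN (compact or printed in groups of 4) and 13-19 digit PANs.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")
PAN_RE = re.compile(r"(?<!\w)\d(?:[ -]?\d){12,18}(?!\w)")

# Constructed sample export of a merchant CRM table (hypothetical layout).
SAMPLE = {
    "cust-001": {"mandate_ref": "tok_a81f", "notes": "IBAN DE89370400440532013000 given by phone"},
    "cust-002": {"mandate_ref": "tok_c3d9", "notes": "card 4111 1111 1111 1111 exp 12/25"},
    "cust-003": {"mandate_ref": "tok_77be", "notes": "order 1234567890123456 shipped"},
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by card PANs; filters out order numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first 4 chars to the end, map A=10..Z=35."""
    s = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in s)) % 97 == 1

def mask(value: str) -> str:
    """Keep only the last 4 characters so the report itself holds no payment data."""
    return "*" * (len(value) - 4) + value[-4:]

def scan(records):
    """Return (record_id, field, kind, masked_value) for every validated hit."""
    findings = []
    for rec_id, fields in records.items():
        for field, text in fields.items():
            for m in IBAN_RE.finditer(text):
                iban = m.group().replace(" ", "")
                if iban_ok(iban):
                    findings.append((rec_id, field, "IBAN", mask(iban)))
                    text = text.replace(m.group(), " ")  # avoid re-reading it as a PAN
            for m in PAN_RE.finditer(text):
                digits = re.sub(r"[ -]", "", m.group())
                if luhn_ok(digits):
                    findings.append((rec_id, field, "PAN", mask(digits)))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE))
```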
Data Storage – Security
Under Article 32 of GDPR, ensuring the security of personal data becomes an official obligation for merchants. Indeed, it requires both Data Controllers and Data Processors to implement technical and organizational measures that ensure a level of data security appropriate to the level of risk presented by processing personal data.
To better guarantee an efficient process, merchants can entrust the storage of mandates as well as card PANs to their payment processors, who will take care of all the legal procedures required. Payment processors are highly regulated and controlled by the law, and therefore more trustworthy in terms of security and legal compliance. SlimPay uses qualified and well-trusted partners for the storage of mandates. Thanks to them, SlimPay can guarantee long-term archiving of all its merchants’ electronic mandates, making their life easier and complying with the legal retention period.
Moreover, in terms of security, SlimPay ensures the identification of the debtor and guarantees to the merchant that the person authorizing the payment is the data subject. As a matter of fact, SlimPay offers an advanced signature solution that is:
- Uniquely linked to the signatory;
- Capable of identifying the signatory;
- Using electronic signature creation data that can be used by the signatory under his sole control;
- Linked to the data signed therewith, enabling the detection of any subsequent change in the data.
Info – Transparency
GDPR will increase transparency and trust! How can merchants get aligned with this X? Start by informing your end-users/customers who is involved in your payment process, making them aware of who is dealing with their personal data and how these data will be used by the different parties involved in the process. An easy way to do so is to add the logos of all the parties you work with to your website or to your terms and conditions. The latter will need an update with the introduction of GDPR, as they must be straightforward and easy to understand.
The right to transparent information is the key right!
If you haven’t yet considered all these factors while becoming GDPR compliant, make sure to include them in your compliance process.