By Catherine Moore, President and Managing Director for J.P. Morgan Merchant Services Europe and William Long, Partner and head of the European Data Protection Practice at Sidley Austin LLP.
In the Subscription Economy, millions of people work, shop and play online every day, leaving behind volumes of data that can include sensitive information. A study by IDC estimates that by 2020 there will be 5,200GB of data for every consumer on earth. In total, that works out at 40 zettabytes, or 57 times more than every grain of sand on every beach.
Regulators have increasingly become concerned with how companies capture, manage and protect the swathes of data they hold on their customers. Within the European Union (EU), these concerns have resulted in the General Data Protection Regulation (GDPR), a new regulation which aims to give consumers greater rights and security over how their data is used.
GDPR is the most comprehensive framework of its kind in the world and will have profound implications not just for businesses operating in the EU, but for any that process the personal data of individuals in the EU, wherever the business itself is based. Companies in breach of GDPR could face severe fines, and with an application date of 25 May 2018, time is running out to ensure compliance.
Subscription businesses, which frequently come into contact with sensitive customer information like payment details, will have to be especially ready.
WHAT IS GDPR?
GDPR will replace the EU Data Protection Directive (95/46/EC), which was adopted in 1995, during the early days of the internet, and is now considered inadequate to deal with current challenges. This is understandable considering that the average smartphone today has far more processing power than a PC in 1995, while eCommerce sales are over €500 billion a year in Europe alone.
The new legislation establishes guidelines on how companies should handle customer privacy, store data securely, and respond to security breaches. It also attempts to offer a unified standard of operating across Europe so that companies do not have to deal with several regulatory environments.
For the first time, obligations will be placed directly on data processors as well as data controllers. In other words, GDPR will affect not just an organisation that decides why and how data is processed (the controller) but also its outsourcing providers that process data on its behalf (e.g., a cloud computing company, or a third-party payment provider). Previous legislation placed responsibility solely on the controller.
GDPR also addresses the export of personal data outside the EU. The legislation makes it clear that it does not apply only to European companies, but to any business that offers goods or services to, or monitors the behaviour of, individuals in the EU, even if the business is not established in the EU.
DATA MANAGEMENT, PORTABILITY AND CUSTOMER RIGHTS
At the heart of GDPR are a number of changes to the way that customer data is handled. Under the legislation, every use of personal data needs a lawful basis, and where a company relies on the customer’s consent, that consent must be freely given, specific, informed and unambiguous, expressed through a clear affirmative action: silence, inactivity or pre-ticked boxes will not count. But that’s not all: companies must also be able to demonstrate that this consent has been given, which means keeping a record of what the customer agreed to, when, and how. One potential implication is that companies may have to alter their auto-renewal and subscription payment processes.
Companies can no longer store a customer’s personal data simply because it may prove useful in the future, or so they can pass it on to another provider. From now on, the responsibility will be on businesses to justify why they are retaining customer information, and for how long; data they cannot justify keeping may have to be erased.
Subscription businesses will particularly be impacted by this since they store a variety of data that helps them gain insights into customer behaviour such as usage, profile, etc.
GDPR: KEY IMPLICATIONS FOR SUBSCRIPTION BUSINESSES
- Consent: Where consent is the lawful basis, companies will have to obtain it through a clear affirmative act and be able to prove that they did.
- Customer profiling: New restrictions on using data for customer profiling and automated decision-making.
- Security and data breaches: Personal data breaches have to be reported to the supervisory authority within 72 hours of the business becoming aware of them, unless the breach is unlikely to result in a risk to individuals.
- Data portability: Consumers have the right to receive their personal data in a machine-readable format, or to have it transferred to another provider, in certain circumstances.
- Data transfer: Prohibitions on transferring data to non-EEA* countries without adequate safeguards.
- Right to be forgotten: A business must erase an individual’s personal data in certain circumstances.
- Security: Businesses must have technical and organisational security measures that are appropriate to the level of risk.
* The EEA includes the EU countries and also Iceland, Liechtenstein and Norway. It allows them to be part of the EU’s single market.
Businesses will need to implement new policies on data retention and deletion, including for cases where customers withdraw their consent or object to processing. The “right to be forgotten” is a particular challenge for organisations because of the rich web of information that is held across databases, backups and third-party systems. Whereas companies may previously have been concerned with how to store and archive information, the focus is now turning to what information is held, where it is held, and how it can be located and removed. For example, a merchant may have to remove someone’s personal information from its payment transaction histories if they so request, while still keeping the records it is legally required to retain, for instance for accounting or anti-money-laundering purposes: the right to erasure does not override those legal obligations, so retention schedules need to record which data is kept on which legal ground.
It is also important to realise that data does not just mean information held on a database. GDPR applies to personal data held on paper in a structured filing system as well as to digital data: it could be customer details on printed forms, or in old files at a warehouse, for example. This would now have to be located and made available in the event of a consumer request.
Given that GDPR applies from May 2018, businesses should already be looking at how it will affect their procedures. Under the regulation, firms can face fines of up to €20 million or 4 percent of annual global turnover, whichever is greater. And that is for the most serious breaches, such as failing to meet the basic processing principles or ignoring data subject rights. Failures such as not keeping proper records of processing and of breaches, or not reporting a breach within the set timescale, can carry fines of up to €10 million or 2 percent of annual global turnover.
GDPR also allows individuals to claim compensation for non-financial as well as financial loss. Merchants and third-party payment providers are frequent targets for cyber-criminals because of the card details and other personal data they hold, sometimes without realising they hold them, so they will have to ensure especially tight controls in this regard. Payment providers may also start offering value-added data protection services as a means of reducing the investment required by businesses, and of helping them win more business.
One related area that is also changing is the payment card security standard PCI DSS. Although it is unconnected to GDPR, the new requirements introduced in PCI DSS 3.2 become mandatory on 1 February 2018, having previously been best practice. Companies that implement the standard will have gone some way towards meeting GDPR’s security obligations, at least for cardholder data; it does not, however, address consent, data subject rights or retention. For example, multi-factor authentication (MFA) becomes mandatory for all non-console administrative access to the cardholder data environment, reducing the risk that stolen administrator credentials alone are enough to reach customer card data.
Companies are going to have to radically rethink the way they do business. There are obvious ways in which organisations will have to change, e.g., in obtaining customer consent and shifting data retention policies. But there are more subtle changes too: there will need to be a shift in company thinking, to ensure that customer concerns are at the heart of company policy.
GDPR could entail huge volumes of work: from amending contracts to make them compliant, changing privacy policies and notices, and altering company procedures to deal with data subject rights.
The organisational changes will mean greater transparency and will also offer more security for customers. Companies that act quickly and robustly in implementing these changes may also find they will benefit from a greater degree of trust from their customers.
In short, implementing GDPR may mean major changes, but it should benefit businesses and customers alike. Don’t delay, however: the time for action is now, and companies that haven’t started thinking about it may find it is already too late.