You may have heard the acronym GDPR buzzing around your office lately. Some of you may have smiled and nodded, feigning interest or understanding. Well, now is the time to get interested. The EU’s new regulation is not only important but could mean changes to your business operations.
Strong cybersecurity is a multi-layered and complex effort. There is one area many companies could improve on without even realizing it is a problem: replacing the human vulnerability of manual fraud reviews with automation.
Um, What Was That Acronym Again?
GDPR, the EU’s General Data Protection Regulation, is a regulation (not a directive, unlike the 1995 Data Protection Directive it replaces) intended to harmonize data privacy law across Europe and reshape how merchants and other organizations in the region approach data privacy.
So What’s the Bottom Line?
Let’s cut to the chase. The bottom line is that every retailer handling personal data will be affected by GDPR, which applies from 25 May 2018. Non-compliant merchants face heavy fines: for the most serious infringements, up to 4% of annual global turnover or €20 million, whichever is greater (a lower tier of 2% or €10 million applies to other breaches of the regulation).
Ch-ch-ch-changes.
Significant changes to the EU’s previous data privacy rules arrive with GDPR. Here are the aspects you need to know so your online store will be ready:
- Extended jurisdiction — Perhaps the biggest change is territorial scope: the regulation applies to any merchant or retailer processing personal data of individuals in the Union, wherever the merchant is established, when that processing relates to offering them goods or services or monitoring their behaviour. A non-EU business that touches EU customer data in this way must, with limited exceptions, designate a representative in the EU.
- Consent — Conditions for consent are strengthened. A request for consent can no longer be buried in paragraphs of legalese; it must be presented in clear and plain language that your customers can easily understand, and withdrawing consent must be as easy as giving it.
- Breach Notifications — When personal data has been breached, the merchant must notify the supervisory authority within 72 hours of becoming aware of it, where feasible, and must inform the affected customers without undue delay if the breach is likely to put them at high risk. (Please refer to the GDPR key changes document for the specific language.)
- Right to Access — Customers may ask a merchant to confirm whether their personal data is being processed and, if so, to obtain a copy of that data along with the purposes of the processing. This is meant to increase transparency and give individual customers insight into how and why their private data is used.
- Right to be Forgotten — Also called “right to erasure,” this entitles customers to request that their personal data be erased from the merchant’s systems and that further dissemination of the data stop.
- Data Portability — New with GDPR, this gives customers the right to receive the personal data they provided in a structured, commonly used and machine-readable format and to transmit it to another controller.
- Privacy by Design — A tenet of GDPR that now becomes a legal requirement: data protection must be built in from the start of system design and by default, rather than bolted on as an afterthought.
- Data Protection Officers — Controllers and processors must appoint a Data Protection Officer (DPO) if their core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale, or of large-scale processing of special categories of data or of data relating to criminal convictions and offences.
Protecting Your Data, Always
GDPR is an important step for data protection not only in the EU but globally. As the online market keeps growing, so does the risk of large data breaches (think Equifax).
We at Forter are GDPR ready. Any data that passes through our gates is tightly protected and accessed only on an as-needed basis. Nearly two years ago our CEO Michael Reitblat discussed how important data protection is and how automated systems like ours in fact ensure that data is better protected. Forter is PCI DSS Level 1 certified and holds a SOC 2 Type 2 report. We remain cognizant of the constant need to protect private data and of the growing demand for stronger security.
By automating manual reviews and decisions, Forter ensures your sensitive data is not exposed to manual reviewers; it restores least privilege. The job of your fraud team is to prevent loss to the company, both by stopping fraud and by removing friction from fraud prevention so that it does not discourage sales. Yet many fraud teams still rely on manual review of transactions, and that means, ironically, that they are potentially a huge source of loss: every reviewer who can open a transaction can see the customer’s personal and payment data. With Forter, instead of teams of manual reviewers routinely deep-diving into your data, automation makes the decisions and data is accessed only when our experts actually need it to do their jobs.
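To make the least-privilege point concrete, here is an added example of the access pattern described above. It is illustrative code written for this page, not Forter’s software: the scoring rules, field names, roles and sample transactions are all assumptions made up for the demo. The automated scorer reads full records; a human reviewer sees only masked or pseudonymized fields unless the case was queued for review and the reviewer states a reason, and every unmasked disclosure is logged.

```python
"""Least-privilege handling of transaction data for fraud review.

Added example, not Forter's code. Assumptions (hypothetical, for
illustration): a transaction is a dict with the fields used below, the
automated scorer is a toy rule set, and a queued case plus a stated reason
is the only path by which a human sees unmasked data.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SENSITIVE = ("card_number", "email", "billing_address")


def mask_card(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymize(value: str) -> str:
    """Stable token so a reviewer can spot repeat customers without seeing the value."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def automated_decision(tx: Dict) -> str:
    """Toy scoring rules standing in for the real decision engine (assumed)."""
    score = 0
    if tx["amount"] > 1000:
        score += 40
    if tx["ship_country"] != tx["bill_country"]:
        score += 35
    if tx["orders_last_hour"] > 5:
        score += 30
    if score >= 70:
        return "decline"
    if score >= 40:
        return "review"
    return "approve"


@dataclass
class TransactionStore:
    """Holds full records; only the automated path reads them unredacted by default."""
    records: Dict[str, Dict] = field(default_factory=dict)
    review_queue: set = field(default_factory=set)
    access_log: List[Dict] = field(default_factory=list)

    def ingest(self, tx: Dict) -> str:
        """Store the record and let the automated scorer decide; queue only 'review' cases."""
        self.records[tx["id"]] = tx
        decision = automated_decision(tx)
        if decision == "review":
            self.review_queue.add(tx["id"])
        return decision

    def view(self, tx_id: str, role: str, reason: Optional[str] = None) -> Dict:
        """Default-deny: unknown roles get nothing, reviewers get a redacted view."""
        tx = self.records[tx_id]
        if role == "scorer":
            return dict(tx)
        if role != "reviewer":
            raise PermissionError(f"role {role!r} may not read transactions")
        # A human gets unmasked data only for a queued case and with a reason,
        # and every such disclosure is written to the access log.
        if tx_id in self.review_queue and reason:
            self.access_log.append({"tx": tx_id, "role": role, "reason": reason})
            return dict(tx)
        redacted = {k: v for k, v in tx.items() if k not in SENSITIVE}
        redacted["card_number"] = mask_card(tx["card_number"])
        redacted["email"] = pseudonymize(tx["email"])
        return redacted


# Constructed sample transactions for the demo (not real customer data).
SAMPLE_TXS = [
    {"id": "t1", "amount": 120.0, "ship_country": "DE", "bill_country": "DE",
     "orders_last_hour": 1, "card_number": "4111 1111 1111 1111",
     "email": "anna@example.org", "billing_address": "1 Example Str, Berlin"},
    {"id": "t2", "amount": 1450.0, "ship_country": "US", "bill_country": "US",
     "orders_last_hour": 2, "card_number": "5555 5555 5555 4444",
     "email": "bob@example.net", "billing_address": "2 Example Ave, Austin"},
]


def run_demo() -> TransactionStore:
    """Ingest the constructed transactions and return the populated store."""
    store = TransactionStore()
    for tx in SAMPLE_TXS:
        store.ingest(tx)
    return store


if __name__ == "__main__":
    s = run_demo()
    print(s.view("t1", "reviewer"))                       # masked: approved case
    print(s.view("t2", "reviewer", reason="dispute"))     # full: queued, reason given
    print(s.access_log)                                   # one logged disclosure
```

The design choice worth noting is that redaction is the default for every human path and the unmasked path requires both a system decision (the case was queued) and an analyst-supplied reason that is logged, so an audit can later answer who saw which customer’s card and why.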