Now more than ever, personal data is at the top of mind for both businesses and their customers. How much is being stored? How is it being protected? How is it being used?

A new law enacted by the European Union is designed to alleviate some of that anxiety, and it’s being called history’s most powerful privacy law. The General Data Protection Regulation (GDPR) goes into effect at the end of this month, and it applies to any organization — regardless of where it’s headquartered — that serves individuals in the EU. That means these new regulations are likely to have an impact on your business operations, so let’s take a look at what GDPR entails and how it might affect data security practices, especially where billing is concerned.

What is GDPR?

The goal of GDPR is to provide more stringent data privacy and security measures and more user-friendly disclosures and reporting on data protection practices. The regulations aim to allow individuals to control the use and storage of their own data, including any personal identifiable information.

The regulations break this data down into two categories:

• Personal Data includes information like names, e-mail and postal addresses, phone numbers, usernames, IP addresses and credit card numbers. Think: the data you might have to input when you order a product online.
• Special Category Data includes information that reveals race or ethnicity, political or religious leanings and genetic, biometric and other health-related data. Think: information that could be mined from places like your Facebook feed or your Instagram posts.

GDPR also defines the two types of third-party entities that may access or store individuals’ data:

• Controllers are merchants and other companies that interact directly with consumers, collecting personal data. The controller is the entity that makes decisions about how the data will be used, or processed.
• Processors are companies that store and catalog that data on behalf of the controllers. “Processing,” which refers to any operation (manual or automated and including but not limited to collection, recording, organization, storage or use) that is performed on personal data, is the activity that triggers GDPR obligations.

Along with these distinctions, GDPR outlines several new compliance requirements and user rights around personal data security and identification, transparency, breach detection and privacy training for personnel and employees.

How Will GDPR Impact Your Organization?

GDPR will affect both controllers and processor requiring changes to multiple departments and business processes, from legal to IT to marketing.

Under these new regulations, processors can be expected to store and use personal data. They will have 3 key obligations:

• Securing the data and only using it for the purpose(s) authorized by the individual.
• Ability to provide an individual a report of how their data is being used.
• Ability to “forget” the individual within their systems.

Processors are required to support the controller in meeting these obligations. As such they will need to provide the ability to delete or anonymize personal data at the request of a controller, to provide transparent reports on what data is being held in the system for any given individual and to notify controllers in case of any data breach. Note: Only under very special circumstances would they handle special category data.

Companies may be just one or the other — processor or controller — but a lot, like Gotransverse, are both processor and controller. Gotransverse is a controller based on the collection of data in our marketing programs and website and we’re a processor in terms of the data our clients send to our system on behalf of their customers so that we are able to manage the Accounts Receivable lifecycle on behalf of our clients. It’s important to understand the regulations and implications for both parties and where you and your company fit.

Finally, it’s important to note that the new law comes with steep fines for noncompliance: up to the greater of 4% of annual revenue or 20 million euro.

GDPR Goes Into Effect on May 25, 2018

Considering the complexity of the regulations and the consequences of noncompliance, we recommend that organizations look for third-party partners that can help clarify GDPR regulations and make any necessary updates to systems and processes.

At Gotransverse we understand that a company's data, including any and all information about their customers, is the lifeblood of the business. As such we have always considered the protection of this data an integral part of doing business. Our adherence to the principles of GDPR is no exception.

To learn how we are working alongside customers to ensure their intelligent billing platforms are GDPR-compliant, contact us at info@gotransverse.com today.

Disclaimer: This post is for informational purposes only. It is not intended to be legal advice.

Geoff Coleman is the Chief Operating Officer at goTranverse. Geoff has over 25 years of technology experience, with a 20-year focus on the billing industry. Prior to joining Gotransverse, Geoff was associate vice president for business support service product offerings at Comverse.