We wrote recently about the importance of finding a subscription billing management platform you and your customers can trust to keep both personal and financial data private through security best practices and regulatory compliance. You can read the full post here, but the bottom line is that now more than ever, personal data is top of mind for both businesses and their customers. To tackle this subject, we ask ourselves three questions: How much is being stored? How is it being protected? How is it being used?
To address some of that anxiety, the European Union's General Data Protection Regulation (GDPR), often described as the most far-reaching privacy law to date, became enforceable in May 2018. It applies to any organization that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where the company is headquartered. That means these rules very likely affect your business operations, so let's look at what GDPR entails and how it shapes data security practices, especially where billing is concerned.
What is GDPR?
The goal of GDPR is to require more stringent data privacy and security measures, together with clearer disclosures and reporting on data protection practices. The regulations aim to give individuals control over how their data, including any personally identifiable information, is used and stored.
GDPR defines personal data broadly, and singles out a subset of it for stricter handling:
- Personal Data is any information relating to an identified or identifiable person: names, e-mail and postal addresses, phone numbers, usernames, IP addresses, and credit card numbers. Think: the data you might have to input when you order a product online.
- Special Category Data is personal data that reveals race or ethnicity, political or religious leanings, or genetic, biometric, and other health-related details. Processing it is prohibited except under narrow conditions. Think: information that could be mined from places like your Facebook feed or your Instagram posts.
GDPR also defines the two types of third-party entities that may access or store individuals’ data:
- Controllers are the entities that decide why and how personal data is processed. In billing, that is typically the merchant or other company that interacts directly with consumers and collects their data.
- Processors handle that data on behalf of, and on the documented instructions of, a controller, for example by storing and cataloguing it. "Processing" means any operation performed on personal data, manual or automated, including but not limited to collection, recording, organization, storage, use, and erasure; it is processing that triggers GDPR obligations.
Along with these distinctions, GDPR sets out compliance requirements and individual rights covering data security, identification and transparency, breach detection and notification (a breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, where feasible), and privacy training for personnel and employees.
Is Your Organization GDPR Compliant?
GDPR affects both controllers and processors. When it went into effect in 2018 (and for businesses just beginning to serve customers in the EU any time after that), it required changes to multiple departments and business processes, from legal to IT to marketing.
Under these regulations, controllers may store and use personal data provided they meet three essential obligations:
- Securing the data and using it only for the purpose(s) the individual has been told about and, where required, consented to.
- Providing an individual, on request, a report of what data is held about them and how it is being used.
- Erasing ("forgetting") the individual from their systems on request, unless another legal obligation requires the data to be kept.
Processors are required to support the controller in meeting these obligations. As such, a processor needs to delete or anonymize personal data at the controller's request, produce a transparent report of what data its systems hold for any given individual, and notify the controller without undue delay of any data breach. Note: a billing processor would handle special category data only under exceptional circumstances; the data discussed here is ordinary personal data.
Companies may be just one or the other, processor or controller, but many, like Gotransverse, are both. Gotransverse is a controller for the data collected by our marketing programs and website. We are a processor for the data our clients send to our system on behalf of their customers so that we can manage the accounts receivable lifecycle for them. It's important to understand the regulations and implications for both roles, and where you and your company fit.
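The two processor capabilities described above, a per-subject report of what is held and an erasure that removes personal data while keeping the financial record, in working form. This is an added example, not Gotransverse's code or its API; every customer, invoice, field name and the "refuse while invoices are unpaid" policy is an assumption made for the illustration.

```python
"""Added example (not Gotransverse code): a toy billing store that can answer a
subject access request and honour an erasure request without destroying the
invoice amounts a merchant must retain for tax and audit purposes.
All customers, invoices, field names and policies below are constructed."""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

# Fields treated as personal data. The invoice's amount, currency, date and
# settlement status are financial records that survive an erasure request.
PERSONAL_FIELDS = ("name", "email", "postal_address", "phone", "ip_address", "card_last4")
REDACTED = "[erased]"


@dataclass
class Customer:
    customer_id: str
    name: str
    email: str
    postal_address: str
    phone: str
    ip_address: str
    card_last4: str
    erased: bool = False


@dataclass
class Invoice:
    invoice_id: str
    customer_id: str
    issued: date
    amount_cents: int
    currency: str
    settled: bool


@dataclass
class BillingStore:
    customers: dict = field(default_factory=dict)
    invoices: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def subject_access_report(self, customer_id: str) -> dict:
        """What personal data is held for this subject and which records reference it."""
        c = self.customers[customer_id]
        return {
            "customer_id": customer_id,
            "erased": c.erased,
            "personal_data": {f: getattr(c, f) for f in PERSONAL_FIELDS},
            "invoices": [i.invoice_id for i in self.invoices if i.customer_id == customer_id],
        }

    def total_billed(self, customer_id: str) -> int:
        """Ledger total for the subject; unchanged by erasure."""
        return sum(i.amount_cents for i in self.invoices if i.customer_id == customer_id)

    def erase_subject(self, customer_id: str, requested_by: str) -> tuple:
        """Honour an erasure request relayed by the controller. Personal fields are
        overwritten in place; invoices keep their amounts so the ledger still
        reconciles. Assumed policy: refuse while unsettled invoices exist, since
        the merchant may still need the identity to pursue payment."""
        c = self.customers.get(customer_id)
        if c is None:
            return False, "unknown subject"
        if c.erased:
            return False, "already erased"
        open_invoices = [i.invoice_id for i in self.invoices
                         if i.customer_id == customer_id and not i.settled]
        if open_invoices:
            return False, "open invoices: " + ", ".join(open_invoices)
        for f in PERSONAL_FIELDS:
            setattr(c, f, REDACTED)
        c.erased = True
        # The audit entry records that erasure happened and who asked, never
        # the data that was erased, so the log itself does not re-identify.
        self.audit_log.append({
            "event": "erasure",
            "customer_id": customer_id,
            "requested_by": requested_by,
            "at": datetime.now(timezone.utc).isoformat(),
        })
        return True, "erased"


def build_sample_store() -> BillingStore:
    """Constructed sample data (no real people); two customers, three invoices."""
    store = BillingStore()
    store.customers["cust-001"] = Customer("cust-001", "Ada Example", "ada@example.com",
                                           "1 Example St, Dublin", "+353 1 000 0000",
                                           "192.0.2.10", "4242")
    store.customers["cust-002"] = Customer("cust-002", "Ben Example", "ben@example.com",
                                           "2 Example St, Lyon", "+33 1 00 00 00 00",
                                           "192.0.2.11", "1111")
    store.invoices += [
        Invoice("inv-1001", "cust-001", date(2023, 1, 31), 4900, "EUR", settled=True),
        Invoice("inv-1002", "cust-001", date(2023, 2, 28), 2000, "EUR", settled=True),
        Invoice("inv-1003", "cust-002", date(2023, 2, 28), 4900, "EUR", settled=False),
    ]
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.subject_access_report("cust-001"))
    print(store.erase_subject("cust-002", "controller:acme"))   # refused: inv-1003 unpaid
    print(store.erase_subject("cust-001", "controller:acme"))   # (True, 'erased')
    print(store.subject_access_report("cust-001"), store.total_billed("cust-001"))
```

Two design points matter in practice. First, erasure is a redaction of the personal fields, not a row delete, so invoice IDs, amounts and dates still reconcile against the general ledger after the request. Second, the audit trail that proves the request was honoured must not itself contain the erased values; otherwise the log becomes a second copy of the data you claimed to forget.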
Finally, it's important to note that the law comes with steep fines for non-compliance: up to the greater of 4 percent of global annual turnover or 20 million euro.
GDPR—and General Billing Security—Starts With the Right Platform
Considering the complexity of the regulations and the consequences of non-compliance, we recommend that organizations look for third-party partners that can help clarify GDPR requirements and make any necessary updates to systems and processes. In addition, organizations should be asking serious questions about any potential vendor's security capabilities, including GDPR compliance and independent attestations such as PCI DSS (for cardholder data) and SOC 1 and SOC 2 reports. Ask to see the actual report and its scope: a SOC report covers only the systems and controls named in it, so confirm that the billing service you will use is in scope.
At Gotransverse, we understand that a company's data (including any and all information about its customers) is the lifeblood of the business. As such, we have always considered the protection of this data to be an integral part of doing business. Our adherence to the principles of GDPR, and to other security and compliance best practices, is no exception.
To learn how we are working alongside customers to ensure their intelligent billing platforms are GDPR-compliant, contact us at info@gotransverse.com today.
Disclaimer: This post is for informational purposes only. It is not intended to be legal advice.