The General Data Protection Regulation which aims to protect the personal data of EU citizens will be enforced from 25th May 2018. It’s an extension of the Data Protection Act (DPA) with greater rights for individuals and requires companies – even non-EU organisations - that do business in the EU with EU data subjects' personal data to put in place clear policies and procedures to protect that data.

Retailers and merchants across all sectors will be some of the most severely affected. For those organisations who have complied with the DPA, the transition to a GDPR world should be straightforward but, as always, the devil is in the detail. Businesses should waste no time in assessing what they need to do and putting a detailed plan in place.

If you’re hoping that Brexit will help you avoid the challenges of GDPR, think again! UK organisations handling personal data will still need to comply with the GDPR as it will come into force before the UK leaves the European Union, and the government and Information Commissioner have confirmed that the Regulation will still apply.

We’re finding that there is a great deal of ignorance about GDPR and an equal level of misinformation. As you might expect, fear mongers are jumping on the bandwagon, drawing attention to the increasing level of penalty that can be applied. Under the DPA, the maximum fine that the ICO could levy is £500,000, though they’ve never issued a penalty higher than £400,000. The new limit is €20 million or 4% or annual global turnover – whichever is greater, so it’s understandable that the fear factor looms large! There are plenty of generic, one size fits all, conferences, websites and flyers but I urge caution as there’s a real lack of factual, independent information that gets down into the detail of what organisations are going to have to wrestle with over the next year so I suggest that a wide range of viewpoints are sought before committing to your GDPR programme.

It’s clear that this presents a serious burden for companies and, for those who remember, I believe it ranks in the same category as a Y2K programme, both in overall magnitude and the impact on business continuity and risk; bigger in terms of the extent to which it will affect people and processes, as well as technology. 
 
I’m seeing some organisations in the payments world trying to persuade their merchant customers that they can help solve all their GDPR challenges. Again, I recommend caution! Whilst the lessons from PCI and payment data security policies and processes that have been put in place over past 10 years will provide a great springboard for a GDPR programme, the payment data security aspects of GDPR will generally only be a small dimension of the overall scope.
 
This is going to need a coordinated approach; there are so many disparate but interconnected repositories of PII that we risk triggering unintended consequences if the data matrix in your business is not correctly mapped.
 
Vendorcom first started looking at this subject as far back as 2013. On 25th May, with 365 days til the Regulation is enforced, we ran a briefing for merchants and their personal/payment data centric systems providers to meet the need for independent, merchant-relevant, authoritative information. If you want to see the presentations, get connected to the speakers stay informed of future Vendorcom GDPR briefings, just get in touch with me.  I’m confident that across our quarterly Future of Payments Conferences, Legislation & Regulation, Payment Security & Risk Management and Identity & Authentication Special Interest Groups, as well as specific GDPR Briefings, this challenging legislation will be centre stage for the next couple of years.