The 100-day countdown to the General Data Protection Regulation (GDPR) is well underway, and businesses impacted by the EU regulation should be doing all they can to prepare ahead of the 25<sup>th May deadline. The new legislation will give people greater control over how their personal data is used, and for businesses the costs of non-compliance are severe. In a monetary sense, failure to comply will incur penalties of up to €20 million or 4% of global annual turnover – whichever is greatest. And with Gartner predicting that over 50% of companies will not be GDPR compliant by the end of 2018, the distant threat of these fines will soon become a reality for myriad businesses across the EU and further afield.
In today's digitally connected world, infinite quantities of data are produced by consumers daily, at a mind-boggling pace and volume. Under the shadow of the GDPR, the challenge for today's business is not only tapping these data flows to extract value, but also implementing a heightened level of data security and customer privacy to protect against the possibility of a breach.
With only three months left to prepare, here are the four key considerations for businesses in the coming weeks:
Privacy and data protection: More than just security
Focusing on security without privacy would be like having a house made of bullet-proof, transparent glass. No one will get inside, but an individual's personal life is still on display to all. In today's connected era, organisations should be integrating privacy functions within their business activities alongside data security measures in order to maintain consumer trust in the long-term.
Proactive proof of compliance
The 'but we've always done it that way' excuse will not cut it under the GDPR. Organisations will need to establish and maintain evidence logs in readiness to submit to regulators in the event that a complaint is made against them, and prepare for future evidence that may be required going forward.
Be aware of biometric data
Under the GDPR, biometric data will be classified as 'special category data' meaning privacy, identity and security will be critical to the next generation of data-driven businesses. If biometric data is to be collected, careful consideration must be given to the implications of a data breach where the very essence of an individual, their uniquely personal identifiers, are lost or in some way compromised.
Frictionless payments: a convenience vs security conundrum
Increasing adoption of biometrics and digital identity technologies have paved the way for frictionless payments to become a full-blown reality. But as new and more convenient payment methods come to the forefront, so too do new forms of fraud to exploit them. Paysafe's Lost in Transaction research shows the balance between security and convenience in these emerging technologies is a delicate one, so before businesses look to bring new payment capabilities into their offerings, they should ensure these technologies have the tool kits and resilience to protect data against threats in the post-GDPR landscape.
From a payments perspective, all of these considerations are geared towards the overarching requirement of GDPR: any business operating in the EU needs to be airtight and infallible to the evolving security demands of a changing payments landscape. While this prospect may seem daunting, the key for businesses preparing for the GDPR lies in a simple change of perspective – meeting the regulation's requirements is not a problem to overcome, but an opportunity to be seized.
If Gartner's predictions are validated, only half of businesses will be able to protect their customers' data and privacy to an acceptable standard by the end of the year. This not only leaves the stragglers at risk of significant fines, but also poses a source of competitive edge for those who can comply. A company in compliance with GDPR is one that can offer consumers piece of mind and power over their personal information, and this will prove to be an influential factor on consumer choice following the 25<sup>th May deadline.
The regulation also has advantages for small and medium-sized businesses. In most modern economies, SMBs drive a substantial portion of revenues, and GDPR is intended to make trading easier and stimulate growth in this sector. Being small is less of a disadvantage in today's digital world, because SMBs are more agile and adaptable to changes in data protection requirements. By harnessing the requirement of GDPR quickly, SMBs can level the playing field and increase their competitiveness against bigger organisations.
GDPR will change the business landscape as we know it, and will impact organisations worldwide that have interests, holdings, customers and other touch points within Europe. Clearly, the technical challenges are enormous, even for relatively small organisations. Just knowing where a company's data is located, backed up, viewed and accessed globally – not just by the organisation itself, but by its suppliers too – is a huge and complex exercise in itself. However, even with a project of this size, there are quick wins which can be achieved along the way, and businesses should be aiming to make the most of these opportunities in the final days of preparation.