Even with a head start on GDPR, some U.S. companies risk missing the deadline
As U.S. companies race to get their data handling practices in order to comply with the European Union's General Data Protection Rule, payments companies may be a step or two ahead of the pack — but that's not diminishing the amount of work to be done, nor the potential that many companies won't be ready.
The GDPR takes hold May 25 in Europe, changing the way that global companies dealing with European consumers will handle or store their personal or payment data.
The new rule essentially says the consumer "owns" that data and no one else can use it for any purpose without permission. U.S. companies inform American consumers that their data might be used for marketing or advertising purposes unless they advise otherwise, whereas the GDPR says the opposite.
Under GDPR, nothing can happen with the European consumer's data unless they explicitly opt in. American consumers tend to ignore the fine print on company statements regarding the potential uses of their data, leading to an environment where companies expect them to opt in by default.
"There are a number of U.S. financial services companies that are vastly unprepared for what they need to do to comply with GDPR," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "Some firms are all over this and ready to go, and some are only just now coming to the realization that they have an obligation if they are doing business with European citizens, and they are way behind."
Companies whose core business is data-focused and those with substantial European presences are generally well prepared, Conroy said. "But there are many firms where business with European citizens is a more incidental part of their business, and I think a lot of those are quite unprepared," she added.
The GDPR calls for attention to detail in handling data, calling for companies to be able to tell an inquiring consumer, at any time, where his or her data is stored and why. Many security experts have said this will be a revealing facet of GDPR because many companies don't know the exact data trails they create.
But it is all happening for a significant security reason, said JoAnn C. Stonier, who was recently named Mastercard's first chief data officer.
"For us at Mastercard, security has always been part of our value proposition, but the GDPR and payments directives in Europe also place that value on security," Stonier said. "From a security perspective, the GDPR has created the first comprehensive breach law in Europe."
Many facets of GDPR are cyber- and security-minded, Stonier said, especially the requirement that data sets undergo pseudonymization, or the process of splitting up personal data, so that all of the information about a consumer can't be found in one place.
"As a method of data protection, that really removes identifiers to make it hard for the data to be traced back to an individual," Stonier said.
Payments companies have systems and processes in place that put them in the forefront of understanding their data, where it goes, why it is moved, where it is stored and what it might be needed for in the future.
"I can't speak for my peers, but Mastercard has looked at GDPR as an opportunity to look at how we are doing now and what we want to do in the future, and what needs to be done to comply with a law like this," Stonier said.
It's a different standard for U.S. companies to comply with because it sets a high baseline that values data as a fundamental human right, Stonier added.
But it doesn't seem likely Mastercard and others will have to totally revamp procedures and processes just to adhere to standards concerning European customers.
"We are not sure it will show up exactly the same in all markets," Stonier said. "The baseline will be the same for us, because a lot of our products are created for a global marketplace and we don't recreate things, necessarily, in order to treat consumers in Europe differently than in other markets."
Online interactions are to become more stringent, especially regarding consent to use data in other manners. But most companies are viewing GDPR as a way to bolster what they feel is already a strong commitment to security in an era of constant cyber threats.
Indeed, GDPR compliance makes for a better company, said Ron van Wezel, a senior analyst with Aite Group.
"The GDPR forces companies to include data protection and privacy into the design of their processes," van Wezel said. "This not only reduces the systemic risk of a data breach, but also provides companies with the tools to manage consumer data in a centralized and transparent way."
It also paves the way for companies well-versed in data protection to move the bar even higher. Even though payments and financial services companies may not face major changes to privacy principles, their focus has to include helping clients and partners meet obligations and put together compliance frameworks.
“Nothing is more important to Visa than trust and security," Visa said in a prepared statement. "Safeguarding consumer data and ensuring trust are the cornerstones of our business."
Still, Visa is making enhancements and adjustments to its global privacy program to follow the framework GDPR provides. "We are also engaging with our financial institution clients and other players in the payment services ecosystem to ensure consistency and alignment,” Visa added.
Many companies are adjusting to the GDPR requirements through personnel changes and full inventory of data handling, including making sure that their vendors and partners are also GDPR compliant.
"Through GDPR readiness, we have appointed a data protection officer, completed an inventory of our processing activity records and revised our customer and partner contractual documents in order to ensure any required GDPR language is included," said Rob Grant, global acquiring risk leader for the payments processor Elavon.
Elavon is engaged in other GDPR processes, including training for employees and "awareness across the business," Grant added. "We are prepared and ready to meet the May deadline, and have implemented several changes across our business in Europe to meet the deadline and requirements."
Ultimately, GDPR, which was originally drafted in 2012 and is finally being implemented this year, is delivering a significant request for companies across the globe.
"They are asking all of the companies in the chain of the digital world to be more accountable," Mastercard's Stonier said. "It will take some time for all companies to be ready for that."
Making it even more demanding, Stonier said, is the fast pace of technology.
"The world has moved on since GDPR's first drafts," she added. "As a law, like all laws, GDPR sets a baseline for an area of the world in data use and innovation that we know instinctively is going to keep on moving forward."