Under the 1950 European Convention on Human Rights (ECHR), largely drafted by British civil servants, a right to privacy was conferred on all citizens of Europe.
Although it pre-dates and is independent of the EU, the ECHR is the basis of the EU's attempts to maintain the privacy of the individual as technology and the internet have developed. The provisions of the 1995 European Data Protection Directive were quickly outstripped by progress, and the GDPR was passed by the European Parliament in 2016 and came into effect in 2018.
Does the GDPR apply in the UK?
But the UK has left the EU, hasn't it? That's true, but the effect of the GDPR is to impose the same obligations on any business or organisation that targets, transacts with or collects data relating to EU citizens, wherever that business is based. There are no exceptions, and contravention can attract severe penalties running into tens of millions of euros, as Google and H&M among others can painfully testify. Individual victims of violations may also seek compensation in damages.
The GDPR is the strongest privacy law ever enacted anywhere in the world. Its effect is sometimes nicknamed 'the right to erasure' because an individual can request any organisation to cease the processing or distribution of their data and remove it from its storage systems. This applies if there is no compelling reason for their data to be retained.
There is an important distinction to make between the GDPR and the PCI DSS: the latter was designed specifically for the protection and security of Mail Order and Telephone Order (MOTO) payments, whereas the GDPR applies more generally to personal data of all kinds.
Personal data is defined as including names and email addresses as well as location information, ethnicity, gender, religion, web cookies and even political opinions. Data processing includes the storage of this information, but also collecting, organising and even erasing it. In practice, anything a business might do with a customer's information is caught by the GDPR.
Data processing must be lawful, fair, transparent and limited to the purposes for which the subject originally consented, and no more than the absolute minimum of data may be stored. The data must be kept accurate and up to date, retained only for as long as its legitimate purpose lasts, and held in a secure system, ideally using encryption. The business must be able to demonstrate its compliance if investigated.
That last point on demonstrability needs to be emphasised: if you can't show you are compliant, then you are judged not to be. An organisation needs to assign data protection responsibilities, maintain documentary records, train staff, execute data processing agreements with third parties and appoint a Data Protection Officer to monitor the entire compliance process.
Does the GDPR Apply to Me?
Although the headline stories about data breaches focus on internationally known brands that have fallen foul of the GDPR, small and medium-sized enterprises are not below its radar. It's certainly true that the regulation treats some SMEs slightly differently. For example, a business with fewer than 250 employees is not obliged to keep records of its processing activities unless specific conditions apply, including a potential risk to the rights and freedoms of data subjects or the processing of data relating to criminal offences. But while some of the responsibilities may be less onerous, in general the GDPR will always apply.
If your business takes payments over the phone, then by default you are collecting, using and probably storing data that falls under the regulation. This is not limited to credit card numbers but includes contact details, addresses and any other information gathered in the process. Putting in place GDPR-compliant systems from scratch would be a nightmare. However, because Paytia's Secure Virtual Terminal is fully GDPR compliant, it can do the hard work for you. Collecting payments while complying with the law couldn't be simpler.