Corporate Compliance Insights
Cross-Border Payment Compliance: What to Know as GDPR Kicks Off

by Brent Crider
May 25, 2018
in Compliance, Featured
GDPR

As GDPR launches today, Brent Crider illustrates the requirements of the regulation and how it impacts organizations processing cross-border payments. Vendors managing payroll or freelancer payouts for enterprises must be extra vigilant about GDPR compliance, as they store a wealth of personally identifiable information that accompanies such payment types.

On May 25, the EU’s General Data Protection Regulation (GDPR) will radically alter the cross-border payments landscape. The mandate has vast and sweeping compliance implications affecting how global financial institutions process and move data across borders, including data attached to capital transactions. The scale of this impact is compounded further by directives to give consumers more power and control over how their information is stored and protected at organizations.

Cross-border payment providers that help companies manage international transactions must adapt their service to these jurisdictional changes around data security, both for themselves and as a watchdog for their clients. GDPR requires thorough reviews of providers’ data protection management systems and clients’ territorial scope, the rollout of new privacy policies and, where an organization’s core activities meet the Article 37 threshold, the appointment of a Data Protection Officer.

What are the requirements of GDPR?

GDPR applies to the personal data of individuals in the EU regardless of where the company processing it operates (e.g. in the U.S.), which demands extensive research into how effective compliance is maintained when transacting between different territories.

Under the regulation, companies need a lawful basis, such as the data subject’s freely given and unambiguous consent or the performance of a contract, to hold, process, and retain personal information, and that information must be protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage. GDPR’s provisions also introduce the right to ‘data portability,’ which gives data subjects the right to receive their personal data on request in a structured, commonly used and machine-readable format.

Vendors that manage payroll or freelancer payouts for their enterprise clients must be particularly vigilant about GDPR compliance, given the wealth of personally identifiable information that accompanies these types of payment. Human resources and payments professionals who process employee salaries handle sensitive details, including national identification or Social Security numbers, bank account numbers, addresses, phone numbers, and tax information.

Not only do cross-border payment service providers need to familiarize themselves with the nuances of GDPR for their clients’ protection, they must evaluate their own compliance capabilities as well. Under the new regulation, both controllers and processors are learning that they are not exempt from GDPR enforcement: a payment provider acting as a processor carries its own obligations and liability rather than simply inheriting its client’s. What remains up for debate, however, is the correct preparation process for this unprecedented regulatory change.

As enterprises with cross-border payment elements fine-tune their operations with GDPR’s May 25 start date in mind, here are the most pressing areas that compliance officers with cross-border payments accountability must prioritize to ensure they have laid the best foundation for a new era of empowered consumers and privacy management.

Communication across departments

GDPR’s 72-hour window for reporting personal data breaches to the supervisory authority, measured from the moment the controller becomes aware of the breach, has drastically shortened the timelines that companies with European Union interests previously adhered to; a processor must in turn notify its controller without undue delay. Reporting also now requires specific details about the breach to characterize its impact: the nature of the breach, the categories and approximate number of data subjects and records affected, its likely consequences, and the measures taken or proposed to address it. In addition to alerting designated authorities, firms must also notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms. This demands a fresh approach to how information is shared, with external partners and within the organization itself. For companies and professionals in the cross-border payments field, this overhaul grows as new jurisdictions, regional regulations, and international partners complicate the flow of information and magnify the need for efficient communication.

Legal, Compliance, Operations, Information Technology, and Information Security teams must work in tandem to ensure they efficiently meet all regulatory obligations detailed in GDPR, without compromising on business performance. The best format for this alliance will adopt elements from crisis response teams, law enforcement, and even the military. The key elements worth extracting from these groups include: a reporting group email, organized process documents that detail how information will be shared, and the assignment of specific roles and responsibilities to create a decision-making hierarchy to meet reporting requirements. Applying these features will strengthen a company’s ability to observe, orient, decide, and act in swift fashion to meet obligations.

Identifying the talent and technologies that enable adaptation

To ensure GDPR compliance, cross-border payment firms must appoint a Data Protection Officer (mandatory where core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, and advisable in any case) with the experience to orchestrate and assemble cross-enterprise committees in a timely fashion and to minimize the risk of exposure. Within these groups, the Data Protection Officer must recognize and apply the unique qualifications and knowledge sets that help organizations interpret data protection laws, manage data from across the enterprise, identify the operational and infrastructure changes needed to mitigate liability, and ensure that this sweeping mandate does not compromise daily performance or revenue streams.

The appointed officer must also be provided with adequate resources, such as the ability to visualize data storage across the enterprise or to encrypt information as it moves between parties. GDPR also requires that the DPO report directly to the highest level of management. These skills and resources may be provided by a contractor or an employee, as long as the individual does not hold any additional responsibilities that conflict with the DPO’s duties. Needless to say, the days of siloed compliance departments ‘bolting on’ to an organization are behind us. Through people and technology, compliance must now become a strategic priority to preserve a company’s financial well-being.

Applying proactive risk assessment

Reaction alone will not suffice under these new rules, so companies must now prioritize getting ahead of their liabilities. Regular, preemptive risk analysis and the internal review of information alongside the IT and security teams are required in this new realm of proactive compliance; for processing likely to result in a high risk to individuals, GDPR makes this explicit by requiring a Data Protection Impact Assessment before the processing begins. For example, planning ahead of time to research, vet and hire an independent reviewer with broader referential experience than those inside the company’s walls can bring a fresh perspective that points out areas of vulnerability within operations before things go awry. Considering that GDPR’s predecessor, the Data Protection Directive, dates back to 1995 and that a plethora of new technology has entered the enterprise space since then, identifying these flaws can be a monumental task. Onboarding external partners for finance, technology, and transaction monitoring reviews may also be required.

Adding to these new processes, an overhaul of existing practices is also key. The antiquated pre-ticked ‘tick-box’ or passive disclosure statements we see so often today no longer constitute consent; consent must now reflect a clear, affirmative act by the customer. Meanwhile, contracts between controllers and processors must be updated to reflect how information is stored and processed under the new regime, as well as to confirm how firms sharing data will secure it in transit, especially as organizations make cross-border payments with accompanying payer/payee datasets.

Understanding ‘Right to Be Forgotten’

Over time, organizations accumulate older records and personal data from customers. Under GDPR, customers now have the right to request the ‘erasure’ of their personal data from an organization’s databases, whether it is a protected ID number or a simple email address, and unless a statutory exception applies the organization is required to fulfil the request and delete the data. For organizations that leverage archived data for business intelligence, such as how recipients prefer to receive payment from overseas, this is no easy process. Legacy archives, scattered backup stores, and patchwork systems resulting from years of expansion, mergers and consolidation make the task of retroactively mapping data a daunting one.

If there is any hesitation among colleagues about whether certain datasets should be removed, it is important to recognize that the burden falls on the organization to justify continued retention. At the same time, understanding the exceptions to the ‘Right to Be Forgotten’ can help a compliance professional allocate resources more effectively. For example, data retained to comply with a legal obligation (such as records that tax, audit or anti-money laundering rules require to be kept), for the establishment or defence of legal claims, or for archiving, historical or scientific research purposes may not require deletion. For companies that exchange data with partners around the world especially, every ounce of compliance bandwidth that can be salvaged is valuable.

Conclusion

While there’s no denying the value of a growing globalized economy, catalyzed by rapid advances in enterprise and communications technology, the prospect of managing cross-border payments data among a large volume of stakeholders in the context of GDPR is a daunting one. Amid instability and frantic preparation however, establishing a basis of improved communication, designated roles, robust technology, and preventative action gives compliance professionals the best footing possible to meet and exceed these great expectations.


Tags: GDPR

Brent Crider

Brent Crider has been Director of Compliance for North America since September 2016. In this role, he is responsible for overseeing anti-money laundering (AML) compliance monitoring, onboarding and compliance reviews, and leads the global transformation project for AML monitoring and screening technology. He holds the Certified Anti-Money Laundering Specialist (CAMS) certification.

© 2022 Corporate Compliance Insights
