Cross-Border Payment Compliance: What to Know as GDPR Kicks Off
As GDPR launches today, Brent Crider outlines the regulation's requirements and how it affects organizations processing cross-border payments. Vendors managing payroll or freelancer payouts for enterprises must be especially vigilant about GDPR compliance, because they store a wealth of personally identifiable information that accompanies such payments.
On May 25, the EU's General Data Protection Regulation (GDPR) takes effect and will radically alter the cross-border payments landscape. The regulation has sweeping compliance implications for how global financial institutions process and move personal data across borders, including the payer and payee data attached to capital transactions. Its impact is compounded by provisions that give individuals more control over how their information is stored and protected.
Cross-border payment providers that help companies manage international transactions must adapt their services to these changes in data protection law, both for themselves and, in effect, as a watchdog for their clients. Preparing for GDPR means reviewing providers' data protection management systems and clients' territorial scope, rolling out new privacy notices, and appointing a Data Protection Officer where the regulation requires one.
What are the requirements of GDPR?
GDPR applies to the personal data of individuals in the EU regardless of where the company processing it is established (e.g. in the U.S.), so firms must research carefully how compliance is maintained when transacting between different territories.
Under the regulation, companies need a lawful basis, such as the individual's freely given and unambiguous consent, to hold, process, and retain personal data, and they must protect that data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. GDPR also introduces a right to 'data portability,' which entitles individuals to receive their personal data on request in a structured, commonly used, machine-readable format.
Vendors that manage payroll or freelancer payouts for their enterprise clients must be particularly vigilant about GDPR compliance, given the wealth of personally identifiable information that accompanies these types of payment. Human resources and payments professionals who process employee salaries handle sensitive details, including national identification or Social Security numbers, bank account numbers, addresses, phone numbers, and other tax information.
Not only do cross-border payment service providers need to familiarize themselves with the nuances of GDPR for their clients' protection, they must evaluate their own compliance capabilities as well. Under the new regulation, processors as well as controllers are directly subject to enforcement; neither is exempt. What remains up for debate, however, is the correct preparation process for this unprecedented regulatory change.
As enterprises with cross-border payment elements fine-tune their operations with GDPR's May 25 start date in mind, here are the most pressing areas that compliance officers accountable for cross-border payments must prioritize to lay the best foundation for a new era of empowered consumers and privacy management.
Communication across departments
GDPR's requirement to report personal data breaches to the supervisory authority within 72 hours of becoming aware of them, where feasible, has drastically shortened the timelines that companies with European Union interests previously worked to. Reports must also describe the breach in more detail: the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed. In addition to alerting the authority, firms must notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms, and every breach must be documented internally whether or not it is reportable. This demands a fresh approach to how information is shared, both with external partners and within the organization itself. For companies and professionals in the cross-border payments field, the overhaul grows as new jurisdictions, regional regulations, and international partners complicate the flow of information and magnify the need for efficient communication.
Legal, Compliance, Operations, Information Technology, and Information Security teams must work in tandem to meet every regulatory obligation detailed in GDPR efficiently, without compromising business performance. The best format for this alliance will borrow elements from crisis response teams, law enforcement, and even the military: a shared reporting mailbox, process documents that spell out how information will be shared, and specific roles and responsibilities that create a decision-making hierarchy for meeting reporting deadlines. Applying these features will strengthen a company's ability to observe, orient, decide, and act swiftly to meet its obligations.
Identifying the talent and technologies that enable adaptation
To ensure GDPR compliance, cross-border payment firms should appoint a Data Protection Officer (DPO). The appointment is mandatory where an organization's core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, and it is advisable for any firm handling payroll data at volume. The DPO needs the experience to orchestrate and assemble cross-enterprise committees in a timely fashion and to minimize the risk of exposure. Within these groups, the DPO must recognize and apply the unique qualifications and knowledge sets that help organizations interpret data protection laws, manage data from across the enterprise, identify the operational and infrastructure changes needed to mitigate liability, and ensure that this epic mandate does not compromise daily performance or revenue streams.
The appointed officer must also be provided with adequate resources, such as the ability to map where personal data is stored across the enterprise and to ensure it is encrypted as it moves between parties. The regulation requires that the DPO report directly to the highest level of management and not be dismissed or penalised for performing the role. These skills and resources may be provided by a contractor or an employee, as long as the individual does not hold other responsibilities that conflict with the DPO's duties. Needless to say, the days of a siloed compliance department 'bolted on' to an organization are behind us. Through people and technology, compliance must now become a strategic priority to preserve a company's financial well-being; fines for the most serious infringements can reach €20 million or 4% of worldwide annual turnover, whichever is higher.
Applying proactive risk assessment
Reaction alone will not suffice under these new rules, so companies must now prioritize getting ahead of their liabilities. Regular, preemptive risk analysis, including the data protection impact assessments GDPR requires for high-risk processing, and internal reviews conducted alongside the IT and security teams are required in this new realm of proactive compliance. For example, planning ahead to research, vet and hire an independent reviewer with broader reference experience than those inside the company's walls can bring a fresh perspective that points out vulnerable areas of operations before things go awry. Considering that GDPR's predecessor, the 1995 Data Protection Directive, predates a plethora of technology that has since entered the enterprise, identifying these flaws can be a monumental task. Onboarding external partners for finance, technology, and transaction monitoring reviews may also be required.
Adding to these new processes, an overhaul of existing practices is also key. The antiquated pre-ticked box or buried disclosure statement we see so often today will no longer do: consent must be a clear affirmative action by the customer, specific to the purpose, and as easy to withdraw as it was to give. Meanwhile, contracts between controllers and processors must be updated to set out how information is stored and processed under the new regime, and to confirm how firms sharing data will secure it in transit, especially as organizations make cross-border payments with accompanying payer/payee datasets.
Understanding ‘Right to Be Forgotten’
Over time, organizations accumulate old personal data about their customers. Under GDPR, individuals have the right to request the "erasure" of their personal data, whether it is a protected ID number or a simple email address, and where one of the regulation's grounds applies (for example, the data is no longer needed for the purpose it was collected for, or consent has been withdrawn) the organization must delete it without undue delay and tell any other recipients of the data to do the same. For organizations that leverage archived data for business intelligence, such as how recipients prefer to receive payment from overseas, this is no easy process. Legacy archives, scattered backup stores, and patchwork systems resulting from years of expansion, mergers and consolidation make the task of retroactively mapping data a daunting one.
If there is any hesitation among colleagues about whether certain datasets should be removed, remember that the burden is on the organization to demonstrate a lawful ground for keeping the data. At the same time, understanding the exceptions to the 'Right to Be Forgotten' helps a compliance professional allocate resources more effectively. For example, data needed for historical or scientific research, or records an employer must retain to meet a legal obligation, such as payroll records kept for tax audit, may not have to be deleted. For companies that exchange data with partners around the world especially, every ounce of compliance bandwidth that can be salvaged is valuable.
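The mapping-and-erasure problem described in the last two paragraphs, as an added Python illustration that is not part of the original article: three constructed stores (a CRM, a payout archive and a marketing list, all hypothetical) are searched for every record tied to one data subject; records under a statutory retention hold are kept and documented rather than deleted; everything else is removed; a verification pass confirms nothing undocumented remains; and a keyed hash of the erased identifier goes on a suppression list so that a restored backup or a late-arriving partner file can be screened without keeping the identifier in plaintext. The store names, record categories, hold period and key are assumptions made for the example.

```python
"""Erasure-request handling across scattered stores, with retention exceptions.

Added illustration: stores, records, categories and dates are constructed for
this example and do not describe any real payments system.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2025, 5, 25)  # constructed "today" used by the demo and the test


@dataclass
class Record:
    store: str
    record_id: str
    subject_email: str
    category: str                        # profile, payout_history, marketing, payroll_tax
    retain_until: Optional[date] = None  # statutory retention end date, if any


# Hypothetical data stores, as a data-mapping exercise might have found them.
STORES = {
    "crm": [
        Record("crm", "c-1", "ana@example.com", "profile"),
        Record("crm", "c-2", "bob@example.com", "profile"),
    ],
    "payout_archive": [
        Record("payout_archive", "p-77", "Ana@Example.com", "payout_history"),
        Record("payout_archive", "p-78", "ana@example.com", "payroll_tax",
               retain_until=date(2031, 12, 31)),
    ],
    "marketing": [Record("marketing", "m-5", "ana@example.com", "marketing")],
}

# Categories the employer must keep for a statutory period (GDPR Art. 17(3)(b));
# which categories and for how long is an assumption for this example.
LEGAL_HOLD_CATEGORIES = {"payroll_tax"}

# Suppression list: keyed hashes of erased identifiers, so a restored backup or
# a late partner file can be screened without storing the plaintext identifier.
SUPPRESSION_KEY = b"constructed-example-key"  # in production: a managed secret
SUPPRESSED = set()


def _normalize(email: str) -> str:
    return email.strip().lower()


def suppression_token(subject_email: str) -> str:
    """HMAC-SHA256 of the normalized identifier; unkeyed hashes of e-mails are guessable."""
    return hmac.new(SUPPRESSION_KEY, _normalize(subject_email).encode(), hashlib.sha256).hexdigest()


def is_suppressed(subject_email: str) -> bool:
    return suppression_token(subject_email) in SUPPRESSED


def locate(subject_email: str, stores=STORES) -> list:
    """Every record tied to the subject across all known stores (case-insensitive match)."""
    needle = _normalize(subject_email)
    return [r for recs in stores.values() for r in recs if _normalize(r.subject_email) == needle]


def erase(subject_email: str, today: date, stores=STORES) -> dict:
    """Delete what may be deleted, document what must be retained, verify nothing else remains."""
    deleted, retained = [], []
    for r in locate(subject_email, stores):          # locate() returns a fresh list, so removal is safe
        on_hold = (r.category in LEGAL_HOLD_CATEGORIES
                   and r.retain_until is not None and r.retain_until > today)
        if on_hold:
            retained.append((r.store, r.record_id, f"legal hold until {r.retain_until.isoformat()}"))
        else:
            stores[r.store].remove(r)
            deleted.append((r.store, r.record_id))
    SUPPRESSED.add(suppression_token(subject_email))
    # Verification pass: any record still present that is not a documented hold is a failure.
    held_ids = {(s, i) for s, i, _ in retained}
    residual = [(r.store, r.record_id) for r in locate(subject_email, stores)
                if (r.store, r.record_id) not in held_ids]
    return {"deleted": deleted, "retained": retained, "residual": residual,
            "complete": not residual}


if __name__ == "__main__":
    report = erase("ana@example.com", AS_OF)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("re-ingest of ana@example.com blocked:", is_suppressed("ana@example.com"))
```

Two design points matter in practice. The retained list is part of the answer to the data subject, not an internal footnote: the organization has to be able to say which records it kept and under which legal obligation, and for how long. And the suppression list uses a keyed hash rather than a plain SHA-256 because e-mail addresses are low-entropy; an unkeyed list could be reversed by guessing, which would defeat the purpose of not retaining the identifier, so the key must be handled as a secret in its own right.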
While there is no denying the value of a growing globalized economy, catalyzed by rapid advances in enterprise and communications technology, the prospect of managing cross-border payments data among a large number of stakeholders under GDPR is a daunting one. Amid instability and frantic preparation, however, establishing a basis of improved communication, designated roles, robust technology, and preventative action gives compliance professionals the best footing possible to meet and exceed these great expectations.