OK, so we all know that from May 25th 2018 the new General Data Protection Regulation (GDPR) comes into effect and that there will be significant legal changes relating to how organisations can use and store personal data.
Currently, reports and articles on this topic seem to appear daily, and companies are starting to understand the urgency to act.
What’s most important?
The key GDPR topics that organisations should be aware of are:
- Appointment of a Data Protection Officer
- The 72-hour data breach notification
- The potential fines based upon each organisation’s annual turnover
- The extraterritorial scope when non-EU companies process EU personal data
- Broader data subject rights (data portability).
Enough has been published about these topics so far. But there is more that no one seems to talk about, and it might be even more important than the key topics listed!
Essentials for payment companies
There are also a number of topics that are particularly relevant to payment companies.
Let’s start by looking at the difference between data controller and data processor.
This distinction defines the extent of a party’s GDPR legal obligations.
Controller versus Processor
Many in the industry consider themselves to be a processor, but they have decided this without obtaining legal advice.
The definitions have not changed much under GDPR: a ‘controller’ is the person who determines the ‘purposes and means’ of the processing of personal data.
This organisation therefore decides which data to collect, how it is used and with whom it is shared.
A ‘processor’ is the person who processes the personal data on behalf of the controller.
The processor therefore uses the data for the purposes determined by the controller.
Which role a company in the payment chain holds determines to what extent it must comply with GDPR and to what extent it can be held liable (by law) for any failure. It is therefore a very important assessment for payment companies to make.
Clarity is needed
At this stage I am not sure if and when we can expect to see more specific guidelines on these roles from Europe or from the Article 29 Data Protection Working Party (WP29), which frequently writes opinions and guidance notes.
All we can currently do is relate our understanding to WP29’s Opinion of February 2010 (“2010 Opinion”) and also the WP29’s opinion on processing by SWIFT (“SWIFT Opinion”).
Here are the links:
SWIFT case study – Don’t make any assumptions too quickly!
The key issue lies in defining the extent to which a controller has responsibility for and freedom to determine the overall processing activities. SWIFT considered itself to be a processor.
The SWIFT example highlights a number of responsibilities that the organisation had taken up with regard to its processing operations, which WP29 determined as going “…beyond the set of instructions and duties incumbent on a processor and cannot be considered compatible with its claim to be just a processor.” These included, for instance, the ability to:
- Decide autonomously on the level of information provided to financial institutions in relation to the processing
- Determine the purposes and means by developing, marketing and changing the existing or new SWIFT services and processing of data. For example, by determining standards applicable to its clients as to the form and content of payment orders, without requiring the consent of the financial institutions
- Provide added value for processing such as the storage and validation of personal data and the protection of personal data with a high security standard
- Take critical decisions with respect to the processing such as the security standard and the location of its operation centres
- Negotiate and terminate with full autonomy its services agreements and also draft and change its various contractual documents and policies.
Scarily enough, these factors would apply to many payment companies, as they often have the ability to choose the composition of the portfolio of services they offer (services are developed and changed, and value-added services are increasingly supplied to stay ahead of the competition and to bind existing customers).
They also have the ability to develop the software used to supply the services and to make critical decisions, beyond merely accepting instructions from the controller.
Also included is the ability to impose additional requirements on merchants by means of their software, without the merchants’ consent.
Is it not the case that almost every payment processing company has these powers?
Any self-assessed processor should therefore pay close attention!
2010 Opinion guidance
The 2010 Opinion seeks to provide further guidance, and it is up to you to determine whether it is more hopeful for payment processing companies or whether things get even worse after the crushing SWIFT Opinion.
As explained in the 2010 Opinion, WP29 characterises a controller’s discretion in determining the purposes in terms of its level of influence and margin of manoeuvre.
If, for instance, a controller gives a processor detailed instructions, the processor’s margin of manoeuvre is small.
Where one party monitors another party’s performance and compliance with the contract (and any required technical and organisational measures), this may also help to identify the first party as the controller and the second as the processor.
It indicates that the controller is in full control of the processing activities.
However, these points alone cannot be relied upon. This is because there are often situations in the payments industry where a processor exceeds the mandate given by a controller and actually plays a role in determining the purposes for which the data is processed.
Value-added services are key to market players as the payment landscape and the payment chain continue to fragment.
However, these add-on services may prove a party’s assumption of it being a processor wrong.
The 2010 Opinion provides various examples on companies processing data and the determination of their roles, including where financial transactions are processed (example 10).
A bank uses a financial messages carrier in order to carry out financial transactions. Both the bank and the carrier agree about the means of processing where the processing is carried out at a first stage by the financial institution and only at a later stage by the carrier.
The WP29 continues, “However, even if at micro level each of these subjects pursues its own purpose, at macro level the different phases and purposes and means of the processing are closely linked.”
The final verdict is, “In this case, both the bank and the message carrier can be considered as joint controllers.”
Applying this example by analogy to the entire payment industry, where PSPs and Acquirers are the bank and other service providers (of, for instance, a payment processing platform or other solutions) are the financial messages carrier, I wonder whether there would be any party in the chain that could rightfully claim to be only a processor.
Current state of affairs
Too many market players consider themselves a processor.
If no party assumes the controller role, this will have a tremendous impact on how the GDPR is implemented and how effective it is.
In order to achieve the anticipated goals of the GDPR (increased consumer protection) in today’s world, where data breaches occur often and personal data is seen as the new gold, the two role concepts might not work anymore.
The fragmentation of the payment landscape also makes the distinction less relevant.
It might be an idea to restart the discussions (which were first started after the WP29’s SWIFT opinion but stopped by WP29 with its 2010 Opinion) on abandoning the controller/processor distinction and replacing it with the two more pragmatic concepts of, ‘responsible person’ and ‘processing service provider’.
At the very least, it is about time WP29 issued a more recent opinion that takes note of how the processing landscape has evolved over the years, the new GDPR, and its own transition into the European Data Protection Board under the new regulation.
It would be interesting to see whether its position has changed since the SWIFT and 2010 Opinions.
What should you do now?
In the meantime, even before you implement a GDPR compliance action plan, it’s a good idea to make sure that you analyse and map all your processing activities and how they are designed.
It is also a good idea to review your position in relation to the companies you currently receive data from or send it to.
Don’t assume that, because this is done at the start of the relationship, you are covered. As relationships evolve, facts may change.
Keep an eye out for future posts
Watch this space also, because I will be posting future updates on GDPR legislation as soon as I have access to them.