As a new financial dawn for many UK businesses breaks, the mists of confusion over the EU’s General Data Protection Regulation (GDPR) have at last started to clear, giving long-needed clarity and direction to business leaders over what needs to be done and by when. There are just two years to become fully GDPR compliant, and that’s not a lot of time for such a wide-reaching regulation.
In the current climate, one could be forgiven for seeing the past three years of discussion and consultation as another example of EU bureaucracy and meddling. To do that, though, would trivialise and miss the real point of the GDPR and also vastly underestimate the complexity of what a single regulation has to cope with.
With ever-increasing amounts of data flowing across ever-blurring geographical boundaries, the question of how to harmonise and protect EU consumers’ personal data across the community, and beyond, has been both difficult and increasingly important. This is, after all, a regulation that is there to protect us as consumers!
So what does the GDPR really mean for businesses that sell goods or services to consumers in the EU?
To start with, it is best to look at the GDPR from the outside-in, from the consumer to the business. If the consumer is an EU citizen, compliance with the GDPR will apply regardless of where the business supplying the goods or services is based or headquartered. In practice, this means that even a company outside the EU which is targeting consumers in the EU will be subject to the GDPR.
It’s worth saying at this point that compliance with the GDPR cannot ever completely eradicate the loss of sensitive personal data by an organisation. Card fraud and cybercrime are on the increase, and methods of attack, especially where obtaining payment card information is the objective, have become much more sophisticated and difficult to defend against.
The GDPR brings to the statute books real obligations on businesses in terms of protecting consumer data, and also sets how quickly a company must publicise any breach it suffers – within 72 hours of it occurring. Failure to do so can result in a fine of up to 4% of annual worldwide turnover, a startling amount that has attracted a lot of attention from senior business leaders and board-level executives. This fine is in addition to any other penalties that would be levied on businesses by organisations such as those within the payment card industry; these charges are typically brought to cover the replacement of compromised credit or debit cards. Add to all of this the significant financial losses from reduced customer loyalty and overall brand damage, and the risks associated with processing such essentials as card payments from EU consumers are now substantial. Research completed and published in the 2015 Cost of Data Breach Study by the Ponemon Institute shows an average cost of $3.79M per data breach. This is up 23% on the 2014 figure, and that trend isn’t expected to reverse any time soon.
But why should I care?
Maybe the real challenge for businesses is in understanding and accepting the true cost and value of becoming compliant, in both budget and time terms. The reality on the ground is that there are currently very few organisations that can deliver the knowledge and skills required to get businesses to where they need to be before the inevitable happens. This general lack of available resources is especially apparent in the Payment Card Industry Data Security Standard (PCI-DSS) space. With this in mind, the sensible approach is to engage as early as possible with those few specialists in the field.
We believe that the best way to protect organisations from losing sensitive data is to completely avoid being exposed to it in the first place. All you need to know is that you got paid, not the full details of the payment.
How can we help?
Our patent-pending solution delivers this by intercepting and processing sensitive customer data, such as card details, before it enters your organisation. If a data breach does occur in your company while you’re using our solution, card details were never recorded, and therefore the risk to the business, its brand, its reputation and its customers is minimised. This approach also supports compliance with PCI-DSS requirements.
Where we differentiate ourselves from competitors in the compliance space is by offering our hosted solution as truly carrier-independent. Our clients don’t need to lock themselves into a multi-year calls-and-lines deal with a single provider for all locations, as some PCI vendors force their customers to do. Additionally, as we are a provider of complete business solutions across voice, contact centre, network, professional services and applications, we truly understand the customer journey and can offer not only MOTO (mail order/telephone order) transaction protection but also the other essential security controls, such as two-factor authentication, that help in aligning with the GDPR.
The GDPR is coming, and a quick start, along with engagement of specialist resources in the field, will underpin your success. The last thought I’ll leave you with is this: the organisations that show early leadership by investing in protecting their customers’ data will be the businesses that thrive, and it can be a differentiator that sets you above the competition. Value your customers’ data and they will value you.
Learn how to deliver improved customer and agent experience. www.ipintegration.com