GDPR - What Merchants Need to Know

Brian Gaynor J.P. Morgan Executive Director for Product Solutions
Jun 7, 2018

By now most organizations have heard of the European Union’s (EU’s) General Data Protection Regulation (GDPR), which came into force in May 2018. The new legislation establishes guidelines on how companies should handle customer privacy, store data securely, and respond to security breaches. Businesses across the EU (or that have dealings with EU companies) have been working hard to change their practices and become GDPR compliant. Merchants, who frequently come into contact with sensitive customer information such as payment details, have to be especially prepared, as GDPR has the potential to affect many areas of their businesses.

For the first time, obligations are placed on both data controllers and data processors. In other words, the legislation affects not just an organization (the controller) but also its outsourcing provider (a cloud or a third-party payment provider). Previous legislation placed responsibility solely on the controller.

At the heart of GDPR are a number of changes to the way that customer data is handled. For example, companies can no longer store a customer’s personal data simply because it may prove useful in the future. Instead, the responsibility is on businesses to justify why they are retaining customer information; otherwise it may have to be erased. And, for the first time, there is also a ‘right to be forgotten’. GDPR makes no distinction between physical and digital data: it could be customer details held in a database or on paper, either of which would now have to be made available in the event of a consumer request.

Under the regulation, firms can face significant fines. GDPR also allows individuals to make a claim for damages for non-financial loss. Merchants and third-party payment providers are frequent targets for attacks by cyber-criminals, so they will have to ensure especially tight protocols to prevent this.

GDPR shouldn’t just be thought of as a burden: the organizational changes will mean greater transparency and will also offer more security for customers. Companies that are diligent in implementing these changes may also find that their customers trust them more. By prioritizing data security, they demonstrate a willingness to put customer concerns first, which could result in reputational benefits, especially if the provisions they implement go beyond what the law requires. In short, implementing GDPR means major changes, but it should benefit businesses and customers alike.

Chase Paymentech Europe Limited, trading as J.P. Morgan, is regulated by the Central Bank of Ireland.

The information herein does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients, and any recipient of this document shall make its own independent decision. This document and the information provided herein may not be copied, published, or used, in whole or in part, for any purpose other than expressly authorized by Chase Paymentech Europe Limited.

© 2018, JPMorgan Chase & Co. All rights reserved.

The Merchant Advisory Group