What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU law that has applied since May 25, 2018. It strengthens the protection of personal data, regulates how organisations use the data they collect, and upholds individuals’ right to privacy. The GDPR applies to all personal data handled within the borders of the EU, or relating to individuals in the EU, regardless of where the organisation handling the data is located. It is the most significant change to data privacy regulation in 20 years.
The DPO Group is committed to maintaining the highest standards of security to protect our merchants and their customers. DPO processes payments from customers across the globe, including individuals in the EU, hence the requirement for us to be GDPR compliant.
Personal data includes any information relating to a person who can be identified, directly or indirectly, by reference to an identifier. It is a deliberately broad definition and covers a wide range of personal identifiers, such as a name, an identification number, location data, or online identifiers.
The GDPR is a set of rules which apply to the processing of this personal data. Processing includes collection, recording, organisation, structuring, adaptation or alteration, retrieval, consultation, use, disclosure or otherwise making available, restriction, erasure or destruction. Essentially, any operation that stores, accesses, or references personal data is considered processing.
GDPR defines three roles in the processing of personal data:
Data subject – the consumer
Data controller – the merchant, the party that determines why and how the data is processed
Data processor – a third party that processes the data on the controller’s instructions
The data controller is responsible for the relationship and communication with the data subject. Even where a third party processor is involved, the controller remains responsible for determining the purpose and legal basis of the processing of the subject’s data.
Under the GDPR, DPO acts as both controller and processor: a customer enters their personal details (name, address, card details) into the merchant’s system via the DPO API, and DPO then uses that information to complete the transaction between our system and that of the associated credit bureau or bank.
Security of Personal Data
Data received by DPO is protected and secured in line with PCI DSS Level 1 compliance requirements. DPO is also pursuing additional security standards and is working toward ISO 27001 certification. Personal information is recorded in line with our data protection impact assessment and data inventory policies, which are reviewed at least annually.
If personal data is compromised and the breach is likely to put the data subject’s rights and freedoms at risk, the controller must communicate the breach clearly and without undue delay. Under the GDPR, the supervisory authority must be notified within 72 hours where feasible, and affected data subjects must be informed without undue delay where the risk to them is high. The controller may also request further information from the data subject where a request is unclear or there are reasonable doubts about the requester’s identity, for example to guard against fraud.
Data Protection Officer