GDPR: Origin and impacts on payment
The General Data Protection Regulation was applied on May 25, 2018 and is one of the fundamental principles of data security, especially in the digital sector. This document has several objectives: to strengthen regulation by rallying the data protection authorities, to revalorize the rights of individuals in terms of protecting their data and finally, to make all actors who may process this data in the course of their activity accountable.
Source : Données-RGPD
Where does the need for an GDPR come from?
The GDPR is of course not the first document put in place to protect the private data of the population. It is inspired and even largely derived from a French law applied on January 6, 1978 aiming first of all at countering the filing of data based on the social security number.
It is only a few years later that the Minitel and the first computers began to appear, bringing with them their share of concerns and uncertainty concerning the protection of their users’ data. The fact that the circulation of data became international at that time, pushed the countries concerned to establish common rules to control this circulation.
All these reflections have allowed the European Union to publish and apply the GDPR that we know today: inevitable and to be respected by all companies. A long-distance arm-wrestling match is therefore unconsciously taking place between Europe and the United States, with large American companies such as Google having to comply with this regulation on European territory.
Its implementation was quick: almost every website you visit will indicate your data protection options at the bottom of the page. The Internet user can check off what he wants to share or not, and can count on the CNIL’s surveillance to ensure that the visited site respects its commitments in terms of private data protection.
Another element that reinforces the relevance of this GDPR is the rapid evolution of payment methods and the appearance of new ones. The latter require particular attention regarding the security of the data involved in the financial processes.
GDPR and payment security
The GDPR has indeed a very important role to play in the payment industry due to the sensitivity of the information involved in this sector.
Let’s take the example of e-payment by bank card. This means of payment, which is increasingly used by consumers, logically required a framework adapted to its development. During an online purchase, the e-merchant will temporarily have access to the cardholder’s card data: the card number, its cryptogram and its expiration date. One of the roles of the GDPR, and even more so of the CNIL, is to ensure that this data is not kept by the e-merchant once the purchase is validated.
The only case where this data can be kept is if the cardholder has given his consent to the merchant, for example in the context of subsequent or recurring purchases from the same e-merchant. The CNIL encourages merchants to include a clear option for cardholders to withdraw their consent at no additional cost.
Source : CNIL
The example of subscriptions comes to the forefront in this case, since it shows a willingness on the part of the customer to make a medium or long-term commitment to the merchant. The e-merchants have the possibility in this case to keep the user’s data under certain conditions:
- To be 100% transparent and clear about the retention of the bearer’s data in the specific context of the subscription.
- To allow the holder to easily reconsider his decision and thus force e-tailers to delete the data previously collected.
- To give the holder the right to object via a checkbox or a clear box.
- To have strong security measures regarding the storage of this data.
The conservation of data is therefore very closely supervised. In no case would one-time purchases justify this conservation, and it remains exceptional in the case of subscriptions and subscriptions.
The CNIL also advises consumers to be informed and to remain vigilant when sharing or storing their banking information. Keeping your banking information on a notepad of your smartphone, for example, is a risk you are taking, as your smartphone is not a medium designed to fully ensure the security of your payment data.
It also encourages the use of more secure means of authentication, such as the biometrics we mentioned in the previous article. Indeed, it seems to be able to fit very well in the logic of the GDPR, its reliability in the identification of the bearers being the highest to date.
The GDPR is therefore a dense document influencing many sectors that depend on digital to conduct their business. Its impact in payment is undeniable and has changed the way consumers’ personal data is collected and managed, with the aim of protecting them as much as possible.