Protecting customer data and a person’s right to privacy has been a hot topic so far in 2018, with more and more companies enacting additional security measures and review processes to make sure information is handled correctly.
Whether it’s through enabling two-factor authentication or establishing stricter vendor onboarding, companies around the globe are taking the steps to gain and keep the trust of customers.
While many of these businesses are taking action because security has become an ever more pressing concern, some companies have to change the way they do business in order to comply with a new European law.
U.S. companies with customers or employees in Europe will have to take additional steps to prove their data is protected when the European Union’s new data protection law goes into place in one week.
The E.U.’s General Data Protection Regulation (GDPR) goes into effect May 25, requiring companies to conduct regular assessments of their own compliance. The new law puts more responsibility on companies with E.U. operations to make sure all of their systems – and their partner company systems – are secure.
If something goes wrong, a company has to prove it took the necessary steps to protect data and meet regulations. If a company can’t prove compliance, it could face a fine of €20 million or 4 percent of its global revenue, whichever is higher.
Although the law directly applies to companies in the European Union, any business that operates in the E.U. or has E.U. resident customers also has to prepare for the law.
What are the main elements of GDPR?
GDPR gives customers more control over their personal data and what companies can do with it.
This starts with companies being up-front about the information they are collecting. GDPR requires that all data subjects be informed in clear, transparent terms. Customers give their consent for their information to be processed for specific activities. For example, consumers must opt into their email address being used for company email marketing lists.
The data must be used only for the purpose it was given and kept for no longer than necessary. In the process of collecting that information, companies must not collect data that is not required. Once the data is collected, it must be protected and kept up to date.
Consumers also must be able to easily withdraw consent to their data being used – at least as easily as they are able to give consent.
Consent must be actively opted into by the customer. Many companies have pre-ticked boxes for marketing materials and data consent. These are no longer an option under GDPR for businesses operating in the E.U.
What rights do data subjects have?
Data subjects (living persons whose personal data is being processed, whether clients, consumers, or employees) have more rights under GDPR.
Individuals can ask for their own data and how it is being used. Companies must provide the data to them free of charge within 30 days in a readable format.
Individuals can also ask for their information to be deleted. If the individual is a current customer and the company needs the information to fulfill a contract or certain legal regulations, this right may not apply.
Individuals can ask a company to stop processing their data. In this case, companies would still be allowed to store the data, but not use it.
In line with GDPR’s requirement that information be kept up to date, individuals can ask for their information to be corrected, and companies must comply.
Evaluating third-party relationships
Just as GDPR extends to non-E.U. companies that process E.U. resident data, it also extends to the third parties of any of those companies.
It is important for companies to know that their partners are compliant, otherwise they can be held accountable. Companies with operations in the E.U. might want to review relationships with the vendors they pass customer data to and review security protocols.
The rights of data subjects also extend to these third-party companies if they hold customer data.
As a company with a global headquarters in the U.K. and operations across Europe and globally, WorldFirst is taking the steps necessary to be GDPR compliant by next week’s deadline.
WorldFirst has long prided itself on keeping customer information secure. As an international payments company, we handle sensitive financial information daily, so we already work within the highly regulated financial services framework in the United States and wherever we operate globally.
Companies, individuals and ecommerce sellers that use WorldFirst services to transfer money internationally can rest assured that GDPR compliance is a top priority at WorldFirst.