What Effect Did the General Data Protection Regulation — or GDPR — Really Have on Merchant Operations?
The General Data Protection Regulation, commonly abbreviated as the GDPR, was one of the first global data protection policies. Officials claimed these regulations would “strengthen and unify data protection for individuals within the European Union.” That was before implementation back in 2018, though.
Did the initiative really deliver on that promise? What more could be done?
In order to fully grasp the benefits and pitfalls of GDPR, we should reexamine what it is, its intended purpose, and the unintended problems it might have introduced to the global market.
When Did GDPR Go Into Effect? Who Does it Apply to?
The General Data Protection Regulation is a data protection and privacy regulation implemented as part of EU law on May 25, 2018.
The GDPR applies throughout the European Union and the European Economic Area. The ruleset is an important component of EU privacy law and human rights law, particularly Article 8 of the Charter of Fundamental Rights of the European Union.
GDPR was revolutionary in the sense that it was the first effort to extend EU data protection laws to international businesses. Both local and international businesses that sell to EU customers were impacted by the regulation. Any company that controls or processes personal data of EU residents is subject to the law.
What Purpose Does GDPR Serve?
In short: the objective is simply to protect the privacy of consumers and keep their data safe.
Obviously, it’s not the intent of most businesses to use consumer data in a nefarious or irresponsible way. Regardless, the GDPR was implemented in response to consumer concerns about how businesses use and retain that data.
Those concerns weren’t unfounded. 88% of UK companies suffered breaches between 2019 and 2020. The figure rose to 90% in Italy, 92% in Germany, and a whopping 94% in France, so the concern is definitely warranted. Indeed, according to international insurance group Hiscox, one small business is successfully hacked in the UK every nine seconds.
The purpose of GDPR was to increase and mandate consumer protections in the EU and abroad. The legislation broadened and diversified the definitions and utility of privacy terminology.
GDPR Affects Anyone Who Does Business in the EU
If you sell goods or services to anyone who resides in, or is a citizen of, the EU, then GDPR applies to you. This is true regardless of your location. So, even tech companies in the US could be subject to the law if they track, analyze, and market to EU citizens. The only way to opt out of the General Data Protection Regulation is to refuse to do business in the EU.
Businesses are required to procure and prove that they have invested in technology that will detect data breaches and allow for disclosure within 72 hours. Failure to comply with GDPR rules like this could be extremely costly.
An inability to establish this effective “privacy by design” structure will result in severe consequences. Fines of up to €20 million or 4% of annual worldwide turnover (whichever is greater) could be assessed.
Businesses must consistently demonstrate that they are doing more than complying with the letter of the law regarding GDPR rules. They must also actively innovate and implement new data solutions that protect consumers.
This doesn’t necessarily seem like a bad thing, at least from the outside. But, as most merchants will already know, it can become an expensive and time-consuming process.
Key Policy Changes Imposed by GDPR
As mentioned above, EU policymakers created GDPR regulations to standardize and improve consumer protections. It was also meant to broaden consumer understanding of — and agency over — their own data.
The law redefined much of the terminology concerning the mining, storage, and processing of consumer information and privacy to achieve this goal. These changes include:
The 7 Principles of GDPR
Article 5(1)-(2) of the General Data Protection Regulation lays out the seven principles the GDPR aspires to address. These are as follows:
1 | Lawful, Fair, and Transparent
Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
2 | Of Limited Purpose
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
3 | Data is Minimized
Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
4 | Accuracy
Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5 | Storage Limitation
Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest; i.e. scientific or historical research purposes or statistical purposes in accordance with Article 89(1). This will be subject to the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.
6 | Integrity and Confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data. Examples include protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
7 | Accountability
Finally, the controller shall be responsible for, and be able to demonstrate compliance with, all the other principles outlined above.
These seven principles are meant to ensure that individuals can refuse the use of their data on privacy grounds. They also have the right to restrict businesses from obtaining or using this information without consent.
Does GDPR Deliver on Expectations?
Love it or hate it, the General Data Protection Regulation did increase protections for EU consumers pretty much across the board. In this way, yes, it does deliver on its central promise.
From this standpoint, GDPR is an overwhelming success. It has elevated consumer trust and confidence, improved transparency between merchants and consumers, increased competition between companies, and helped mandate necessary fraud precautions that affect everyone.
Despite all of this, many merchants feel GDPR has fallen short of the mark. It has not streamlined regulation in their view; indeed, many merchants claim GDPR remains an infuriating, complex set of rules that fails to deliver either benefit in any meaningful way.
According to Law.com, there are glaring enforcement disparities at the national level. These stem from gaps in resources, diverging enforcement traditions, and different interpretations and applications of the 80-page privacy bill.
In a further shortfall, EU-wide harmonization of the rules has also been an issue. The EU’s executive body simultaneously hails the bill as “an overall success” while admitting that “harmonized and consistent implementation and enforcement of the GDPR across the EU” fall short of preferred benchmarks.
So, what’s the deal here? Does GDPR work, or not? The answer, much like the law itself, is dense and complicated.
Realities of GDPR
Naturally, when the General Data Protection Regulation came into play, every merchant from Florida to Singapore freaked out. Essentially, any business that has customers in the EU region believed the regulations would utterly hamstring their businesses.
They had no idea what compliance would require, how much it would cost, or how non-compliance might affect them. Add to this a general chafing at their inability to opt out regardless of size or vertical, and you had a recipe for panic.
While inconvenient to some, the protections that the GDPR put in place are great for customers. Buyers are generally happy to spend money with companies that hold their best interests at heart. That said, there are a few downsides to GDPR that still affect many merchants today, especially here in the US, where the law is less forward-facing.
However a merchant feels about GDPR, there isn’t much wiggle room when it comes to following the compliance guidelines. Businesses that fail to comply with the rules are in for a rude awakening, as hefty fines and legal action are very real possibilities.
Take Control of Data Protections
GDPR increased, streamlined, and improved consumer data protections by holding merchants accountable for the data they collect and store. That can certainly be considered true for the consumers impacted by these laws. For merchants, though, the law often presents a further complex hurdle to regular business practices.
However you feel about the regulations, if you intend to do business in the EU, then the General Data Protection Regulation applies to you too. That said, the protections laid out in the GDPR shouldn’t come as a surprise by this point, and what’s more, they shouldn’t feel exclusionary to any business, either.
Even if you are not yet an international seller, it would be a good idea to stay one step ahead of the game by prepping your business for compliance in advance. These preparations can also decrease your risk of fraud, increase consumer trust and loyalty, and ensure that your business is future-forward and prepared for any eventuality.
A few best practices include:
- Informing consumers about their right to data privacy.
- Being transparent about your data collection habits.
- Attaining consent from consumers to use said data.
- Providing consumers with the ability to opt-out of all data collection.
- Treating data protection as a way to enhance your brand reputation.
To take this future-forward approach one step further, it is a good idea for merchants to approach fraud prevention with the same amount of forethought.
Adopt a Multi-Layer Strategy
To remain compliant with GDPR, you will be required to adopt a strong, multi-layered approach to fraud prevention and management. You need to use advanced tools like AVS, CVV, and geolocation, to name just a few. The more safeguards you have in place and working together, the better.
Fighting back against fraud isn’t going to be your only concern, though. Although GDPR doesn’t directly impact your rate of chargebacks, your business will be affected by them no matter where in the world you operate.
Pairing effective fraud and chargeback management together can help your business not only meet the demands laid out in GDPR but could help you exceed them. To make this a reality, having a professional team with industry knowledge and expertise in your corner could be exactly what you’re looking for.
No one understands this better than the experts at Chargebacks911®. That’s why we offer the most comprehensive chargeback management services and products available. Call us today for your FREE ROI analysis.
FAQs
What is the GDPR?
The General Data Protection Regulation (or GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of EU privacy law and human rights law, particularly Article 8 of the Charter of Fundamental Rights of the European Union.
What are the 7 principles of GDPR?
The 7 principles of GDPR compliance are: 1) lawfulness, fairness, and transparency; 2) purpose limitation; 3) data minimization; 4) accuracy; 5) storage limitation; 6) integrity and confidentiality (security); and 7) accountability.
What was the main goal of the GDPR?
EU policymakers created GDPR regulations to standardize and improve consumer protections and increase consumer understanding of, and agency over, their own data. To do this, the law redefined much of the terminology concerning the mining, storage, and processing of consumer information and privacy.
Who does GDPR apply to?
If you sell goods or services to anyone who resides in, or is a citizen of, the EU, then GDPR applies to you, regardless of your location. This means that even tech companies in California, Texas, or Florida are beholden to the law if they operate internationally available websites that track, analyze, and market to EU citizens. Thus, the only way to opt out of the General Data Protection Regulation is to refuse to do business in the EU.
Did the GDPR work?
GDPR did increase protections for EU consumers pretty much across the board. It also ensured that merchants who cater to EU consumers, even overseas, would be beholden to the same standards. From this standpoint, GDPR is an overwhelming success.
However, many merchants feel GDPR fell far short of its proposed benchmarks: namely, streamlined regulation and consistent implementation. Indeed, many merchants claim GDPR remains an infuriatingly complex set of imposed rules that fail to provide either benefit in any meaningful way.