New EU Policy Has Legal and Financial Ramifications for US Businesses
The General Data Protection Regulation, recently approved by European Parliament, is the first global data protection policy. Officials claim the new regulations will “strengthen and unify data protection for individuals within the European Union”—but at what cost to service providers?
With just one year until non-compliance penalties are implemented, businesses are questioning the outcomes of this unprecedented legislation.
Who Will Be Impacted? Everyone Who Does Business in Europe.
Experts at the International Association of Privacy Professionals estimate GDPR will have three times as many articles as the incumbent privacy legislation. This is primarily due to the scope of implementation and the new definition of “personal data.”
GDPR is revolutionary in that it is the first effort to extend EU data protection laws to international businesses. Both local and international businesses that sell to EU customers will be impacted, as any company that controls or processes the personal data of EU residents is subject to the law.
Additionally, the definition of personal data has been broadened.
According to a recent survey, 52% of large U.S. companies control or process this type of information.
Policy makers claim that streamlining regulations within the EU will make compliance easier for businesses—both in Europe and abroad. However, the convenience of standardized policies comes at a cost.
GDPR Will Fundamentally Change the Way Businesses Operate
Enforcing regulations that apply to how a business manages data—which for many companies, is what drives the majority of their operating procedures—will understandably revolutionize day-to-day functionality.
The most impactful outcomes of GDPR will be derived from three things.
1. Mandatory Consent
Businesses must secure customer consent, disclosing exactly how the information will be used, before using personal information in any way other than the exact purpose for which it was originally agreed. This consent requirement also applies to data that was acquired prior to the law’s enactment.
Consumers must opt in; consent cannot be implied. Businesses must be able to prove consent was obtained, and the language must be easy to understand so that consumers can make an informed decision.
Research has found that 80% of survey respondents do not explicitly ask for permission or are unsure of the company’s policies regarding consent.
2. Right to Erasure
The next significant policy nuance is the right to erasure, or the “right to be forgotten.”
The GDPR stipulates that data can’t be held longer than necessary, the business can’t change the use of data from the purpose that it was originally collected, and consumers can request that their personal information be removed from the business’s database.
Not only that, but companies must know exactly where every instance of personal data is located so it can promptly and effectively be removed—yet 78% of CIOs acknowledge that it is difficult to pinpoint exactly where data is stored. Unfortunately, one of the GDPR requirements is that businesses be able to demonstrate their ability to adhere to erasure requests.
3. Privacy by Design
Lastly, organizations must operate with privacy by design. Adherence to privacy regulations must be integrated into the very functionality of systems and technologies, with default privacy settings set at a very high level.
Part of this privacy by design includes the appointment of a data protection officer, which will be a requirement for approximately 28,000 EU businesses. Previous privacy laws that were applied based on the business’s size will be replaced with ones that are assessed based on data usage.
Despite high standards and professional supervision, there is still a likelihood that data will be compromised. In such cases, businesses are required to maintain technology that will detect breaches and allow for disclosure within 72 hours.
An inability to establish an effective privacy by design structure will result in severe consequences, up to €20 million ($21.2 million) or 4% of annual worldwide turnover—whichever is greater.
The act of creating privacy by design will be complicated by the fact that Europe’s international trade policies, mainly the Digital Single Market, do not align with GDPR timelines.
How GDPR Will Impact Risk Exposure
The implications of GDPR will be extensive and significant. Merchants can expect the following as some of the likely outcomes.
Current Challenges Will Become More Pronounced
Compared to the strict expectations outlined in the General Data Protection Regulation, the world’s current stance on privacy could almost be considered lax.
Despite a seemingly limitless amount of available data analysis opportunities, merchants still struggle to effectively detect and mitigate fraud. Businesses lost $8.6 billion last year to false declines—while actual fraud loss totaled just $6.5 billion.
“The frustrating thing is that most companies have purchased expensive technology from the IT industry, but are just not managing it properly. We find that there’s nearly always sufficient information and intelligence held on computer systems and networks to alarm and detail fraudulent activities. However, this information is often not collected and acted on in the right way.”
If businesses were unable to capitalize on their own data when it was freely given and absent of anonymization, how will they succeed once GDPR is enforced?
Friendly Fraud Will Increase
Consumers who are loyal to a brand and feel a connection to the services being offered are far less likely to engage in cyber shoplifting or friendly fraud. However, the internet has made brand loyalty nearly obsolete. Consumers are interested in whoever has the quickest, cheapest, and most convenient offers.
Despite this trend, some brands have managed to maintain fairly successful loyalty programs. These help keep the brand in front of the consumer and generate positive associations because of things like discounts and special offers.
However, if merchants are forced to disclose exactly how personal information will be used to create targeted and individualized ads, consumers will be far less likely to opt into programs. Thus, a valuable and effective friendly fraud prevention tactic is forfeited.
Chargeback Management Will Be More Complex and Less Efficient
As part of the new disclosure and consent laws, merchants will need to state their intentions regarding chargeback management before the transaction is even finalized.
There is a chance that this disclosure could deter friendly fraudsters who set out with the intention to get something for free. If they know the business will challenge their illegitimate chargebacks, they might be less inclined to initiate them.
However, the stronger likelihood is that consumers will be informed of merchants’ rightful actions as authorized by card networks but misconstrue the intentions. Since very few consumers understand the full rights offered through representment, they will likely assume the merchant is declaring that fraudulent practices will be conducted against the consumer—and is asking for consent to do it!
If merchants don’t seek consent to use personal data for chargeback representment, there is no opportunity to dispute friendly fraud, as needed information would be off limits. However, if merchants do request consent, they’ll likely risk shopping cart abandonment.
The Efficiency of Fully-Automated Chargeback Management Will Be Diminished
Profiling is a practice that has become quite popular in recent years. It is the process of analyzing data to draw conclusions about the data subjects and taking relevant action. It is the driving idea behind targeted marketing—creating content that appeals to an individual based on previously identified preferences and actions.
It is also a common component of the most basic friendly fraud detection tactics and fraud prevention tools based on machine learning.
Now, the act of profiling—using automated data analysis and formulating decisions based upon the process—will be heavily regulated by GDPR. Not only that, but consumers are granted the right to challenge decision-making that is purely algorithmic.
However, the policy clearly excludes processes that are not automated, meaning human intelligence is required.
Not only has human intelligence proved capable of yielding superior chargeback management results, it is also the only way to ensure any action at all can be taken.
GDPR Compliance Will Mimic EMV Adoption
The transition to EMV technology in the U.S.—which proved to be a significantly delayed and inefficient process—serves as a cautionary example of how GDPR requirements will be implemented.
Research has revealed that 74% of UK merchants claim to know very little about GDPR, and only 10% are confident they’ll be fully compliant by the GDPR implementation date. Globally, 80% of merchants know little to nothing about the General Data Protection Regulation, and less than 33% feel they would be prepared if GDPR were enacted today.
As the industry witnessed with EMV’s patchy adoption and slow transition, non-compliant merchants jeopardize more than just their own bottom line. They simultaneously increase risk exposure for other industry members.
Inconsistently applied standards harm everyone involved.
Recognizing Challenges and Creating a Proactive Response
These implications are just the beginning of what will prove to be a very far-reaching and long-lasting legislative venture. It is imperative that global eCommerce merchants and payments industry members recognize the upcoming challenges and create a strategy to proactively address the associated risks.
If you’re concerned about how Europe’s General Data Protection Regulation will impact your business, contact Chargebacks911® today. We’d be happy to help you identify the unique implications for your company and create a risk-free strategy to optimize profitability in a global marketplace.