regulation their customer materials and revise them accordingly, recognising that the industry has often relied on ‘deemed’ or ‘course of conduct’ consent.
New obligations
More significantly, the GDPR will introduce requirements that are entirely new or were previously applied only in particular Member States or to particular industries.
Central to the GDPR are new ‘accountability’ obligations requiring businesses to be able to demonstrate compliance with the GDPR. These include the maintenance of documentation describing processing operations, and the conduct of privacy impact assessments for processing that poses specific risks. The GDPR will also require the appointment of a data protection officer (DPO), depending on factors such as the number of people employed by the business or the invasiveness of data processing.
Notification of security breaches
The GDPR’s most dramatic new obligation is an EU-wide breach notification requirement. Under current EU data protection rules, only providers of public ‘electronic communications services,’ such as telecommunications and internet service providers, are required to notify security breaches. Additionally, in some jurisdictions, national rules may require (e.g. Austria, Germany) or national data protection authorities (DPAs) may recommend (e.g. Belgium, France, Ireland, Italy, Spain, UK) that a wider range of breaches be notified.
The GDPR’s breach notification requirement will apply across the EU to companies in all business sectors. Although they differ on particular points, the Commission, the Parliament and the Council all agree that national supervisory authorities and data subjects likely to be adversely affected should be notified of security breaches.
The payments industry will continue to be a target for hackers given the value of payment card details, and this threat seems to be ever-increasing in scope and sophistication. Accordingly, in addition to ensuring that appropriate information security measures are in place, all players in the industry will need to define and document an incident response plan in advance, where notification is one but not the only item addressed.
Draconian penalties
Fines proportionate to global turnover will inevitably elevate privacy on the corporate compliance agenda. Although the Commission will not have the power to sanction data protection infractions under the new regime, the DPAs will be empowered to impose fines set forth in the GDPR at extraordinarily high levels — currently proposed at up to €100 million or 5 percent of worldwide turnover as per the Parliament’s proposed text — depending on the nature, gravity, duration, and intentional or negligent character of the infringement. The adequacy of the information security measures protecting personal data against unauthorised access will also influence the penalties assessed.
A new regime for third-party processors?
Apart from introducing new compliance requirements, the GDPR also fundamentally overhauls EU privacy regulation by creating new obligations and potential sanctions and other liabilities for data ‘processors’.
In general terms, ‘processors’ are outsourced service providers (e.g. merchant acquirers and other third-party processors) that process data on behalf of businesses, such as data storage, payroll administration or payments. Under the current Data Protection Directive, compliance is squarely the responsibility of the data controller, which is the business that hires and uses the data processor.
In contrast, under the GDPR, the processor will have express responsibility, along with the controller, to ensure that appropriate information security measures are in place to address the risks presented by processing the data.
Furthermore, the GDPR will make processors directly liable for harm caused by processing. Although the EU institutions differ on the particulars, the GDPR will provide that compensation for damages caused by harmful or non-compliant processing may be sought from either the controller or the processor.
30 payments cards and mobile | November | December 2015
Indeed, the Parliament’s text of the GDPR would establish joint and several liability where more than one controller or processor is involved, subject to prior agreement by the parties on the allocation of liability. In principle, under this scenario, a processor (e.g. a merchant acquirer) could be liable for the entire amount of damage stemming from a security breach, even though the breach resulted entirely from the controller’s (e.g. a retailer’s) failure to implement adequate security measures with respect to its own premises, systems or POS devices.
Determining whether a party in a payment servicing relationship is a ‘controller’ or a ‘processor’ – or both – can be a complex exercise.
Merchant-acquirers, for example, act in a service capacity when they complete payment transactions on behalf of merchants; in that respect, they can be considered to act as processors. However, merchant-acquirers also have a very substantial role in determining the specific means used to process payments, and they may also process transaction data to provide value-added services to merchants; in those respects, they may also act as controllers.
The GDPR may reduce the importance of this sort of parsing, since both controllers and processors will be responsible for implementing appropriate information security measures, and both will potentially be liable in fines and damages for non-compliance.
Payment industry participants will need to analyse the disposition of these issues in the final GDPR. Controllers and processors will need to agree upon appropriate liability allocation and indemnity provisions in their service agreements.
And so, we are all on notice: while the GDPR is not yet a reality, it seems increasingly likely that the GDPR will become, along with the Interchange Regulation and PSD2, part of the regulatory landscape that payments industry participants must navigate.
www.paymentscm.com