General Data Protection Regulation (GDPR)

Just been contacted by a company advising this will be mandatory from 25 May 2018. What the hell is it? Is it taking over from the PCI DSS certification or will we be required to fork out twice for the same thing?

I currently use Sagepay or PayPal for all transactions so do not get card details. The punter is transferred to their websites for this payment and returned when completed. I do have their addresses, phone numbers and emails required to process their order. I don't think I'm a "Processor" or a "Controller" - both terms that are spoken about in this article.
 

Nathans50

Oct 24, 2017
With regards to the processing of payments you will be the Data Controller. Sagepay/Paypal will be the Data Processor. You control the lawful basis/reason for processing the data irrespective of which third party companies you use to process the data. I can't think of one business that won't be either a DC or a DP. Where personal information is handled in any way, you are one or the other.

I find it easier to put myself in the consumer's shoes: if I were them, who would I say is responsible for the data I provide? The company I've decided to receive the service/product from. It is them that decide why my data is necessary for the service/product, what it will be used for, how long they'll keep it for, who they will share it with (in your scenario). GDPR expects you to declare all of those decisions (not an exhaustive list above) in a privacy notice so that the consumer can make an informed decision prior to providing the data to you.

In addition to this, if you have employees you are most certainly a DC, and the same applies to their personal information you hold.