GDPR, One Year On

by PCI Booking – July 8th, 2019

The General Data Protection Regulation (GDPR) and all of the work the regulation threw at online merchant companies, is now over one-year-old. It has been a roller-coaster for many organizations trying to meet GDPR compliance. Requirements that encompassed breach notifications, allowing data subjects the ability to remove their data at will and understanding the nuances of consent have caused many of the headaches; however, overall, the GDPR has been designed for good.

The remit of the GDPR is to reinforce the idea of user control over the use of their own personal data. The focus is the enforcement of the principles of Privacy by Design and Default. Ultimately, this can benefit both the customer and the service; a more privacy-enhanced service seen as creating better, more trusted relationships, between both parties.

So, a year on, where are we? Has the GDPR been a successful regulation or has meeting the compliance been a commercial nightmare?

GDPR A Year On - What Has Happened?

Here are a few figures to give you an idea of where things are in terms of compliance with GDPR.

A Deloitte survey found that only 35 percent of organizations have a GDPR compliant data breach notification process. This is borne out by the first, post-enactment review by the European Data Protection Board (EDPB).

In terms of fines, we are beginning to see the strength of GDPR. British Airways’ remarkable, but still lower than possible, £183 million fine for a data breach is 367 times as high as the previous record fine, the £500,000 imposed on Facebook over the Cambridge Analytica scandal.

Over the year since the GDPR enactment, the general level of understanding of GDPR requirements has been good, but gaps exist. Around 57% of organizations know their country has a public authority responsible for data protection, but only 20% know who that is.

The general feeling is that organizations have made great attempts to meet the requirements of GDPR, but there is still some way to go. The fact that over 55 million euros worth of fines have already been issued confirms this.

How Can Online Merchants Avoid Becoming a GDPR Statistic?

The question remains, how can online merchants maintain or improve their GDPR compliance? Below we have highlighted some key areas that should receive focus to make sure you do comply and don’t become one of the statistics in the EDPB second year report.

Know Your Data: the GDPR rules concern many types of personal data. The broad classes cover personal data such as name, address, etc. and sensitive data which includes religious beliefs and health. You should work out what types of data you collect and what you do with these data. This will then inform what areas you need to change or which processes require updating to meet GDPR compliance. Article 9 of the GDPR describes the types of sensitive data the regulation covers. One more thing on data – only collect what you truly need to facilitate an online order, this is known as data minimization and it helps with GDPR and with data management.

Location, Location, Location – GDPR does not just apply to companies based in an EU state. The jurisdiction of the regulation extends outside the EU, if your company controls or processes the data of EU citizens within an EU state. For example, if an online merchant is based outside the EU, but sells goods and services to EU citizens in the EU, the GDPR will apply.

PCI Booking’s tokenization service allows merchants to choose from over fifteen different locations worldwide when deciding where to store customer data. In addition to this, it is possible to select different locations for different data, enabling you to be flexible according to your individual compliance requirements.

Secure storage: The GDPR requires that the right level of data protection be applied. This includes robust access control measures (authentication) and encryption. Online merchants typically collect data that consists of the user’s details, name, address, etc., and financial data. To securely transmit and store these data you need the right technology in place.  Services such as PCI Booking’s Datablock Tokenization securely stores all customer data. (including email address, passport number, date of birth, etc.) not just credit card information. This ensures that you protect the data classes as required by the GDPR.

While it might seem that credit card information falls under the GDPR, it actually falls under a higher level of compliance called “PCI compliance” which requires a higher level of security in terms of storage. PCI Booking can help you achieve PCI compliance with our leading Credit Card Tokenization service.

What is DataBlock Tokenization?

With DataBlock Tokenization, PCI Booking offers a PCI compliant level secure tokenization system for protecting non-payment information which, while not under the scope of PCI DSS, is still required to be securely stored; for example, protecting traveller information due to GDPR regulations. Merchants using PCI Booking to protect their customers’ payment information can now also protect any additional data they deem necessary; such as traveller information or PNR records.

Third-parties and data sharing: The GDPR sets out requirements for organizations that are ‘data controllers’ and ‘data processors’. Make sure you know which camp you fall under – check out Chapter 4 of the GDPR for details on what the requirements are for each.

Consent and opt-in: The area of consent has been one of the most discussed and thorny issues, especially for online merchants. Consent is a lawful basis of the GDPR, and as such, plays a crucial part in adherence to the regulation. This is reflected in the fines, with consent non-compliance attracting the highest level of fine at 4% of annual global revenue or 20 million euros, whichever is higher. Consent MUST be taken whenever you collect or process personal or sensitive data. You must collect this consent as an affirmative action (opt-in) using clear language. There are some ways of handling consent, such as ‘legitimate interest’, that can help reduce the consent overhead. Article 6.1 of the GDPR outlines this in more detail, but the basic premise is that you must be able to process data to service a contract properly.

Data subject rights: The GDPR sets out eight ‘data subject rights’, i.e., what users have the right to do with their data. This covers everything from the right to delete data and online accounts to being able to move data from one online merchant to another.

Breach notices: If your organization is a victim of a data breach, whether accidental or malicious, you must have a strategy in place to deal with the breach and to notify the right authorities. If not, you will be in breach of GDPR and be liable to a fine of 2% of annual global revenue or 10 million euros, whichever is higher. Your Supervisory Authority must be notified of a data breaches within 72 hours of the breach being identified. It is worth noting that if data is breached, but encrypted, being able to demonstrate this will help your case.

Performing a DPIA when any changes happen: A Data Privacy Impact Assessment (DPIA) is part of the GDPR reporting and documentation requirements.  They are a useful discipline as they give you a view of how well (or not) you are adhering to the privacy expectations of the regulation. A DPIA should be done regularly, but especially if you make any changes to the way you collect or process data.

Why is it Important for Online Merchants to be GDPR Compliant?

Getting into compliance with the GDPR might seem like a hurdle to doing business but it is about being privacy respectful. Respect for customer privacy is now a goal for all. In a recent study, 46% of consumers would ‘give a pass’ to a company who had suffered a data breach. It is in everyone’s interests to take data security and privacy seriously. However, the online merchant, perhaps more than most, has a vested interest in ensuring their clients’ have a safer internet experience.


Like it or loathe it, the GDPR is not going away. GDPR compliance is also an ongoing concern that needs to be reinforced by robust technologies like encryption. PCI Booking has designed their Datablock Tokenization service to help you meet the robust expectations of the GDPR around data protection and storage.