Our role as a data controller and what it means for you
In February we wrote about our commitment to the upcoming General Data Protection Regulation (GDPR).
Under GDPR, a business acts as either a data processor or a data controller in relation to any given set of personal data. In this blog, we explain GoCardless’ status as a data controller - and what that means for our customers.
As part of our preparation for GDPR, we have looked carefully at how we process data relating to customers who pay companies through GoCardless (‘end customers’).
From that analysis and taking into account UK and EU-wide regulator guidance, industry practice and legal advice, we've determined that we act as a data controller in respect of end customers (like many others in the payments space, including Square, PayPal and Visa members).
Ultimately, being a data controller means we have an even greater responsibility to protect your customers’ data - and we are directly liable to data protection authorities in relation to all obligations under the GDPR.
Data controller vs data processor
Under GDPR, a business must comply as either a data processor or a data controller in relation to specific personal data, and the obligations differ depending on which role it holds.
Data processors process personal data on behalf of the controller, but they don’t decide the purpose (the ‘why’) or the means (the ‘how’).
Data controllers determine the purpose of the processing and the means to achieve that purpose. Essentially they decide why and how the processing should take place.
Protecting our customers’ data: GDPR and the GoCardless Privacy Programme
Protecting our customers’ data is a priority for GoCardless. With the General Data Protection Regulation (GDPR) coming into effect in May, we welcome the opportunity to deepen our commitment in the area of data privacy.
We are making changes to our policies, processes, products and systems to ensure that we comply with the Regulation and continue to put data protection first. We’re also committed to helping our customers meet their requirements under the Regulation.
GDPR: A new data privacy landscape
Advances in technology over the last decade have led to the proliferation of personal data. More organisations are sharing and collecting different types of personal data than ever before: from IP addresses through to health data, purchasing behaviour, viewing preferences and more.
- From 25 May 2018, organisations that handle personal data will need to meet new legal requirements, as the General Data Protection Regulation comes into effect across the EU (replacing the 1995 EU Data Protection Directive).
- On the same day, the UK’s Data Protection Bill will pass into law, as the Data Protection Act 2018, effectively implementing the GDPR into UK law.
New Bacs Direct Debit rules make it easier for customers to switch provider
We’re delighted to share news that Direct Debit providers can no longer stop customers from switching to another provider, thanks to changes in the Direct Debit scheme rules, announced by Bacs on 10 November and supported by the UK Payment Systems Regulator (PSR).
We believe that every business should be able to move between payment providers freely, so we’re delighted that Bacs is making these rule changes, which GoCardless has campaigned for since 2015.
What is changing?
Under the old rules, companies that processed Direct Debit on behalf of merchants (sometimes known as Facilities Management or ‘FM providers’) could request that an outgoing Direct Debit provider transfer all of a customer’s existing Direct Debit mandates across to them, a procedure known as the bulk change process. However, the outgoing FM provider was under no obligation to meet that request.
The new rules, which take effect from January 2018, require all FM Direct Debit providers using the Bacs Direct Debit scheme to be certified by Bacs. As part of that certification, FM providers must commit to use the bulk change process.
A day in the life of our Head of Legal
I’m the Head of Legal at GoCardless. My role is really varied so there’s no such thing as a typical or predictable day for me - I get involved in all kinds of tasks from designing a new contract management system through to reviewing foreign law advice on our international expansion.
Starting the day strong (and a little bit bruised)
I love to exercise and try to fit it in each morning - I think it’s a key part of my day and helps me feel energised. For the past three months I’ve been taking part in CrossFit at CrossFit CityRoad - it’s great but a real challenge; I’m using muscles I didn’t even think I had, and the ones I have seem useless!
After my workout, I’ll head into the office where I’ll make breakfast before checking my emails. There’s a pretty amazing selection of breakfast foods, with (literally) dozens of choices of granola. I try not to succumb to granola temptation, and typically have scrambled eggs on a bagel.