Our role as a data controller and what it means for you
In February we wrote about our commitment to the upcoming General Data Protection Regulation (GDPR).
Under GDPR, businesses must operate as either a data processor or a data controller. In this blog, we explain GoCardless’ status as a data controller - and what that means for our customers.
As part of our preparation for GDPR, we have looked carefully at how we process data relating to customers who pay companies through GoCardless (‘end customers’).
From that analysis and taking into account UK and EU-wide regulator guidance, industry practice and legal advice, we've determined that we act as a data controller in respect of end customers (like many others in the payments space, including Square, PayPal and Visa members).
Ultimately, being a data controller means we have an even greater responsibility to protect your customers’ data - and we are directly liable to data protection authorities in relation to all obligations under the GDPR.
Data controller vs data processor
Under GDPR, businesses must comply as either a data processor or a data controller in relation to specific data.
Data processors process personal data on behalf of the controller, but they don’t decide the purpose (the ‘why’) or the means (the ‘how’).
Data controllers determine the purpose of the processing and the means to achieve that purpose. Essentially they decide why and how the processing should take place.
Why is GoCardless a data controller?
In providing our customers with the best possible Direct Debit service, GoCardless makes a number of determinations on how and why data about end customers is used.
And as we offer an increasingly global payment service, we must make more decisions on how to use personal data to meet all the relevant requirements. For example, we must:
- comply with our own regulatory requirements (e.g. those related to safeguarding of funds belonging to you)
- comply with the rules of payment systems (e.g. the Bacs scheme rules that govern Direct Debit processing in the UK)
- guard both you and GoCardless against fraud, money-laundering and similar threats.
What does it mean for you as a GoCardless customer?
As a data controller, GoCardless assumes more responsibility - for example for misuse of data or a breach, and we are directly liable to data protection authorities in relation to all obligations under GDPR.
Being a controller also allows us to better support your customers when they get in touch with us. For example, when end customers call us to update their bank details, or to ask for help with payment issues, we can provide them with clear and accurate support, and, importantly, respond directly if they exercise their individual rights under the GDPR.
It also means we may be able to offer additional, more sophisticated services to our customers further down the line. For example, we will be able to use open banking APIs to provide smarter, faster payments.
We take our responsibilities as data controller seriously and we are growing the team to make sure we continue to put privacy first. Since security and data protection are closely linked, we have taken on a new head of security, Alex Lucas (previously at Amazon), and this month we also welcome our new Data Protection Officer, Kasey Chappelle, from American Express Global Business Travel.
Next steps for our customers
If you’re on our Standard or Plus package, you don’t need to do anything. We will be updating our online terms and will email you directly with a link to the updated terms.
If you’re a GoCardless Pro customer, we’ll be in touch to notify you about the update to your contract T&Cs.
Other changes for GDPR
In preparation for GDPR, you can expect to see tweaks and small changes to the GoCardless product over the coming weeks, including new privacy notices and notifications about cookies.
These, along with other changes to our back-end processes which won’t be visible, are part of a wider privacy programme to ensure that our systems support GDPR requirements now and in the future.