in Announcements, Business

Protecting our customers’ data: GDPR and the GoCardless Privacy Programme

Protecting our customers’ data is a priority for GoCardless. With the General Data Protection Regulation (GDPR) coming into effect in May, we welcome the opportunity to deepen our commitment in the area of data privacy.

We are making changes to our policies, processes, products and systems to ensure that we comply with the Regulation and continue to put data protection first. We’re also committed to helping our customers meet their requirements under the Regulation.

GDPR: A new data privacy landscape

Advances in technology over the last decade have led to the proliferation of personal data. More organisations are sharing and collecting different types of personal data than ever before: from IP addresses through to health data, purchasing behaviour, viewing preferences and more.

  • From 25 May 2018, organisations who handle personal data will need to meet new legal requirements, as the General Data Protection Regulation comes into effect across the EU (replacing the 1995 EU Data Protection Directive).
  • On the same day, the UK’s Data Protection Bill will pass into law, as the Data Protection Act 2018, effectively implementing the GDPR into UK law.

GDPR, and the forthcoming Data Protection Act 2018, expand the privacy rights granted to data subjects (EU/EEA individuals) and place greater obligations on organisations who handle personal data of those individuals (data controllers and processors), wherever those organisations are based.

The Regulation and accompanying UK Act will standardise data protection laws across EU member countries (and post-Brexit UK), giving EU and UK citizens greater control over their personal data. For example, making it easier to understand how your data is being used, and ensuring that the organisations you entrust with your data are taking care of it.

What we’re doing to comply with GDPR

As an organisation that handles personal data (e.g. name, bank account details, email and address of the end customers who pay our merchants), GoCardless is committed to ensuring that we are compliant with GDPR.

Some of the steps we have taken and are taking include:

  • mapping all data handled by GoCardless and our suppliers
  • analysing GDPR requirements against our current processes and policies
  • making changes to our products and processes in line with requirements
  • reviewing and updating contracts, as and where appropriate
  • training all staff on the requirements of GDPR and GoCardless’ data privacy procedures.

GoCardless Privacy Programme

Organisations must ensure that they are compliant with the provisions of the GDPR when it comes into effect, but the requirement to be compliant doesn’t end on 25 May.

While there are boxes that need ticking, GoCardless’ approach is not only to fix immediate issues, but to implement ‘privacy by design’. In 2017, we launched the GoCardless Privacy Programme, appointing privacy champions in every team across the business, to drive privacy compliance and embed the principles of GDPR (transparency, purpose limitation, data minimisation, accuracy, storage limitation, confidentiality and accountability) throughout the entire organisation, at every level.

With our Privacy Programme, we aim to ensure that data privacy is a day to day consideration across the business, for all our team members and central to how we work - from onboarding new employees to choosing new suppliers and launching new product features.

To find out more about data protection at GoCardless, see our FAQs.

GoCardless and GDPR
View our customer FAQs