What is SmartDebit doing about GDPR?
The General Data Protection Regulation (GDPR) will apply from 25 May 2018. It will supersede the UK Data Protection Act 1998. The new law brings a 21st century approach to data protection. It expands the rights of individuals to control how their personal information is collected and processed. It also places a range of new obligations on organisations to be more accountable for data protection.
We outline below the position SmartDebit is taking. Note that this is neither guidance nor legal advice; it is simply our understanding of GDPR.
Data Controller and Processor
Under GDPR, you are the Data Controller, the entity that decides what data to collect, and why, from your customers. Bacs states on its website that it and the banks operating the scheme are all joint controllers with you. SmartDebit is a Data Processor, an organisation which provides Direct Debit or cheque processing services on your behalf.
This means that you need to put effective data protection in place on behalf of your customers. Using the services of SmartDebit should simplify this, because you reduce the risk that comes with storing and processing payer data yourself.
What is SmartDebit doing?
SmartDebit already aligns very strongly with the current UK Data Protection Act. All the data we collect from payers is held securely and used solely for the purpose of processing Direct Debits, and communicating with payers about Direct Debits within the Bacs approved scheme. We do not use this data for any other purpose and we have many controls in place to ensure data security, contributing to our ISO 27001:2013 accreditation.
This all means that changes under GDPR for SmartDebit are largely documentation based.
How does this affect your relationship with SmartDebit?
There are very few changes. We already fully comply with the UK Data Protection Act. You may want to ensure GDPR is covered in your contract with your payers, and you may want to use our security documentation, when challenged, as evidence of your compliance as a Data Controller using “appropriate technical and organisational measures to protect data”. In fact, this is one of the key advantages of using a processor like SmartDebit, rather than storing bank data yourself – we are accredited by the Financial Conduct Authority and externally certified for information security under ISO 27001:2013.
We will be updating our contracts in line with GDPR by 25th May and will send out an addendum to you by email. Obviously, the contract and addendum contain the legal detail, but as a brief guide for your own compliance work we provide information here.
Here are the key things you should know:
- We commit to following all applicable EU and UK data laws.
- We will only process payer data as defined by the Direct Debit scheme and in our contract with you (or as required by appropriate EU law or UK regulator).
- We will not share payer data with third parties for any purpose other than providing the service for which you contracted with us.
- We will assist where necessary in providing information you require as a Data Controller.
- If we need to include other subcontractors or sub-processors to provide the service, this will be carried out in line with GDPR rules and agreed at the point of contract, or with your written permission thereafter. We would only consider sub-processors with similar security levels to our own.
- We currently only have two subcontractors providing services involved with your data. These are:
  - Incapsula – which provides our DDoS protection service. HTTP requests sent across the internet to our data centres have their headers briefly decrypted (in EU data centres) to check that the request is not part of an attack. No data is stored at rest.
  - SmartDebit’s data centres – where our data is stored on encrypted disks in custom locked racks, with SmartDebit-controlled CCTV. For the purposes of GDPR, our data centres are not really a sub-processor, as they have no access to your data, but for completeness we include them here.
- We will not store data outside of the EU.
- We will implement appropriate technical and organisational measures to protect payer data (see our security and infrastructure documentation or our ISO 27001:2013 accreditation for examples of this).
- We will promptly inform you of any data breach – as we operate now.
If you are a SmartDebit customer and have any questions, please contact Customer Services at email@example.com or call 01276 851820.