GDPR and the right to be forgotten

Millions of people work, shop and play online every day, leaving behind volumes of data that can include sensitive information. A study by IDC estimates that by 2020 there will be 5,200GB of data for every consumer on earth. In total, that works out at 40 zettabytes, or 57 times more than every grain of sand on every beach.

Regulators have increasingly become concerned with how companies capture, manage and protect the swathes of data they hold on their customers. Within the European Union (EU), these concerns have resulted in the General Data Protection Regulation (GDPR), a new regulation which aims to give consumers greater rights and security over how their data is used.

GDPR is the most comprehensive framework of its kind in the world and will have profound implications not just for businesses operating in the EU, but any that hold data on EU citizens. Companies in breach of GDPR could face severe fines, and with an implementation date of 25 May 2018, time is running out to ensure compliance.

Merchants, which frequently come into contact with sensitive customer information like payment details, will have to be especially ready.

What is GDPR?

GDPR will effectively replace the EU Data Directive, which was established in 1995, during the early days of the internet, but is now considered inadequate to deal with current challenges. This is understandable considering the average smartphone today has 10x more processing power than a PC in 1995, while eCommerce sales are over €500 billion a year in Europe alone.

The new legislation establishes guidelines on how companies should handle customer privacy, store data securely, and respond to security breaches. It also attempts to offer a unified standard of operating across Europe so that companies do not have to deal with several regulatory environments.

For the first time, obligations will be placed on data controllers and data processors. In other words, GDPR will affect not just an organisation (the controller) but also its outsourcing provider (e.g., a cloud computing company, or a third-party payment provider). Previous legislation placed responsibility solely on the controller.

GDPR also addresses the export of personal data outside the EU. The legislation makes it clear that it does not just apply for European companies, but any business

GDPR: Key implications for merchants

This quickly became known as the ‘right to be forgotten’ and, following the ECJ case, it has been included in GDPR.

The right to be forgotten is a particular challenge for organisations because of the rich web of information that’s held in databases. Whereas companies may have previously been concerned about how to store and archive information, now the focus is turning to what information is held and how they can access it. For example, a merchant may have to remove someone’s personal information from all of their payment transaction record histories; if they so request.

It’s also important to realise that data does not just mean information held on a database. GDPR makes no distinction between physical and digital data: it could be customer details held on paper, or in old files at a warehouse, for example. This would now have to be made available in the event of a consumer request. Yet a recent survey in the UK by Compuware showed that 71 percent of retailers do not always know where their customer data is stored. 4

The emergence of the DPO

One of the ways in which businesses can manage the new regulatory landscape is by appointing a data protection officer (DPO) with company-wide responsibility for ensuring that protection guidelines are followed. Employing a DPO will be mandatory for publicly-owned bodies, companies that regularly and systematically monitor data subjects on a large scale (such as banks or web analytics companies), or firms that handle data of a highly sensitive nature. However, it is a best-practice approach that is relevant for all companies.

Company-wide involvement

A key aspect of preparing for GDPR is understanding that it’s an issue for everyone within the company. Devising a response will require a coordinated approach across the organisation, because one change can have an effect on another department. For example, making changes to consent may entail customers filling in lengthy forms, which may have an effect on online purchases, leading to an increased amount of shopping cart abandonment. So, making changes is not just the responsibility of one department — there’s a need for firms to take a wider view. GDPR could entail huge volumes of work: from amending contracts to make them compliant, changing privacy policies and notices, and altering company procedures to deal with data subject rights.


Merchants are going to have to radically rethink the way they do business. There are obvious ways in which organisations will have to change, e.g., in obtaining customer consent and shifting data retention policies. But there are more subtle changes too: there will need to be a shift in company thinking, to ensure that customer concerns are at the heart of company policy.

GDPR shouldn’t just be thought of as a burden: the organisational changes will mean greater transparency and will also offer more security for customers. Restricting the effectiveness of cyber criminals, and reducing the threat of breach, will be especially advantageous for merchants, which are frequent targets for these attacks. Companies that act quickly and robustly in implementing these changes may also find they will benefit from a greater degree of trust from their customers. By prioritising data security, they are demonstrating a willingness to put customer concerns first, which could result in reputational benefits, especially if the provisions they implement are in advance of what is required by the letter of the law.

In short, implementing GDPR may mean major changes but it should benefit businesses and customers alike. Don’t delay, however, the time for action is now: companies who haven’t started thinking about it, may find it’s already too late.


By Catherine Moore, President, J.P. Morgan Merchant Services Europe

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at