
GDPR Compliance Primer.

Gregory Gevorkyan
11 Feb 2024

Overview

  • The European Union adopted the General Data Protection Regulation (GDPR) in 2016, and it has applied since 25 May 2018. It is one of the strictest and most far-reaching data privacy rules in the world: it regulates how organisations collect, use, and store the personal data of people in the EU, regardless of where the organisation is located.
  • Your business might not specifically market its products and services to people in the EU, but if you offer them goods or services, or monitor their behaviour (for example through analytics or tracking cookies on your website), you must comply with the GDPR. Merely being reachable from the EU is not enough on its own; offering or monitoring is the trigger.
  • Under this law, individuals, also called data subjects, have rights over their personal data: to be informed about how it is processed, and to access it, rectify it, restrict its processing, and have it erased. Every processing activity needs a lawful basis. Consent is one such basis, but not the only one; performance of a contract, a legal obligation, and legitimate interests are others. Where you do rely on consent, it must be freely given, specific, informed, and as easy to withdraw as it was to give.

How important is GDPR compliance?

The GDPR runs to 88 pages in the Official Journal, so staying in compliance can be challenging. Regardless, you can’t ignore this regulation; one of the consequences of non-compliance is a sizable fine.
For the most severe infringements, your business can be fined up to €20 million or 4% of your annual worldwide turnover, whichever is higher. The biggest fine to date was imposed on Meta in May 2023 by the Irish Data Protection Commission: €1.2 billion for transferring European users’ data to the United States without adequate safeguards. Here’s a breakdown of the GDPR and how Modernbanc can help you with your data processing needs.

What are the 7 principles of GDPR?

If your company processes personal data, you must operate within the 7 principles of GDPR:

  • Principle 1: Lawfulness, fairness and transparency
    • Users should never be in the dark about why you’re collecting their data, who you are, and how you plan to use their data.
    • You must have a lawful basis for collecting and processing personal data, such as performance of a contract, a legal obligation, legitimate interests, or the data subject’s consent. Decide on the basis before you collect, record it, and state it in your privacy notice. Consent is one basis among several, not an extra requirement on top of the others; when you do rely on it, it must be freely given, specific, informed, and withdrawable.
  • Principle 2: Purpose limitation
    • Data collected for one purpose can’t be reused for an unrelated one. Before reusing it, check whether the new purpose is compatible with the original (consider the link between the purposes, the context of collection, and what data subjects would reasonably expect); if it isn’t, you need a fresh lawful basis, usually new consent, and an updated privacy notice. In short, avoid the temptation to use data for new reasons without giving your users the chance to assert their rights to their own data and its processing.
  • Principle 3: Data minimization
    • The data you collect must be relevant and limited to what’s necessary in order to fulfill your stated purpose. If you don’t absolutely need additional information, like phone numbers, physical addresses, or demographic data, you should not collect and retain that data.
  • Principle 4: Accuracy
    • Your business is responsible for the accuracy of the data you hold on your users. Establish checks for how you collect, update, and erase data. Your users have the right to have inaccurate or incomplete data rectified or erased, and you must act on such a request without undue delay and in any event within one month, extendable by two further months for complex or numerous requests provided you tell the requester within the first month.
  • Principle 5: Storage limitation
    • Don’t keep data for longer than you need it. The GDPR does not set a specific time frame for storage limitation so it’s up to your company to justify your data retention policies. Document how and when you will review the data you hold, including how you will erase or anonymize your data once it’s no longer needed. Staying compliant with this principle will help you stay compliant with the data minimization principle.
  • Principle 6: Integrity and confidentiality (or principle of security)
    • Your company is responsible for preventing data breaches through technical and organisational measures appropriate to the risk: access limited to authorised individuals, encryption and pseudonymisation, secured facilities, tested backups and the ability to restore access after an incident, and regular testing of those measures. Certifications can help demonstrate this, but they are evidence of security, not a substitute for it.
  • Principle 7: Accountability
    • Your company is responsible for the data you collect and must be able to demonstrate compliance with all 7 GDPR principles. Keep records of your processing activities and the lawful basis for each, keep an inventory of the data you hold, record consent where you rely on it, perform regular assessments of your data policies, and show individuals that you respect their rights and take their data protection seriously.

What are the 2 main roles and responsibilities in GDPR compliance?

The data controller

  • If your company is in charge of determining the purpose of the data you’re collecting, processing, and storing, then you qualify as a data controller. In short, you’re in charge of and responsible for processing activities, even if you use a third-party data processor.
  • It’s your responsibility to choose data processors that provide sufficient guarantees that they comply with the principles and limitations of GDPR, and any other laws that are relevant to your operations, and to bind each of them with a written data processing agreement.

The data processor

  • A data processor can be a company, legal entity, or an individual that processes data on behalf of another organization. Even though the data processor doesn’t decide why the data is collected, it must process it only on the controller’s documented instructions, keep records of the processing it carries out, assist the controller with data subject requests and breach notifications, and meet the GDPR’s security requirements.
  • SaaS and IT solutions are often data processors. They aren’t involved in deciding the purpose of the processing, but they’re still responsible for protecting the data, engaging sub-processors only with the controller’s authorisation, and notifying the controller of a breach without undue delay.

How to comply with GDPR when you collect data directly

  • If you collect data directly from data subjects, you’re responsible for being transparent about why you’re collecting the data and how you intend to use it. You must have a lawful basis, obtain consent from individuals where consent is the basis you rely on, respect their rights under GDPR, and follow the principle of data minimization.
  • You’re also responsible for implementing security measures that protect the data you collect. This includes having data processing agreements with all data processors that you use, conducting data protection impact assessments for high-risk processing, training your employees on security measures, auditing and reviewing your compliance, and setting procedures for handling a data breach: notifying your supervisory authority within 72 hours of becoming aware of it, and notifying affected individuals without undue delay when the breach is likely to result in a high risk to them.

How to comply with GDPR if you collect data indirectly via partners

  • Even if you’re not the party directly collecting data, by processing that data you’re still responsible for GDPR compliance. Make sure you have data processing agreements in place with your partners and that they have a lawful basis (consent or otherwise) for collecting and processing the personal data they send you.
  • The end user must know that their data ends up with you, and your partners should reflect that in their privacy notice to that end user. They must either name you directly or explain that the data may be shared with third-party sub-processors and for what purposes, with a link to a page listing the current sub-processors.
  • If you’re acting as a data processor for your partners, it’s crucial to have a Data Processing Agreement (DPA) in place with each partner.

Special Category Data (important)

Particularly sensitive data (also known as Special Category Data) is subject to much stricter rules. Processing it is prohibited unless a specific condition applies, most commonly the data subject’s explicit consent, and it usually calls for a data protection impact assessment as well as stronger security and encryption measures.

Special category data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify someone, health data, and data about sex life or sexual orientation.

Modernbanc can help you stay GDPR compliant

Modernbanc takes GDPR compliance seriously. We’ve been assessed and certified by independent auditors for SOC-2 Type II and PCI-DSS Tier 1.

Our Encryption Vault as a service enables our customers to collect, process, and share all kinds of sensitive personal data, payment data, and card data.

  • Security: To uphold the GDPR principle of security, Modernbanc encrypts data with 256-bit Advanced Encryption Standard (AES-256) keys in Galois/Counter Mode (GCM), an authenticated mode that detects any tampering with the stored ciphertext, and stores each ciphertext together with internal metadata. Modernbanc also ensures network isolation and encryption key ring management and rotation, alongside other measures.

  • Special Category Data: Encryption Vault is designed for extra security, making it a secure and GDPR-compliant place to collect and store Special Category Data, which is personal data that carries more risk and sensitivity. Secure storage is necessary but not sufficient: you still need one of the GDPR’s specific conditions, such as explicit consent, before processing this data at all.

  • Storage Limitation: Encryption Vault also enables your business to stay compliant with the GDPR principle of storage limitation by setting a deletion date, so that data is automatically removed rather than stored for longer than needed.
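The two bullets above (AES-256-GCM with internal metadata and key ring rotation; a deletion date for storage limitation) are easiest to understand in working code. The following is an added illustration written for this primer, not Modernbanc’s code and not a description of how Encryption Vault is implemented internally. It uses only Go’s standard library; the KeyRing and Record layouts, the 12-byte header format, and the names Seal, Open and Rewrap are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// KeyRing holds AES-256 keys by ID (a hypothetical layout for this example).
// New records are sealed under the active key; old keys are kept so earlier
// records can still be opened and re-encrypted after a rotation.
type KeyRing struct {
	keys   map[uint32][]byte
	active uint32
}

// Record is the stored form: header (key ID + deletion date), GCM nonce and
// ciphertext. The header is fed to GCM as additional authenticated data, so
// editing it (say, to push back the deletion date) breaks authentication.
type Record struct {
	KeyID   uint32
	Expires time.Time // deletion date, for the storage limitation principle
	Nonce   []byte
	Cipher  []byte
}

var ErrExpired = errors.New("record is past its deletion date")
var ErrUnknownKey = errors.New("record references an unknown key id")

func NewKeyRing() (*KeyRing, error) {
	kr := &KeyRing{keys: map[uint32][]byte{}}
	return kr, kr.Rotate()
}

// Rotate generates a fresh random 256-bit key and makes it the active one.
func (kr *KeyRing) Rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return err }
	kr.active++
	kr.keys[kr.active] = key
	return nil
}

// header serialises the metadata that is authenticated with the ciphertext.
func (r Record) header() []byte {
	h := make([]byte, 12)
	binary.BigEndian.PutUint32(h[0:4], r.KeyID)
	binary.BigEndian.PutUint64(h[4:12], uint64(r.Expires.Unix()))
	return h
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the active key with a fresh random nonce.
func (kr *KeyRing) Seal(plaintext []byte, expires time.Time) (Record, error) {
	aead, err := newGCM(kr.keys[kr.active])
	if err != nil { return Record{}, err }
	rec := Record{KeyID: kr.active, Expires: expires, Nonce: make([]byte, aead.NonceSize())}
	if _, err := rand.Read(rec.Nonce); err != nil { return Record{}, err }
	rec.Cipher = aead.Seal(nil, rec.Nonce, plaintext, rec.header())
	return rec, nil
}

// Open enforces the deletion date before touching any key, then decrypts and
// verifies the GCM tag over ciphertext and header together.
func (kr *KeyRing) Open(rec Record, now time.Time) ([]byte, error) {
	if !now.Before(rec.Expires) { return nil, ErrExpired }
	key, ok := kr.keys[rec.KeyID]
	if !ok { return nil, ErrUnknownKey }
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	return aead.Open(nil, rec.Nonce, rec.Cipher, rec.header())
}

// Rewrap re-encrypts a record under the current active key after a rotation,
// keeping its original deletion date, so the old key can eventually be retired.
func (kr *KeyRing) Rewrap(rec Record, now time.Time) (Record, error) {
	pt, err := kr.Open(rec, now)
	if err != nil { return Record{}, err }
	return kr.Seal(pt, rec.Expires)
}

func main() {
	kr, _ := NewKeyRing()
	now := time.Now()
	rec, _ := kr.Seal([]byte("health: asthma"), now.Add(30*24*time.Hour)) // constructed sample
	_ = kr.Rotate()              // key 2 becomes active; key 1 still opens rec
	rec, _ = kr.Rewrap(rec, now) // rec is now sealed under key 2
	pt, err := kr.Open(rec, now)
	fmt.Printf("key %d: %q err=%v\n", rec.KeyID, pt, err)
	_, err = kr.Open(rec, now.Add(31*24*time.Hour))
	fmt.Println("after deletion date:", err) // ErrExpired
}
```

Two design points matter here. Putting the deletion date inside the authenticated header means a record cannot be kept alive by editing its metadata: a changed date fails the GCM tag check, and the check runs before any key is even looked up. Keeping old keys in the ring is what makes rotation safe, and Rewrap is the step that lets you eventually delete a retired key without losing data.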

Learn more about Modernbanc Vault

Want to hear more about how Modernbanc’s Encryption Vault can help you collect, store, and use data while staying compliant with GDPR?

Check out our docs to learn more or book a demo to discuss your unique needs.
