How your data should be protected in light of the GDPR

  • GDPR requires clear specific consent and active opt-in for using clients’ data.

  • Carrier billing is the safest payment method in those terms, as it requires the least amount of data for processing payments.

  • Merchants and consumers still need to be careful on where their data ends up.

  • Fortumo only uses clients’ data to make payments. The data is always processed to the minimum extent necessary.

A year has passed since GDPR came into force and the upheaval that followed. 2018 was the year of regulation for the digital ecosystem: both PSD2 and GDPR became active in the European Union, and other countries and regions of the world are following that lead by implementing similar rules.

On the first day GDPR was enforced, digital giants like Google and Facebook were hit with lawsuits whose claims piled up to billions of dollars. Facebook, of course, has been accused of invading its users’ privacy non-stop for over a year now. For example, Facebook misused the phone numbers people had provided for two-factor authentication: a user who tried to enhance their security weakened their privacy, which is a lose-lose situation for any user.

But user privacy was a rising concern even before GDPR. People in the United States are more afraid of online identity theft than of being robbed on the street. Big data breaches have resulted in huge lawsuit settlements for digital merchants. In the most sensitive cases, a breach can ruin or even end lives.

The most notable example of this comes from the dating segment, the Ashley Madison data breach. Ashley Madison is a site for enabling extramarital affairs. When its user data was hacked and leaked, thousands of marriages and relationships broke up, and at least a few suicides have been linked to the incident.

The purpose of the GDPR is to make it easier for EU citizens to understand how their data is being used. GDPR requires clear, specific consent and a justification for any personal data collected from users.

Specific consent requires a positive opt-in. To be valid, consent must be freely given, specific and informed, and involve some form of unambiguous positive action. The consumer should be asked to actively tick opt-in boxes to confirm using their data in a certain way.

For example, this has made the practice of selling or using marketing lists a sketchy business - such lists can only be used if every person on the list specifically consented to receive marketing messages.

Carrier billing and user privacy

For merchants using carrier billing, GDPR was actually a positive change: carrier billing is the payment method that requires the least amount of consumer data for processing transactions, while keeping things simple for consumers.

With a card-based transaction, the payment is always linked to the consumer’s real identity. With carrier billing, users can choose to remain anonymous. In the case of prepaid SIM cards, even the mobile operator does not know the identity of the user.

In light of this, carrier billing can be presented as a payment option to users who are afraid that their identity may be exposed online. Carrier billing is significantly more secure from the consumer perspective, because no personal data is transmitted or stored during the checkout process.

While carrier billing collects much less data, merchants and consumers still need to be aware of their rights. Merchants should do a thorough review of their partners so that the data does not end up in the wrong hands.