{"componentChunkName":"component---src-templates-blogpost-tsx","path":"/blog/gdpr-what-you-need-to-know","result":{"pageContext":{"isCreatedByStatefulCreatePages":false,"id":"6485c954-90d8-5a7b-bc32-6509ac8036f2","title":"GDPR – What You Need To Know","slug":"gdpr-what-you-need-to-know","published":"2018-03-26T00:00:00.000Z","author":"Dan Whale and Danielle Herndon","content":"\nIf you were not aware, Europe is set for its biggest data protection shake-up in 20 years. From May this year, the General Data Protection Regulation (GDPR) devised two years ago will be enforced. It replaces the EU-wide 1995 Data Protection Directive and the UK’s own 1998 Data Protection Act (which is heavily based on the former).\n\nWhy is this happening? GDPR has been established to protect people. As the economy has become more and more digitised, the level of personal information available online has increased. This has made, and continues to make, customers vulnerable to hackers and thieves, who can use and abuse this information for their own profit. Furthermore, companies have become accustomed to collecting large amounts of unnecessary data for their own benefit - simply because they can. With these factors in mind, the core principle of GDPR is to specify how personal data should be used and protected.\n\nThe Information Commissioner’s Office, the UK body responsible for enforcing these changes, has assured that these changes are “evolution, not revolution” and that businesses should not be scared of them. However, they certainly should be aware of them. Failure to comply can result in fines of €20m or 4% of annual turnover, whichever is greater. Restaurant chain Wetherspoons went as far as [deleting hundreds of thousands of customer emails](https://gdpr.report/news/2017/06/30/jd-wetherspoon-purposely-deletes-entire-mailing-list/) to avoid any risk of penalisation. 
It decided that the marketing value the emails possessed did not match the cost of effective compliance in the face of GDPR.\n\nThis blog therefore aims to offer guidance, outlining the essential requirements of GDPR, the effects they might have, and providing a 12-step guide that all businesses can follow.\n\n<div class=\"box\">\n  **_Glossary:_**\n  <p>\n    **Personal information/data** - Any information that can be used to identify an individual. This could be name, date of birth or even an IP address. This may refer to customers, employees, clients and more.\n    </p>\n  <p>\n    **Controller** - An entity that decides how and why personal data is used or will be used.\n  </p>\n  <p>\n    **Processor** - The designated entity that processes the data on behalf of the controller. The term processing equates to obtaining, recording, adapting or holding any personal data.\n  </p>\n</div>\n\n### Essential Requirements\nThe essential requirements of GDPR can be split into 7 main areas:\n\n- **Consent:** Companies must obtain consent in order to process personal data, unless they have legal or legitimate reasons to do so. This consent cannot be hidden in undecipherable legalese within the Terms and Conditions, and withdrawing consent must be as easy as giving it.\n- **Breach Notification:** If a company suffers a security breach, they must inform their controllers, their customers and the ICO within 72 hours or face penalisation. FCA/EEA regulated firms should also consider their obligations under [PSD2](https://paybase.io/blog/psd2-what-is-it-will-it-affect-me) relating to incident reporting.\n- **Right to Access:** Previously, data controllers could charge £10 to supply customers with a copy of all information held on them. 
Now, all companies must provide a free electronic copy of said information within a month of it being requested.\n- **Right to be Forgotten:** Customers have the right to request their data be deleted without undue delay if they no longer want it to be processed - barring firms that are required to retain records for legal purposes.\n- **Data Portability:** Customers have the right to take the information companies have collected on them and transfer it to other IT environments. For example, banking customers have the right to take their banking data and transfer it to a third party price comparison website.\n- **Privacy by Design:** Under GDPR, businesses have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. This prevents firms from attempting to bolt on these measures after building their product or service and encountering difficulty.\n- **Data Protection Officers:** Companies that process personal information and have more than 250 employees must employ specific Data Protection Officers (DPOs). Existing employees may be able to take this role, though for some companies additional staff may be required. Smaller firms are also required to have DPOs if they process data on a large scale.\n\n### Effects\nFor large businesses, GDPR may appear worrying, with the potential requirements of new staff, change in business protocols and possibilities of crippling fines. But GDPR will also bring benefits to companies. Stronger data regulation will make it harder for security to be breached, which can cause huge amounts of negative publicity (as seen with [Uber](http://www.bbc.co.uk/news/technology-42075306) and [Equifax](https://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information) in recent years, among many others). 
Speaking more generally, the restrictions on unnecessarily collecting data change the way firms do business, making them more transparent and thus also improving their image.\n\nAs for the fines, the ICO have stated that \"We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways. But [we've always preferred the carrot to the stick.\"](https://www.infosecurity-magazine.com/news/infosec17-gdpr-compliance-carrot/)\n\nHowever, what is a far greater cause for concern is the effect this may have on small businesses. It is important to stress that GDPR is not just for big corporates. If you’re a small shop that has a list of customer emails, for example, these regulations still affect you.\n\nFor these reasons, Paybase argues that it is vital for all businesses that hold personal data, large or small, to not fear or avoid GDPR but embrace it. Following these steps, provided by the ICO, can help your business be ready for GDPR without unnecessary additional costs.\n\n### [The ICO’s 12 Steps](https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf)\n1. **Awareness.** You should make sure that decision makers and key people in your organisation are aware that GDPR is becoming law. They need to appreciate the impact this is likely to have.\n  - Paybase tip! Present the information to the Board, but also provide a training session to the whole company to make sure everyone is aware of their responsibilities.\n2. **Information you hold.** You should document what personal data you hold, where it came from and who you share it with.\n3. **Communicating your privacy information.** You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.\n  - Paybase tip! Given the extent of the changes of GDPR, it’s likely that most firms will need to alter their privacy notices. 
Your policy may be dependent on your suppliers, which may also be updating their policy, so revising this should be one of the first things you do!\n4. **Individuals’ rights.** You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.\n5. **Subject access requests.** You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.\n  - Paybase tip! Create a diagram for your customers explaining how their data is used and make it public. This will deter unnecessary data requests.\n6. **Lawful basis for processing personal data.** You should identify the lawful basis for your processing activity under GDPR, document it and explain it in your privacy notice update.\n7. **Consent.** You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.\n8. **Children.** You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.\n9. **Data breaches.** You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.\n10. **Data Protection by Design and Data Protection Impact Assessments.** You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the [Article 29 Working Party](http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358&tpa_id=6936), and work out how and when to implement them in your organisation.\n  - Paybase tip! Share helpful articles (such as this one!) with all employees to educate them. For more specifically relevant training, involve the in-house/external expert.\n11. 
**Data Protection Officers.** You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.\n12. **International.** If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.\n  - Paybase tip! Don’t just think about where your organisation operates, but where your third-party partners operate as well. Take an inventory of all personal data flows to third parties to determine if any of your data leaves the EEA. If it does, you may need to introduce additional controls and standards, which should be established with the third party.\n\nFollowing these steps should enable you to cover GDPR and go about your business as usual, but if you are still unclear, there is a wealth of information on the topic [available online](https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en). Paybase believes that GDPR will ultimately be beneficial for both consumers and businesses, offering greater protection, transparency and security for all!\n\n[Twitter](https://twitter.com/paybase) &nbsp;[LinkedIn](https://www.linkedin.com/company/paybase/)\n","excerpt":"\nIf you were not aware, Europe is set for its biggest data protection shake-up in 20 years. From May this year, the General Data Protection Regulation (GDPR) devised two years ago will be enforced. 
It replaces the EU-wide 1995 Data Protection Directi...","cover":{"src":"https://paybase.imgix.net/blog/gdpr-hero.jpg","alt":"GDPR, Compliance, FinTech"},"link":{"to":"/blog/gdpr-what-you-need-to-know","copy":"Read more"},"tags":["GDPR","Compliance","Regulation"],"related":[{"id":"3cce0d30-696b-562a-aede-85355b374c2b","title":"Innovation in Customer Due Diligence – What stands in the way?","slug":"innovation-in-customer-due-dilligence","published":"2017-09-13T00:00:00.000Z","author":"Danielle Herndon","content":"\nIn the competitive landscape of financial services, are the banks’ methods of Customer Due Diligence (CDD) outdated?\n\n> “A positive and efficient client onboarding experience is a differentiator for those financial institutions able to deliver it to their clients”\n>\n> - Steve Pulley, global managing director – Risk Managed Services at Thomson Reuters\n\n<!-- -->\n> “We don’t see disruptors as a threat. We see opportunities to collaborate and work to create new product innovations and better experience for clients.”\n>\n> - Chad Ballard, Director of Mobility and New Digital Business Technologies, at BBVA Compass (the US arm of Banco Bilbao Vizcaya Argentaria)\n\n<!-- -->\n> “In some instances, your fastest pathway to delivering client value could be via FinTech”\n>\n> - Kobus Van De Venter, Executive Head: Group Technology Strategy, Execution Office and Insight at Nedbank in South Africa\n\nBanks have traditionally operated through ‘in person’ relationships to perform their CDD responsibilities. Typically, to open a bank account you would walk in, provide two forms of ID, the branch staff would make copies, perform an initial assessment and then your details would be passed to the CDD team for further review.\n\nOnly after all of this, and after a few days, will your account be opened. 
If you are a small business or charity trying to open an account the requirements are even more extensive and could take months - assuming your business model is even within the bank’s risk appetite.<sup>[1](https://www.thomsonreuters.com/en/press-releases/2016/may/thomson-reuters-2016-know-your-customer-surveys.html)</sup> While having this ‘in person’ relationship with your customers is valuable, it is rife with potential errors and downfalls in performing effective and accurate CDD.  \n\nWhat can FinTech offer to innovate this traditional but outdated process?\n\nThe traditional approach to performing CDD is incompatible with today’s technology aware customers that want easy and instant access to payments and banking services. Regulated financial firms need to determine the fastest, most compliant and risk appropriate way to onboard potential customers in a world of ever changing and ever increasing regulatory obligations.\n\nThe biggest challenge for banks is making the transition to incorporate digital solutions into their CDD processes, due to the constraints of legacy technology, their size and diverse regulatory obligations.<sup>[2](http://www.acamstoday.org/how-FinTech-is-changing-the-compliance-landscape/)</sup> Digitisation, agility and access to cutting edge tech is where FinTech thrives. New emerging FinTech firms are perfectly positioned to meet these evolving challenges as they, unlike banks, derive their competitive advantage through technology.\n\n> “More than 90% of bankers project that FinTech will have a significant impact on the future landscape of banking.”<sup>[3](https://www.eiuperspectives.economist.com/sites/default/files/EIU-The%20disruption%20of%20banking_PDF_1.pdf)</sup>\n\nThat is not to say FinTech provides the complete off the shelf solution today but it does indicate that banks and FinTech firms will have to collaborate in the coming years in order to thrive in the ever demanding customer centric world. 
Ultimately, both banks and FinTechs are striving to meet their regulatory obligations while providing the best service to their customers. The firms that will succeed are those that “collaborate and work to create new product innovations and better experience for clients” - Chad Ballard, Director of Mobility and New Digital Business Technologies, at BBVA Compass.\n\nThe Financial Conduct Authority (FCA), which regulates UK financial firms, recognises the benefit that FinTech firms can provide consumers. Utilising technology not only speeds up CDD but also can allow firms to adapt more quickly to meet new regulatory requirements. Leveraging technology to verify an individual either through biometrics, instant ID capture and validation, or electronic CDD as opposed to reviewing documents with the naked eye significantly improves the accuracy of CDD as well as the speed and audit trail of the customer onboarding journey.\n\nFinTechs not only meet initial CDD obligations, they are perfectly equipped to improve and innovate the ongoing CDD requirements of firms through leveraging numerous data points and employing innovative analytical approaches that banks cannot input as easily and efficiently.\n\nThis dynamic and holistic view of customers is where the true power lies. Data is king and this collection of well-structured data provides firms with a better understanding of their customers. 
This can be achieved through, but is not limited to, the use of facial recognition techniques, interactive user interfaces, innovative document scanning and analysis, Internet Protocol (IP) geolocation, predictive analytics and machine learning<sup>[4](https://www.fintrail.co.uk/news/2017/5/2/best-practice-in-customer-due-diligence-cdd-among-FinTech-ffe-white-paper)</sup> to produce a comprehensive customer profile.\n\nWith banks closing branches to address customer needs for digitisation, the spotlight is now fully on the digital opportunities in CDD.\n\nIt is clear that new and emerging technologies have genuine potential to have a transformative impact. Removing the element of human error and increasing the quality of CDD using technology should only be viewed as a strength.\n\nThe hesitation by regulators and other firms to accept certain technology in the CDD process is often because of the perceived lack of governance and control. What needs to be acknowledged is that with the rigorous testing employed by many FinTechs, the ultimate aim of CDD in mitigating financial crime risk is infinitely more effective than when relying purely on the human element.\n\nThat is not to say using analysts or branch staff to perform CDD is ineffective, but there are increased opportunities for exploitation when humans are solely relied upon to check the quality of a document they hold against the person in front of them.\n\nTechnology can offer incomparable opportunity to innovate Customer Due Diligence, reducing crime risk, streamlining processes and reducing overheads. It's now up to the banks to consider this seriously.\n\nAt Paybase we provide access to compliant, tech-focused solutions for firms requiring eMoney and Payment services. 
Having been utilising electronic CDD for a number of years on our Payfriendz app, we are extremely aware of the benefits that technology can provide to our customers.\n\nIf you’re an established firm or building something new that requires a payments, compliance and risk solution, we want to talk to you! Please get in touch with any questions or suggestions, or follow us:\n\n[Twitter](https://twitter.com/paybase) &nbsp;[LinkedIn](https://www.linkedin.com/company/paybase/) \n","excerpt":"\nIn the competitive landscape of financial services, are the banks’ methods of Customer Due Diligence (CDD) outdated?\n\n> “A positive and efficient client onboarding experience is a differentiator for those financial institutions able to deliver it to...","cover":{"src":"https://paybase.imgix.net/blog/due-diligence-innovation-hero.jpg","alt":"need one"},"link":{"to":"/blog/innovation-in-customer-due-dilligence","copy":"Read more"},"tags":["Compliance","Customer Due Diligence","Regulation"]},{"id":"dbcc7d63-b352-53db-bcbe-4eddcd40ece7","title":"What’s the deal with IR35?","slug":"whats-the-deal-with-ir35","published":"2019-11-12T00:00:00.000Z","author":"Gemma Doswell","content":"\n# What’s the deal with IR35?\n\nIn what feels like an ever-changing regulatory landscape, [IR35](https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/818816/OPR_Factsheet_.pdf) is yet another addition to the evolving contract/freelance/off-payroll space. But, as we firmly advocate at Paybase, regulation should not be looked at as a deterrent. It’s put in place to protect consumers and workers, and to help you as businesses to strengthen and future-proof your offering as well as creating a fair, level playing field for those in the market.\n\n\nIR35 affects off-payroll workers and their employers in medium and large organisations - those who are contractors as opposed to employees and thus do not pay PAYE. 
It is “[a set of tax laws which form part of the Finance Act](https://www.contractorcalculator.co.uk/what_is_ir35.aspx)” and it is designed to cut down on tax payment discrepancies that have been historically common in off-payroll work.\n\n\nAs many of our clients operate businesses that work with freelancers, contractors, locums, gig workers and more, it’s important to understand the implications and, if necessary, make as much time as possible to prepare. Crucially, it’s important that your business model is clearly defined.\n\n## What’s the problem?\nDeemed employment is where employers use contractors to work exclusively for their company on a self-employed basis rather than hiring them on an employment contract. It affects [disguised employees](http://www.business-information-uk.com/disguised-employment/) as opposed to those who are genuinely self-employed. Disguised employees often work for an intermediary - “[a Personal Service Company, Recruitment Agencies, and all Large and Medium-sized end clients](https://www.crunch.co.uk/ir35/)” - through which they are paid as opposed to invoicing a company directly. They fill a permanent position in a company but don’t pay the corresponding income tax and National Insurance contributions (NIC) that a permanent worker would. \n\n![disguised-employee](https://paybase.imgix.net/blog/disguised-employee.png)\n\nIR35 legislation has been in place since 2000 but was heavily criticised for being poorly implemented. In 2017, new, stricter off-payroll rules were introduced in the public sector and they will be pushed into the private sector on 6th April 2020.\n\n## What will change?\nFrom April 2020, employers of medium and large companies will be liable to declare their contractors and their rates and they will be [penalised](https://www.gov.uk/guidance/ir35-enquiry-by-hm-revenue-and-customs#penalties-and-sanctions) by HMRC if they don’t. 
For many disguised employees, this could cause an up to 20% pay cut once employers have deducted income tax and NIC from their regular pay. \n\nIn order to define who falls inside IR35, a worker’s status will be tested based on three main principles, among others - control, substitution and mutuality of obligation.\n\n\n![employment-status](https://paybase.imgix.net/blog/employment-status.png)\n\n\n## What does it all mean?!\nOne possible implication of IR35 will be the saturation of the permanent job market before April 2020. For the many who are misusing the infrastructure of off-payroll work (whether inadvertently or deliberately), there may be a rush from employers to fall in line and a rush from employees to find contracted permanent work. Those who work for [small companies](https://www.itcontracting.com/ir35-small-company-exemption/) - those with 50 employees or less - are not included in the new rules, but that’s not to say that they won’t be extended. \n\nHowever, for those who work with freelancers, contractors and those who are genuinely self-employed, IR35 is not a reason to panic. The regulations are designed specifically to target disguised employment in off-payroll work. The main thing to remember is that preparation is key. Make sure that everything is in order so that if HMRC come knocking, you won’t be met with surprises. \n\nFor more information on IR35, click here to read the [HM Treasury fact sheet](https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/818816/OPR_Factsheet_.pdf) and [guidance on gov.uk](https://www.gov.uk/guidance/understanding-off-payroll-working-ir35).\n","excerpt":"\nWhat’s the deal with IR35?\n\nIn what feels like an ever-changing regulatory landscape, IR35 is yet another addition to the evolving contract/freelance/off-payroll space. 
But, as we firmly advocate at Paybase, regulation should not be looked at as a d...","cover":{"src":"https://paybase.imgix.net/blog/head-in-hands.jpg","alt":"need one"},"link":{"to":"/blog/whats-the-deal-with-ir35","copy":"Read more"},"tags":["IR35","Tax","Regulation"]},{"id":"0878e3d1-a20e-5a0c-8ccc-cca1928f3065","title":"Are You Using Escrow Compliantly?","slug":"use-escrow-compliantly","published":"2019-09-25T00:00:00.000Z","author":"Gemma Doswell","content":"\nEscrow is one of the most popular payment features to appear in the platform economy. It is becoming increasingly well-utilised as awareness of the instrument grows. \n\nEscrow accounts are a great tool to safeguard transactions, and payments technology (PayTech) providers who can’t facilitate it could quickly fall behind their competition as modern consumer expectations rise. But what exactly is escrow and how can it be used compliantly?\n\nIn this blog, we’ll tell you just that.\n \n## What is escrow?\nEscrow is the act of holding funds in a third-party account when a payment is made. Once both transacting parties are happy, the transaction can be authorised and the funds released. \n\nHere’s an example of how escrow could be used on a car purchase:\n \n![](https://paybase.imgix.net/blog/escrow-compliance-explain.gif)\n\n## Why the big fuss?\nConsumer payment demands are growing by the day - transactions must be fast, secure and, where possible, seamless too. One of the ways that platform businesses can meet these demands is through escrow. The instrument can be leveraged to give consumers access to a high level of transactional security without negatively impacting UX. As a result, escrow allows users to transact quickly, securely and with ease, as well as being able to enhance the platform business’s end product e.g. by guaranteeing payment for sellers and the quality of product for buyers. 
\n\nOwing to the nature of many platform business models - routing payments between multiple buyers and multiple sellers and thus transacting between strangers - escrow is the perfect instrument to safeguard the space. It eliminates the need for platform users to trust each other by instilling trust in the platform itself instead and, in doing so, escrow gives businesses the potential to grow to become the global brands of the future. \n\nBut integrating escrow compliantly is not as simple as you might think. \n\n## Let’s talk compliance\nThere are three parts of an escrow transaction that relate to compliance:\n1. The movement of funds from an escrow account\n2. The holding of funds in an escrow account\n3. Decision making or dispute resolution \n\nEscrow requires funds to be moved from a user account and held in a safeguarded escrow account while the terms of a transaction are completed. It is an FCA requirement that funds in the escrow account are inaccessible to both the buyer and the seller (similar to the Tenancy Deposit Scheme). Only the third-party - in our case, Paybase - has access to the escrow account. Once the terms of the transaction are complete e.g. a gig worker has completed a job, the funds in escrow can be released to credit the end-user. \n\nWhen it comes to dispute resolution, the third-party (Paybase) is permitted to reroute funds from escrow for buyers and sellers. For instance, if an item is received >1 week late, the dispute may be resolved because the buyer and seller agree to send 75% of the funds to the seller and return the remaining 25% to the buyer. This instruction would be received by the third party to execute. In order to do this, the third party would access the escrow account, reroute the held funds and distribute them between the buyer and seller. \n\n![](https://paybase.imgix.net/blog/escrow-compliance-buyer-seller.gif)\n\nIf a transaction occurs without dispute, the escrow process can be automated with an API. 
However, if the buyer or seller disputes any part of the transaction (e.g. if an item arrives broken or late), the funds in escrow need to be disputed out and split by the third party. \nDeciding how funds should be split to resolve a dispute is the responsibility of the third party - it is at their discretion to implement a dispute resolution process with terms and conditions, or to make a judgement on a case-by-case basis. \n\n## How Paybase works\nWe pride ourselves on having an escrow solution that can be moulded to enhance myriad use cases. With a white-label product, we are able to partner with both platform businesses and third-party escrow providers to support not just SMEs but bigger brands interested in offering escrow services as well. The level of flexibility that our clients have access to enables them to maximise innovation when integrating escrow into their payments framework and, ultimately, it improves how transactions are safeguarded industry-wide. \n\n## Who do we work with?\n\n![](https://paybase.imgix.net/blog/escrow-compliance-paybase.png)\n\nInterested in using escrow to enhance your business? Or are you an escrow provider that’s looking for a more streamlined solution? [Contact us](https://paybase.io/#get-in-touch) today to see how we could help.\n\nOr, if you’d like to get to know us a little better, sign up to our mailing list! Scroll to the bottom of the page to sign up now.\n\n[Twitter](https://twitter.com/paybase) &nbsp;[LinkedIn](https://www.linkedin.com/company/paybase/)\n","excerpt":"\nEscrow is one of the most popular payment features to appear in the platform economy. 
It is becoming increasingly well-utilised as awareness of the instrument grows.\n\nEscrow accounts are a great tool to safeguard transactions and payments technology...","cover":{"src":"https://paybase.imgix.net/blog/escrow-compliance-banner.jpg","alt":"need one"},"link":{"to":"/blog/use-escrow-compliantly","copy":"Read more"},"tags":["Escrow","Compliance","Payments"]}]}}}