Today, May 25, 2018, the General Data Protection Regulation (GDPR) takes effect. Aimed at strengthening the security and protection of personal data, GDPR will have a far-reaching impact on companies around the world.
With the compliance date here, below are answers to your most frequently asked GDPR questions.
1. What is the General Data Protection Regulation (GDPR)?
The GDPR (Regulation (EU) 2016/679) is a regulation adopted by the European Parliament and the Council of the European Union, on a proposal from the European Commission, to strengthen and unify data protection for individuals within the EU. Applicable from May 25, 2018, it establishes a framework of rules to protect the personal data of European Union (EU) data subjects. It also governs the transfer of personal data outside the EU.
The GDPR applies to any organization, whether located inside or outside the EU, that offers goods or services to, or monitors the behavior of, data subjects in the EU. It likewise applies to any company that processes or holds the personal data of data subjects residing in the EU, regardless of where the company is located.
2. Does Swift Prepaid Solutions have a GDPR compliance program?
Yes. Swift has undertaken an enterprise-wide initiative to review and update our processes and procedures to be fully compliant with GDPR.
Together with our issuing partners and the security, privacy and risk auditing services of a third-party firm, Swift is implementing policies and procedures in the following areas:
- GDPR inquiry handling, including cardholder requests for data anonymization
- GDPR complaint handling
- Breach reporting procedures
- Privacy Impact Assessments for new services, products and hosting environments
Swift’s GDPR compliance program also includes employee training on all new policies and procedures.
Additionally, Swift holds PCI DSS Level 1 certification and is audited against the highest level of data security and handling practices defined by the Payment Card Industry. PCI DSS and GDPR are different regimes with different scopes: PCI DSS covers cardholder data, while GDPR covers all personal data. Even so, many of the data practices Swift follows for PCI DSS are required under GDPR as well.
3. Can Swift determine if a client needs a GDPR-compliant Data Processing Agreement/Addendum (DPA)?
Each client is responsible for its own compliance program and must determine whether the GDPR applies to its business. If you qualify as a “data controller” under the GDPR, Article 28 of the GDPR requires you to include specific provisions in your contract(s) with the data processors that act on your behalf, such as Swift.
Swift suggests that a client that believes the GDPR may apply to it execute a Data Processing Agreement/Addendum (DPA). A DPA between you and Swift would contractually require Swift to comply with the relevant portions of the GDPR. The DPA also reaffirms your general consent for Swift to subcontract; it is not intended to improve or modify either party’s position regarding subcontracting under the agreement. The DPA is designed to cover all the products and services Swift provides to you.
4. My company needs a GDPR-compliant DPA with Swift. How do I request an executable copy of the DPA?
If you haven’t entered a DPA with Swift, and you’ve determined that the GDPR is applicable to your business, request an executable copy of the DPA by sending an email to GDPR@swiftprepaid.com. In your request, include the following information:
- Legal name of your organization
- Email address of the person to whom the DPA should be sent; this can be the anticipated signer of the DPA or another person within your organization.
Have more GDPR questions? Reach out to your Swift contact.
Disclaimer: Neither Swift Prepaid Solutions nor any affiliate is a provider of legal advice or services, and this FAQ should not be construed as legal advice or counsel. Should you require legal services regarding GDPR compliance or on any other matter, Swift encourages you to engage your own legal counsel.