Modo is your GDPR Compliant Payments Partner: How non-compliant partners put your compliance at risk

Posted by Modo on Sep 17, 2019 8:38:36 PM

With the General Data Protection Regulation (GDPR) in full effect, it’s vital that companies find partners around the globe that are focused on being GDPR compliant. As hard as you work to maintain your compliance, if your partners don’t have their GDPR ducks in a row, they may be jeopardizing your compliance. And the penalties for non-compliance are steep - we’re talking up to 4% of your entire global turnover of the preceding fiscal year kind of steep. The Information Commissioner’s Office (ICO) is really, really enforcing them, as seen in the fines imposed on British Airways and Marriott International. And, although substantial, those penalties are nowhere near the amounts they could be.

So, you’ve gone through all the work to ensure your company policies and procedures comply with GDPR. But, have you gone through the work to ensure your partners aren’t hindering your ability to remain compliant? 

GDPR’s Article 28 states: “[data controllers] shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”.

Modo read Article 28 and we know that as a payments partner we receive tons of super sensitive customer data every single day that needs to be protected and secured. Which is why GDPR compliance is top of mind for us, and our technology allows us to take a customer focused approach to dealing with the regulation. 

Maintaining GDPR Compliance 

There are five major components to maintaining GDPR from a product perspective:

  1. Requesting consent from customers
  2. Data stewardship
  3. Data residency
  4. Prompt disclosure of breach
  5. Honoring the right to be forgotten 


Let’s break each of these down one by one to explain what each of the components requires and how Modo ensures we remain a GDPR compliant partner.

Requesting consent from customers

Companies are required to get consent from customers to collect their data. An easy way to do this is to input a cookie tracker on websites that requires your customers to give their consent in order to use your site. You are also required to disclose what data you are tracking and what tools will be using that data. Well, guess what? Your payments partner is one of those tools that will be using your customer data. And LOTS of it. In order to make disclosures for customers seamless, Modo discloses to our clients what data we are using and where so it can be presented in their own privacy policies. 

Data Stewardship

Once you get data from customers, you need to protect their data. And when you’re working with partners, you need to ensure they are also protecting the data just as you would be. Modo’s technology is bank-grade and has been audited by some of the largest banks in the world. When we say we are secure, we mean we are S.E.C.U.R.E. And we have the HSMs to prove it. All data we store is both tokenized and encrypted in our token vault. Your customers’ data is safe with us.

Data Residency 

Companies have to be able to prove where their data is being housed and who owns that data. Modo’s technology is cloud-native and cloud-agnostic. We use Kubernetes to deploy our product to any of the cloud providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. If, for instance, a client needs their data to reside in the United Arab Emirates, and Azure is the only cloud platform that operates in that area, they may believe they have to build their own Azure platform in order to be compliant. Modo, however, can easily ensure their data is housed safely in the UAE on the Azure platform due to the agnostic nature of our cloud platform.

Prompt Disclosure of Breach

If a customer data breach occurs, the ICO has to be notified within 72 hours of the breach. There are also requirements around how customer data is handled, what to do when a breach occurs, why customer information is needed, and more. This often necessitates the hiring of a Data Privacy Officer or someone in charge of data security. At Modo, we have a Chief Information Security Officer whose job it is to define how we protect data, the internal systems we use, what controls we have, how we store our keys, etc. Read the “Data Stewardship” section above to remind yourself how serious (and seriously obsessed) we are about security.

Honoring the Right to Be Forgotten

You have to give your customers the right to be forgotten from your system. In many cases, you may be able to remove their data from your system, but your partners aren’t able to remove the customer data from theirs. That situation is not good. We repeat - not good. When your customer asks for their data to be removed from your system, Modo is able to remove their data from our bank-grade secure token vault as well. 

Payments data has to be dealt with differently than other forms of customer data. There are requirements to maintain payment records for one to five years depending on the regulation. Because of the special requirements around storing payments data, honoring an erasure request may mean keeping the bare minimum required by law for record-keeping purposes and no more. And you can easily turn on/off the ability for your customer to be forgotten in Modo’s tenant portal.
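To make the two preceding paragraphs concrete, here is an added toy example (not Modo’s code; the class, field and retention names are assumptions) of a token vault that handles a right-to-be-forgotten request by dropping the customer’s PII immediately while keeping only the bare payment record until a legal retention period runs out, behind a per-tenant on/off switch:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import secrets

# Constructed example of erasure with a legal retention floor. Not Modo's
# code; the 5-year figure is the longest retention period the post cites.
RETENTION_YEARS = 5


@dataclass
class VaultEntry:
    token: str
    pii: Optional[dict]  # name, contact and card details; None once erased
    amount_cents: int    # bare payment record kept for record-keeping
    paid_on: date


class TokenVault:
    def __init__(self, erasure_enabled: bool = True):
        # Per-tenant switch, mirroring the on/off setting the post mentions.
        self.erasure_enabled = erasure_enabled
        self._entries: dict = {}

    def tokenize(self, pii: dict, amount_cents: int, paid_on: date) -> str:
        token = secrets.token_hex(16)  # random token, not derived from the PII
        self._entries[token] = VaultEntry(token, dict(pii), amount_cents, paid_on)
        return token

    def get(self, token: str) -> Optional[VaultEntry]:
        return self._entries.get(token)

    def erase(self, token: str, today: date) -> dict:
        """Right-to-be-forgotten request: PII goes immediately; the bare
        payment record stays until retention expires, then is purged."""
        if not self.erasure_enabled:
            return {"status": "erasure_disabled"}
        entry = self._entries.get(token)
        if entry is None:
            return {"status": "unknown_token"}
        entry.pii = None
        try:
            keep_until = entry.paid_on.replace(year=entry.paid_on.year + RETENTION_YEARS)
        except ValueError:  # payment made on 29 February
            keep_until = entry.paid_on.replace(year=entry.paid_on.year + RETENTION_YEARS, day=28)
        if today >= keep_until:
            del self._entries[token]
            return {"status": "purged"}
        return {"status": "pii_erased", "record_retained_until": keep_until.isoformat()}
```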

Find a GDPR Compliant Payments Partner 

Your customers’ data needs to be honored and protected by both you and the companies with whom you choose to work. Ensure you are working with a GDPR compliant partner in order to keep your company out of the doghouse with the ICO and keep the trust you have with your customers.

Reach out to Modo if you’re interested in streamlining your payment operations with a GDPR compliant partner!
