By Ryan Boyes – The payment industry is heavily regulated, and handling transactions across geographical borders adds further complexity, given the growing body of legislation covering not only payment security but data privacy as well.
The General Data Protection Regulation (GDPR) set the current benchmark for data privacy, so aiming for it as a goal can be effective. However, there are numerous other standards internationally, including the Protection of Personal Information Act (PoPIA) in South Africa, as well as guidance and frameworks from other countries.
Always aim higher
When making a cross-border payment, it is essential to engage the relevant regulators to ensure that the requirements of the origin and destination countries are understood and aligned. Where the two sets of requirements differ, always comply with the more stringent one. The onus is on businesses to ensure compliance both for themselves and for any third-party suppliers they rely on.
Compliance with GDPR will, in many cases, cover the bases required for cross-border payments for most countries.
However, customers and clients are within their rights to request proof of compliance, which would typically involve a third-party assessment and audit each time. For organisations handling large volumes of transactions, such as a multinational online retailer or a cloud services provider, certification against standards such as ISO/IEC 27001 (information security management) and ISO/IEC 27701 (privacy information management) gives customers assurance that their information is handled securely.
For smaller organisations, working toward the requirements for these standards, without the certification exercise, can stand them in good stead.
Where do you start?
Data breaches carry more risk today than compliance challenges alone. There is a real danger of reputational damage and loss of customer confidence, which can cause lasting harm. Organisations need to take this seriously, beginning by understanding their data: what they hold, how it flows through and out of the organisation, and how it is managed.
Financial information passes through multiple gateways, each of which needs to be secured along the way. All documentation needs to be classified according to its nature and the department that owns it, so that the correct legislative requirements can be applied. There also needs to be a compliant process covering the whole lifecycle, from capture through to destruction, in which named parties are both responsible and accountable for the information at each stage.
A risk register is a good place to start, identifying all the risks a business faces and the requirements it must comply with. From there, an incident response policy can be developed to document the steps that must be taken to protect data and what must be done in the event of a breach.
While aligning with international certification standards can help organisations comply with PoPIA and other legislation, the landscape is complex, with technological, administrative, and functional elements to consider. The right partner can support organisations from beginning to end: identifying the gaps, closing them, maintaining the resulting controls, and preparing for certification if needed.
Ryan Boyes is the governance, risk and compliance officer at Galix