The future is full of unknowns, but it’s certain that major changes are coming to businesses in 2019. Many of them thanks to the General Data Protection Regulation (GDPR) implemented in Europe in the spring of 2018. The European mandate was more than just a wake-up call for U.S. businesses – it was a clear sign that precise and secure management of customer data is absolutely essential for organizations, regardless of size or geographic location.
Writing for BizTech Magazine earlier this year, Cybersecurity expert Karen Scarfone suggested businesses take a common-sense approach to prioritizing their response to GDPR requirements to determine how it applies to their business – keeping in mind that even “data that’s not considered personally identifiable information in the context of U.S. law may be relevant to GDPR.” At a minimum, Scarfone recommends addressing the company’s privacy policies and those related to personal data collection – read more about gdpr compliance.
How you manage PII and ensure security around payments should be your focus in 2019.
The GDPR and what U.S. Businesses Need to Know
To be clear, the GDPR does not explicitly mandate that U.S. businesses do anything different when handling data – specifically, personally identifying information (PII) for customers and prospects in the U.S.
However, many consumer groups, business organizations and others have called for Congress to consider measures to protect U.S. consumers. And ramifications of GDPR have already been felt in the U.S.
For example, the GDPR-inspired California Consumer Protection Act (CCPA) of 2018 will be enforceable in 2020. Importantly, the CCPA does not force companies to stop collecting information and does not provide provisions for consumers to request companies stop collecting their information, both critical to membership management organizations. The CCPA comes with a broad definition of PII. PII, which among other things includes IP addresses, geo-location and browsing information, increases scrutiny on how businesses handle security and data management.
In other words, even though the GDPR was implemented in Europe, it will have a significant impact your business. If you’re unsure about GDPR regulations and how to make your business compliant, check out this GDPR implementation guide. You may need to review not only your process of data management, but also that of your vendors – paying special attention to your payment processing systems to ensure that they are compliant and secure. Below, a roundup of some of the best advice for businesses preparing for GDPR-influenced changes in the U.S.
Tips for Sports and Fitness Businesses in a Post-GDPR World
1. Follow the Data
Where does your membership data come from, and what you do with it? You must be able to identify how you obtain data, where the data resides, for how long, and who can access it. Keep in mind that the GDPR’s “right to be forgotten” clause appeals to many consumers. How long do you keep data on former members? Now is the time to revisit your policies.
2. Position your Company as Privacy-Forward
As Seth Berman pointed out in an analysis in Government Technology, “The EU has elevated data privacy into the realm of individual rights.” Each data breach heightens public awareness, reminding consumers that businesses have more data than most of us realize, and when not properly managed, that data is at risk. It’s likely that in 2019, letting your customers know you’re serious about their privacy will be a brand-enhancing strategy. The last thing you want is to not report a data breach and be discovered via a California Whistleblower Law lawyer, or other legal representative, as that could seriously damage your credibility and carry legal consequences.
To comply with the spirit of GDPR, membership management companies are encouraged to implement voluntary measures to manage PII. Consider guidelines that ensure PII is encrypted and that payment systems are resistant to attack, as well as human and system failures.
3. Implement Smart Security Measures
Carefully implemented security measures designed to guard against data breaches are critical, as are protocols to quickly notify customers, partners and the authorities in the event a breach does occur. Have documented, regularly tested procedures regarding how to handle a breach. Security of payment processing is paramount for fitness clubs and other membership companies.
NACHA, the Electronic Payments Association, notes that Automated Clearing House (ACH) payments are among the safest and most common methods of payment. At the May 2018 The Future of Money Conference held in London, central points discussed included open banking, new payment architectures, and cyber risk and payment scams. Regulations are still developing around cryptocurrency and distributed ledger technology ( DLT), but it’s clear that businesses will need a payment processing system that can handle DLT. UP Payments use Universal Payment Identification Codes (UPIC) which function as bank account identifiers to allow for real-time, secure payments from anywhere.
4. Choose Your Partners Carefully
Under GDPR, your company is liable for the breaches of third party processors. Scrutinize your vendors and work only with those who are as serious about security as you are. This is especially important when it comes to payment management. From ACH and Apple Pay to Google Pay and UP payments, there are more options and issues for merchants offering POS and online transactions – and at the same time, more pressure than ever to may paying as easy and convenient for customers as possible. If you’re unsure about your company’s GDPR compliancy, it might be helpful for you to have a GDPR audit. It’s better to be safe than sorry!
5. Invest in Compliance Tools
From marketing to record-keeping to payment processing, compliance tools abound for businesses and organizations. Ensure that your membership management tools enable compliance.
Security, Privacy, and Fitness Software
Ensuring the security of your website and membership portals is the crucial first step to being able to manage your data. All Upper Hand sports website plans include reliable hosting and security. Having the most streamlined and automated payments options as well as granular control of memberships and customer information has contributed to Upper Hand earning Trustpilot’s 5-star rating.
Universal Payments, or UP Payments, are also part of Upper Hand. This means users can accept payment from anywhere – including mobile checkout for members who need to pay on the go – and from almost any form of payment (multiple currencies are supported). Fraud management, encryption and compliance, and chargeback management are also included. As a partner with Paysafe, the global leader in UP, Upper Hand clients can rely on those safe payments, and so can their customers.
As your members become aware of how GDPR is increasing requirements for consumer privacy, now is the time to review how your facility and fitness software handles PII, payment processing and other data.