With GDPR, compliance creates opportunity for U.S. vendors

As Nvoicepay expands, the payment automation company is keeping an eye on how it may fall under European data rules that have a knack for reaching companies that assume they are exempt.

The Beaverton, Ore.-based company just deepened its relationship with Mastercard, which will support Nvoicepay's technology for enterprise clients as Nvoicepay supports Mastercard's InControl for commercial payments. That follows a collaboration with Viewpoint on construction payments and an expansion of Nvoicepay's cloud-supported payment and merchant functions to reach more types of businesses.

But as an American company, does working with global enterprises heighten Nvoicepay's exposure to GDPR, and is that exposure a risk or a business opportunity?

Chart: Data for a price

GDPR replaces a 23-year-old data protection law in Europe and is designed for the "data breach" era, wherein data hacks have hit major retailers, government agencies and credit bureaus with alarming regularity. Under GDPR, consumers and other parties have more control over how their data is used, and merchants, banks and payment companies are pressured to be more accountable in data storage, sharing and protection, which likely means large IT outlays.

"The law is going to reach people that don't think they have ties to Europe," said Karla Friede, Nvoicepay's CEO and founder. "Upstream, we may have customers that have to be compliant and we handle their payments."

Like its cousin PSD2, GDPR is a European rule, and it has no automatic hold on an American company with no European customers. It does reach non-EU companies directly when they offer goods or services to people in the EU or monitor their behavior there, and because data management also involves partners and third parties, the new rule is casting a shadow over U.S. processors that have no such direct tie.

So far, clients in data- or privacy-related businesses are inquiring about GDPR compliance, and Nvoicepay has made itself GDPR compliant in terms of how it handles and protects data, Friede said.

Enterprise customers have larger security and compliance teams, so serving these customers involves a thorough review of Nvoicepay's security and compliance processes and documentation, Friede said. "The expansion in our compliance processes has also been driven by new security requirements and the expansion of our audit process to include these audit reviews for these new standards."

GDPR compliance is not typically part of the messaging to clients, but it may become a value proposition as the law's impact spreads.

There may be more of an opportunity than a risk for cloud-based data management companies that can sell GDPR compliance to clients such as merchant acquirers that want to power international payments and loyalty programs while staying in line with data protection rules.

Writing for PaymentsSource, Mia Papanicolaou, COO of Striata, argues the type of information protected under GDPR is broad and encompassing, including identity, contact, banking, medical, employment and education. The definition of processing is equally wide, including collecting, storing, using and sharing.

That means opt-ins are required for marketing communication that may have any tie to Europe, and such communications must adhere to the law's strict breach notification rules, Papanicolaou argues.

"There really is no border anymore," said Sheryl Kingstone, research vice president and general manager at 451 Research.

The law is causing concern throughout the world because data control is very hard, Kingstone said.

"You don't know where all of your data is," Kingstone said. Companies with functioning CRM systems that can manage that requirement are rare, she added. "Most times data is scattered."

451 Research has found consumers are warming to sharing data on their own terms, but it will take time for consumers to understand their role in taking control of their data.

That will force an evolution of a company's entire technology stack to enable real-time, contextually relevant experiences. Businesses must govern information to account for the growth of unstructured data, mapping personally identifiable information in structured and unstructured data, according to Kingstone.

"You can have all of the technology in place, but it only goes so far," Kingstone said. "You need the strategy and culture and ability to understand where all of that data can potentially reside and have the process to move forward to make sure you don't get caught in this pickle in the future."
