GDPR is just around the corner. Are you ready?

Adhering to the GDPR is a must for all businesses in the EU. But what exactly is it and how does it impact you? Learn about the different elements of GDPR here. We also cover its impact on marketplaces and platforms.

rc risks and compliance gdpr is just around the corner are you ready

Everyone is talking about GDPR, but what is it? Who does it apply to? How will it impact on marketplaces and platforms? We wanted to shed some light on these questions.

What is GDPR?

The General Data Protection Regulation (“GDPR”) is a European regulation that will take effect on May 25, 2018, and replaces the Data Protection Directive of 1995 and the national data protection laws of the European Union (“EU”).

GDPR is designed to set a uniform standard across the EU with regard to the way organizations collect, use and share personal data of data subjects in the EU.

What information does GDPR protect?

GDPR applies a broader than usual definition of personal data, including “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Therefore, the definition may capture, in certain circumstances, IP addresses, mobile device IDs, email addresses, cookies and other online identifiers.

Who is subject to GDPR requirements?

The application of GDPR is cross border and it covers the processing by organizations established in the EU of personal data in the course of their activities (EU and non-EU data subjects). It also applies to non-EU organizations with no formal or physical presence in the EU, so long as such non-EU organizations offer goods or services to data subjects in the EU or monitor their behavior (to the extent the subject is within the EU) (e.g. internet use profiling).

The act of ‘processing’ covers a variety of actions of an organization such as collection, recording, structuring, storing, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction, etc.

Such non-EU organizations are generally required to designate a representative established in an EU member state where the data subjects whose personal data is processed or whose behavior is monitored are located. The term “established” can be interpreted in different ways, so whether an organization is considered established in the EU should be examined on a case-by-case basis.

Key elements

GDPR includes certain key elements and obligations that impacted organizations should be aware of and implement, such as:

  • Defining the specific legal ground to permit data processing
  • Identifying and documenting the process by which personal data is collected and processed
  • Appointing a Data Processing Officer
  • Defining the organization’s responsibilities as data controller and/or data processor
  • Formulating data breach responses and notification requirements
  • Outlining the rights of the data subjects to access their information and be forgotten
  • Addressing transmission of personal data outside of the EU


Organizations that fail to comply with the requirements of GDPR may face severe administrative and economic sanctions, including fines of up to EUR 20,000,000 or 4% of the organization’s total worldwide annual turnover of the preceding financial year.

How does GDPR impact you?

As a commercial business such as a marketplace or digital platform selling or otherwise offering goods or services internationally and processing personal data, you should understand how and whether GDPR applies to your organization. The personal data collected, stored or processed by your organization might be that of your sellers, customers, vendors and even random visitors to your website.

GDPR can apply to your organization regardless of its size or revenues and even regardless of whether or not you have a formal presence in the EU. If you collect, hold, process or have access to information that can be used to identify a data subject in the EU, you are probably subject to GDPR.

Firstly, you should understand the criteria for offering “goods and services” to EU data subjects. Is your website accessible in the EU? Do you use EU languages and currency? Are your campaigns directed to the EU?

Let’s take, for example, a Singapore-based organization that sells hand-made ties. The company has neither offices nor an affiliate company established in the EU, but offers its goods online. The company runs campaigns targeted at customers in the EU and even offers translated pages of its website. This organization collects personal data upon registration and creation of an account, including the registrant’s name and email address. Does GDPR apply to this organization? The answer is yes.

The new regime of GDPR confers more responsibilities on the organization; it’s now the organization’s responsibility to confirm that the data it processes is duly protected. Sometimes GDPR only provides a framework or guideline, and the organization must determine if it’s the controller or a processor of personal data and make sure that it properly stores and protects personal data.

The key questions you should be asking

You should ask yourself a few questions to make sure that you are prepared for GDPR compliance: what is the nature of the personal data you collect? Are you going to collect additional types of information? How is it collected, processed and stored? What is the nature of processing? What are the current policies that need to be updated and created? Does your privacy policy adequately describe the use of the information? Do you need to appoint a Data Processing Officer? What are the legal grounds pursuant to which you collect the information? Do you rely on consent? Can you adequately comply with the data subjects’ rights? Are your security measures sufficient? These questions, and many more, need to be addressed when considering GDPR compliance.

Individuals are becoming more and more aware of their rights and the data collectors’ responsibilities as we countdown towards May 2018.

What are we doing at Payoneer to be ready for GDPR?

At Payoneer we take pride in providing a high level of security and transparency with respect to how we collect, use and share the personal data of our customers, partners and vendors. We are diligently preparing for GDPR, updating our policies and refreshing our procedures pertaining to data subjects’ access and other rights and are taking these and other measures to be fully compliant with GDPR.

Please note that this isn’t intended to be a comprehensive and exhaustive review, but rather an outline of certain issues which we consider to be key to understanding GDPR. We recommend that you undertake your own analysis as to how GDPR applies to your organization specifically.

Latest articles

  • Made in India for the World: The State of Indian Cross-Border eCommerce

    Made in India for the World: The State of Indian Cross-Border eCommerce

    The Indian eCommerce market has grown significantly in the last few years. As a result, many cross-border businesses have undergone a fast-paced digital transformation and contributed to surpassing the government-set $400 billion target of trade within a single year.

  • Defying the odds: How Ukrainian businesses thrive during war

    Defying the odds: How Ukrainian businesses thrive during war

    One year post-war, Ukraine’s businesses adapt and thrive amidst adversity. Entrepreneurs showcase resilience, reflecting national tenacity. Many diversify, venturing into e-commerce and digital realms. Despite hurdles, 44% of SMBs aim for growth, with 36% hiring. Their grit underscores Ukraine’s enduring spirit amid challenges.

  • What Are The Best Payment Options For Freelancers?

    What Are The Best Payment Options For Freelancers?

    Freelancers offer flexibility and expertise without the overhead of traditional employees. However, processing invoices and payments for international freelancers can be a complex and time-consuming process. To work with freelancers effectively, it’s crucial to understand the available payment options for freelancers and how to best keep on top of accounting and invoicing.

  • An 8-point Checklist for Finding the Best Payment Provider

    An 8-point Checklist for Finding the Best Payment Provider

    There’s huge potential to expand into ASEAN markets. But only for online sellers that accept local payment methods. Finding a trusted payment solution can be a worry and a challenge. Use this checklist to vet potential payment partners. With the right payment support, the sky’s the limit!

  • How to bill your international clients

    How to bill your international clients

    Want to learn how to bill international clients when you’re based in the Philippines? In this article we spoke to three leading business owners who shared their tips to working successful international work. Learn how they collect payments and more below.

  • How to nail your direct-to-consumer payment strategy

    How to nail your direct-to-consumer payment strategy

    Asia-Pacific offers massive potential for DTC ecommerce. But cross-border payments can be a headache. We share an actionable strategy for DTC payments. Remove DTC payment hazards and expand your business with ease. What are you waiting for?