Last week we had the privilege of networking for an evening with the MRC team, and 50 other merchants and service providers. For some timely content, we featured a discussion around the implications of General Data Protection Requirement (GDPR).

As a fraud and payment community, we’re all impacted by the new law, so we held a 60-minute forum named: “GDPR: the Good, the Bad and the Data.”

The goal was to capture insights around this compliance paradigm shift of what is being called Europe’s biggest change to consumer privacy laws.

Like most other shifts in history, this one feels heavy. But it also feels right, as we are all consumers at heart and can relate with the violating feeling of a cluttered inbox, annoying irrelevant ads, and the frustrating curiosity of just how much information companies have on us.

Questions circled the room around how GDPR adoption will impact the fraud management ecosystem and the customer journey.

The panel and audience offered some very interesting insights, led by three industry experts. As a fraud prevention service provider, I sat in the 4th seat and offered insights on what we’re broadly hearing from our customers on GDPR.

Here were some very high level insights / questions fed by the panel and audience:

GDPR readiness: Studies estimate only 40% of EU companies claim they will be GDPR-ready by May 25th next year, suggesting there are no easy boxes to check-off to meet all the requirements.

Extraterritorial Aspect: Under GDPR, data regulations will expand to include service providers doing business within EU member states regardless of these enterprises’ national origin. This fact will create more scrutiny placed on organizations who share data outside the EEA. Fortunately, cross-border data transfer mechanisms are already in place, such as Privacy Shield, and provide a legitimate basis for safeguarding these data transfers. Emailage has already adopted many of the GDPR requirements, and is also certified by Privacy Shield. We expect to see more companies adopting these standards for data transmission to solidify their process for sharing data that leaves the EEA for fraud prevention purposes.

Friction created from the Right to Consent: Some companies have already started implementing the request for consent in certain use-cases. These along with additional T&C’s are creating many discussions around what is the most appropriate language to obtain this much more explicit consent than what is under the old rule.

Data Portability: This one is getting a lot of debate – which will allow individuals to obtain and reuse their personal data for their own purposes across different services. Will this make data more vulnerable for theft? Let’s hope not, but at a minimum, portability is something the group sees as an unknown around how many consumers will actually take advantage of these new rights.

If you’re in the fraud and payments space, I encourage you to attend the Merchant Risk Council’s events, for the content, the amazing thought leadership, and for the opportunity to network with a bunch of really good people who care deeply about driving down fraud and improving the customer journey.