Retail Technology

E-commerce billing expert Gene Hoffman discusses how new EU data protection directive will fuel success for digital retailers

Harmonising European Union (EU) data privacy rules across national boundaries would give digital businesses direct access to Europe’s 500 million consumers without the contradictory requirements and red tape of 27 separate national regimes.


Gene Hoffman, founder and chief executive of Vindicia, argues that for too long some businesses, like the popular music streaming service Spotify, have found that what is legal in one market may not be in a neighbouring one. “While this complexity keeps lawyers occupied, the system serves only to protect businesses with a lax approach to security,” he said.


“I will acknowledge the proposed EU requirements ask more of data managers than their US equivalents do. But it’s worth remembering that as the digital economy develops, the rules are going to change and the goal posts will move, while authorities play catch up.”


As he points out, digital businesses already have to cope with taxes and currencies that vary across markets, as well as individual state and national privacy requirements. In fact, the only security standard currently harmonised across the US and Europe is the Payment Card Industry Data Security Standard (PCI DSS), and most businesses still struggle to achieve compliance with it.


Benefits of EU regulation


Hoffman said a European directive requiring digital merchants to up their game should be as welcome to customers as reducing red tape is to businesses. He added that the numbers were startling: a recent study of 500 senior IT professionals who had experienced a data breach at their company illustrates some of the risk to consumers:


  • 60% said the customer data that was lost or stolen was not encrypted.
  • The data lost included email addresses (70%), credit card or bank payment information (45%), and social security numbers (33%).
  • Where the cause of the breach was determined, the most common was a negligent insider (34%).
  • Only half of respondents felt their organisation made the best possible effort to protect customer and consumer information.


“This is hopeless,” Hoffman stated. “Big brands continue to let down their customers, and this just has to stop.”


Digital merchants are already outsourcing PCI and privacy requirements, mainly to cloud-based companies. Outsourcing can shrink the scope of a merchant’s own PCI DSS assessment, but it does not transfer accountability: the merchant remains responsible for the cardholder data it handles and for verifying that its service providers are themselves compliant. “And cloud-based companies will manage the new regulations on their behalf when they come into force. Why wouldn’t they?” he asked. “If you’re a retailer, doing compliance yourself is, in the words of one commentator, ‘like a restaurant making its own forks’. It doesn’t have to be painful.”


Penalties commensurate with risk


He said the gist of the proposed EU directive seems reasonable. “Companies with 250 or more employees will have to appoint a data protection officer, unless they are outsourcing the requirement, presumably,” he continued. “In cases where consent is required, organisations will have to explicitly ask for permission to process data, rather than assume it. Although there are concerns about how this can really work in practice. Retailers would also have to confirm data loss within 24 hours of being hacked, or face fines of up to 2% of their global annual turnover under these proposed laws.”


The new rules would have to be approved by the EU's member states and ratified by the European Parliament before they came into effect, which could take a couple of years. “This gives us plenty of time to bring new processes into place,” added Hoffman.


The payoff for business will be substantial: Viviane Reding, the European Union’s justice commissioner, calculates that by simplifying the patchwork of rules and cutting red tape, businesses can expect to save a total of 2.3 billion euros ($3 billion; £1.9 billion) a year.


Gene Hoffman is the founder and chief executive of Silicon Valley-based Vindicia, whose software-as-a-service billing products integrate data protection and marketing tools with Tier 1 PCI DSS and data privacy compliance.