Intelligent Fin.tech Issue 06 | Page 27

EDITOR'S QUESTION

The payment industry is heavily regulated and becomes increasingly complex when it comes to handling transactions across geographical borders, given the growing body of legislation around not only securing payments but data privacy as well. The General Data Protection Regulation (GDPR) set the current benchmark for data privacy, so aiming for it as a goal can be effective; however, there are also numerous standards internationally, including the Protection of Personal Information Act (PoPIA) in South Africa, as well as other guidance and frameworks from other countries.

Always aim higher
When making a cross-border payment, it is essential to contact the relevant regulators to ensure that the requirements in the origin and destination countries are understood and aligned. If one supersedes the other, it is important to always comply with the more stringent requirement. The onus is on businesses to ensure compliance from their own perspective as well as that of any third-party suppliers. Compliance with GDPR will, in many cases, cover the bases required for cross-border payments for most countries. However, customers and clients are within their rights to request proof of compliance, which would typically involve a third-party assessment and audit each time. For organisations dealing with large volumes of transactions, like a multinational online retailer or cloud services provider, certification on standards like ISO 270001 and ISO 277001 gives customers peace of mind that their information is handled securely. For smaller organisations, working toward the requirements of these standards, without the certification exercise, can stand them in good stead.
Where do you start?
Data breaches carry more risk today than simply compliance challenges. There is a real danger of reputational damage and loss of customer confidence, which can cause untold long-term damage. Organisations need to take this seriously, beginning by understanding their data: how it flows through the organisation and out of it, and how it is managed.
Financial information passes through multiple gateways that need to be secured throughout its journey. All documentation needs to be classified according to its nature and department so that the correct legislative requirements can be applied. There also needs to be a compliant process in place covering the full lifecycle, from capture through to destruction, in which the relevant parties are both responsible and accountable for the information.
A risk register is a good place to start, identifying all the risks a business faces and what it needs to comply with. From there, an incident response policy can be developed to document what steps must be taken to protect data and what must be done in the event of a breach.
While aligning with international certification standards can ensure that organisations comply with PoPIA and other legislation, the landscape can be complex, with technological, administrative and functional elements to consider as well. The right partner can help organisations from beginning to end: identifying the gaps, closing them, keeping them closed and preparing for certification if needed.

RYAN BOYES, GOVERNANCE, RISK AND COMPLIANCE OFFICER AT GALIX www.intelligentfin.tech