GDPR and data protection in the payments arena

Virtually every kind of business operating in the year 2021 will find itself caught up in a data revolution which is changing everything from how people entertain themselves to how they shop, exercise, and even control their household appliances.

The statistics on the amount of data which is constantly flowing across the digital systems of the world are almost too large to comprehend. According to figures collated by cloud-based operating system Domo, the following happened in 2020:

  • Netflix users streamed 404,444 hours of video
  • WhatsApp users shared 41,666,6667 messages
  • Instagram users posted 347,222 stories

What’s striking about these figures is that they capture digital activity which was taking place every single minute throughout the year.

According to other figures, internet users generate 2.5 Quintillion bytes of data every single day – a huge amount of data. According to The Economist magazine, data is now the most valuable resource in the world, and yet 99.5% of the data collected by companies is currently never used or analysed. The most successful businesses are those which have worked out a way.  

Utilising data

Businesses of every type have been busy working out how to take advantage of the amount of information which they can now gather on their customers, and some of the biggest in the world are those which have figured out exactly how to control and exploit the tidal wave of data which is now created by each and every interaction.

Examples of those businesses which have most successfully made use of big data analytics include:

  • Amazon – the online giant derives 35% of its sales from analysing data on customers, including not only completed sales but also items placed in the cart or even briefly looked at. This data is used to drive dynamic pricing which means the prices on the website change as much as 2.5 million times per day.
  • Netflix – the streaming service has a retention rate of 93% and one of the reasons for this is that they use the data they gather to create a personalised service. The data gathered includes how and when people watch shows, whether they binge watch or space the shows out and how often they pause the stream. One of the plans for the future is for this data to be used to tailor personalised trailers which sell each film or programme on the basis of the customers known preferences.
  • Starbucks – the personalisation offered by Starbucks goes a lot further than merely writing customers’ names on their cups. Utilising tools such as mobile apps and rewards programmes, the company gathers huge amounts of data on customers, which is then used to target recommendations as well as informing decisions such as where to open the next coffee shop. 
  • Marriott Hotels – Starwood hotels, a subsidiary of Marriott, utilises dynamic pricing in a similar way to Amazon, factoring in data on details such as the weather, the economic situation both globally and locally and customer behaviour in terms of reservations and cancellations. The company also placed Amazon echo devices in hotel rooms, updating the traditional role of reception staff and enabling the chain to gather invaluable data on guest’s requirements and preferences.    

All these examples highlight the incredible power of data when it is analysed and utilised correctly. Even smaller businesses now find themselves gathering enough data to be able to fine tune the services which they offer to their customers, and the marketing to attract and engage with more customers.

Along with the opportunities offered by data, come a range of challenges, most of which revolve around ensuring that the way the data is gathered, stored, and used complies with the law.  


In the UK, the General Data Protection Regulation (GDPR) is the EU wide privacy regulation, which was introduced between 2016 and 2018, and the details of which still apply in the UK – under the name of UK GDPR – post Brexit.

The regulations were introduced to update data privacy regulations which were based on a document created in 1980 and updated in 1995. Clearly this was no longer fit for purpose in the interconnected, digitally turbo-charged 21st century, and so a standardised set of regulations was created.

GDPR means that businesses must have privacy settings built into their digital products – such as websites and apps – and these privacy settings have to be switched on by default. In addition, each business has to:

  • Carry out regular privacy impact assessments
  • Strengthen the permissions they apply for using customer data
  • Improve their communication of data breaches
  • Document their use of personal data

It should be noted that the GDPR – UK or EU version – is a strict regulation and not simply a set of recommendations. The punishment for using data in a manner which does not comply can be as much as £17.5 million or 4% of annual global turnover, whichever is greater, and some of the world’s largest and most technologically advanced companies have already been hit with steep GDPR fines:

  • Google – fined €50 million which could have been avoided by giving users more information in consent policies and more control over how their data is processed
  • H&M – fined €35 million for gathering excess personal data on their employees
  • British Airways – fined €22 million for a data breach which enabled hackers to access the log in details, payment card information, and names and addresses of 400,000 customers

If you run a business, it is not enough simply to ensure that the way you deal with data in-house complies with GDPR – you must make ensure that any third-party organisations you work with also comply.

If you use a payment services provider, it is vital that you ensure that the way in which they hold the data gathered on customers meets all standards set by GDPR. If your payment services provider is in breach of GDPR then, to put it simply, so are you.

Trust the standards set by NOIRE

As with all other aspects of processing payments and trading across the globe, working with NOIRE keeps things as simple as possible. We are registered at the Information Commissioners Office (ICO) registration number ZA344502. The ICO is the independent UK body set up to uphold, among other things, the data privacy of individuals.

We also follow all guidelines set out in GDPR and treat every clients’ data as carefully as if it were our own. If the regulations – or the interpretation of those regulations – ever changes, we will know about it and will adjust the service we provide to ensure that the businesses we partner with are still fully compliant.  

To find out more, or to discuss any aspect of our payments service, get in touch with us today – we would be very happy to help you.