The European Union has released a new compliance standard titled the General Data Protection Regulation (GDPR) which will go into effect on May 25, 2018. It imposes new rules and regulations regarding data privacy that impact all subscription businesses using Recurly which operate in the EU, along with US-based merchants with personal data belonging to EU residents.

Background

GDPR was designed to harmonize data privacy laws across Europe, to better protect EU citizens’ data privacy and to empower them with more control over how their data is used. The regulation seeks to improve the way organizations across the region approach data privacy.

For more detail, visit the following sites:

Who does the regulation impact?

There are two common levels of GDPR compliance: Controller and Processor. The distinction between the two entities impacts the compliance requirements each must meet.  

The Controller is the principal party that collects users’ consent to use their data, manages consent-revoking, enables right-to-access, etc. Using this definition, Recurly merchants—the subscription businesses using our platform—are Controllers.

The Processor is the person or entity which processes personal data on behalf of the Controller. Under this definition, Recurly is the Processor.

An example scenario:

  • Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity.

  • Acme Co. is the data controller, and Email Automation Co. is the data processor in this scenario.

Another compliance-level classification is the Sub-Processor. All Processors, like Recurly, are required to maintain a publicly available list of all third-party services, vendors, etc., that the Processor uses in support of services and which contain EU resident information. For a complete list of all Recurly Sub-Processors, and to opt-in to receive updates, see this page.

As you can see, GDPR is intended to identify, map, and align, under a common standard, all entities where EU resident data is utilized. Its goal is to provide for improved control over how the data is used and maintained. Thus, GDPR’s impact is not limited to the merchant.

How is Recurly responding?

As a Processor, Recurly initiated a new compliance program earlier this year and plans to be fully compliant with the mandates of the GDPR regulation by the May 25, 2018 deadline.

In addition to the required internal updates to policies and procedures as well as internal training, Recurly is proactively reaching out to to all EU merchants to ensure the required Data Processing Agreement (DPA) is in place and executed.

You can download Recurly's DPA. 

What this means for our customers?

Executing the DPA with Recurly is a critical step. Merchants should also consult their legal or compliance advisers to understand the necessary changes that need to implemented to meet GDPR compliance. Recurly cannot advise them on this.

What’s next?

On the surface, GDPR may seem like a daunting task with far-reaching requirements never seen before and significant penalties for non-compliance. Recurly sees this another way. We see a framework that elevates privacy to a new standard where trust can be established and enhanced. Recurly is committed to maintaining this trust and working together with our merchants to ensure their data is safe and privacy guaranteed.