How to overcome the challenges of GDPR: CoinGate’s story

On May 25th, 2018, the General Data Protection Regulation, or simply the GDPR, came into force. For us at CoinGate, its importance is undeniable: it replaced the outdated 1995 Data Protection Directive, which was unsuited to the digital age we now live in.

As the official page of the recent legislation states, “The regulation will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond.” To put it simply, the GDPR aims to protect the personal data and freedoms of European Union citizens, as well as empower them to control how their data is being gathered and handled.

The influence of the new legislation is far broader, though. It also has a meaningful impact on how businesses deal with personal data. Now, every piece of what is considered personal information must be processed in a transparent way, and collected and used only for a specific, stated purpose.

Furthermore, that data must be kept accurate and secure, and retained only until its purpose expires or the individual exercises the right to request the erasure of their personal information. This applies to all companies worldwide that process the data of people in the EU, whether a bank, a marketing agency, or a payment gateway such as CoinGate.

However, companies that fall under the category of financial institutions carry a much bigger responsibility, considering how much sensitive information they handle. Compared with other types of businesses, such data is far more critical: identity documents and transaction histories, not just e-mail addresses. Thus, CoinGate is obliged to be exceptionally diligent in protecting the privacy and the funds of those who use its payment processing services.

Challenges of GDPR implementation

While the new regulation is intended to simplify the regulatory environment of data privacy for businesses, many companies struggle to meet even the minimum requirements it demands. As of now, start-ups seem to face the biggest challenges in implementing the necessary procedures.

Considering the development pace of start-up companies, this is not surprising at all. The requirements of the new legal framework can be overwhelming for companies that have only just started to develop their product. Nonetheless, for companies that fail to comply, whether through a data breach or through poor handling of personal data, fines can reach up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher, on top of lost reputation and clients' mistrust.

For absolute beginners building companies from the ground up, gambling on never having a data leak might look like a bet worth taking, but it is not an option for large, established companies. For them, the penalties and loss of trust could be a death sentence. So, in a way, the new legislation works as a filter that identifies not only those who take their businesses seriously but also those who strive to do it in a socially responsible manner.

Nonetheless, GDPR compliance is not a matter of choice. It is of the utmost importance not only for companies that want to thrive in future ventures but also for customers who understand the value and sensitivity of their personal data. Business clients, in particular, tend to rely on companies that are fully compliant and disclose how their data is used and stored. Hence, preparation for full compliance must be executed without flaws, whatever the cost.

How did the new changes impact CoinGate?

As CoinGate serves a wide range of customers, including merchants, shoppers, traders, referral partners and various contributors, the risk of failure simply cannot be allowed. That is why, even before the GDPR described in detail how personal data must be handled, we at CoinGate took additional steps to ensure that our customers' sensitive data remained as secure as possible.

Recall the period of huge database leaks in 2014–2017, when the media was full of news about breaches exposing enormous amounts of private data. The numerous, infamous leaks at Yahoo, Adobe, Ashley Madison, Dropbox, FriendFinder Networks and others resulted in billions of records being spread across the internet. Password-reuse (credential-stuffing) attacks skyrocketed, and whole new industries for blackmailing victims emerged. This unfortunate chain of events, and the poor data privacy standards behind it, fundamentally changed the way companies are built today. CoinGate itself was built with an understanding of the importance of security. The mistakes of the past served as a lesson in how to avoid leaks and risks in the first place.

The importance of safety could not be stressed more, so CoinGate encrypted all customer data and kept the encryption keys in cold storage, offline and separate from the encrypted data, well before it became an official requirement. On top of that, just before the new regulation came into force, employees were trained on the management of sensitive data so that operations could continue without disruption.

Overall, the GDPR did not force CoinGate to build a compliance base from scratch. Instead, it prompted a review of what additions were needed to adapt to the current legal requirements. That is why we undertook a thorough preparation effort in partnership with the compliance experts at Dataprotection.lt.

Partnership with the best experts in the region

Dataprotection.lt is a specialized consultancy providing GDPR and data protection compliance services, both locally and internationally. The company consists of a team of young, innovative and competent data protection compliance experts, some of whom have 10 years of practical and academic experience in the field. The partnership with Dataprotection.lt's legal team helped us to overcome all the difficulties of the new legislation.

The GDPR prompted many changes, and the contribution of Dataprotection.lt to our operations was tremendous: they helped us fully adapt our business to the current legal environment and make our procedures even more secure. In order to comply with the new legal framework and become even more transparent, the following procedures were implemented together with Dataprotection.lt:

  • a GDPR compliance audit;
  • appointment of a Data Protection Officer;
  • new procedures, such as data security breach management, handling of data subject rights requests, and data protection impact assessments;
  • renewed documents required under the GDPR: Privacy Policy, Data Protection Policy, Security Policy, Data Processing Agreement, and records of processing activities;
  • data protection audits of current suppliers and partners;
  • tailoring our IT product to the new standards;
  • further training of employees.

Thanks to this partnership, all the necessary changes were finalized before the new regulation came into force. Moreover, Dataprotection.lt provides the Data Protection Officer as a service. As CoinGate continues with further ventures, new challenges arise that must be addressed right away.

What challenges lie ahead?

As the saying goes, "nothing is constant except change". For me as an entrepreneur in the blockchain industry, facing constant challenges to adapt to new rule-sets is fairly usual. Hence, after finalizing our GDPR work, we immediately shifted our attention to the next point of focus.

The 5th Anti-Money Laundering Directive (5AMLD), proposed by the European Commission and adopted in 2018, must be transposed into national law by EU member states by January 2020. The new directive is extremely relevant to fintech, as it changes how cryptocurrency payments will be handled: providers of exchange services between virtual and fiat currencies, as well as custodian wallet providers, become obliged entities subject to the same AML duties as other financial institutions. As CoinGate provides cryptocurrency payment processing services, we fall under the same radar.

Until now, AML rules have not been clear about cryptocurrency-related activities, which made them easier to exploit for financing criminal activity or laundering money. In order to reduce the possibility of using blockchain-based payments for illicit acts, the crypto industry will have to implement new anti-money laundering (AML) and counter-terrorist financing (CTF) procedures, such as customer due diligence and suspicious transaction reporting.

CoinGate plans to handle this in the same way it handled the GDPR, by joining forces with another expert in the field. I think it is always smart to rely on those who can provide the best expertise and execute all the necessary operations with high competence and without errors. So, that is what we are going to do.

Conclusion

The compliance team at CoinGate is already preparing for the upcoming changes and will be fully ready before the new directive takes effect. Though some might perceive all these alterations as "jumping through hoops", they are not something to shy away from. After all, in a fast-paced world constant change is inevitable and should be expected at all times.

I always keep in mind that change often leads to progress, and progress itself is programmed into human nature. History is clear proof of this, so it is wise to keep the same mentality as we go forward.