Introduction

The General Data Protection Regulation is a European Union privacy law that comes into effect on May 25, 2018. It increases restrictions on what organizations can do with your data, and it extends the rights of individuals to access and control data about them.


What does the GDPR stand for, philosophically?


The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for personal information from individuals who live in the European Union (EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that attract European visitors, even if they don't specifically market goods or services to EU residents.


The GDPR mandates that EU visitors be given several data disclosures. The site must also take steps to facilitate such EU consumer rights as a timely notification in the event of personal data being breached. Adopted in April 2016, the Regulation came into full effect in May 2018, after a two-year transition period.


Customer-Service Requirements of the GDPR


Under the rules, visitors must be notified of data the site collects from them and explicitly consent to that information-gathering, by clicking on an Agree button or other action. (This requirement largely explains the ubiquitous presence of disclosures that sites collect "cookies"—small files that hold personal information such as site settings and preferences.)


Sites must also notify visitors in a timely way if any of their personal data held by the site is breached. These EU requirements may be more stringent than those required in the jurisdiction in which the site is located.


Also mandated is an assessment of the site's data security, and whether a dedicated data protection officer (DPO) needs to be hired or an existing staffer can carry out this function.


Information on how to contact the DPO and other relevant staffers must be accessible so that visitors may exercise their EU data rights, which also include the ability to have their presence on the site erased, among other measures. (Naturally, the site must also add staff and other resources to be capable of carrying out such requests.)


Other Rules and Mandates of the General Data Protection Regulation (GDPR)


As further protection for consumers, the GDPR also calls for any personally identifiable information (PII) that sites collect to be either anonymized (rendered anonymous, as the term implies) or pseudonymized (with the consumer's identity replaced with a pseudonym). The pseudonymization of data allows firms to do some more extensive data analysis, such as assessing average debt ratios of its customers in a particular region—a calculation that might otherwise be beyond the original purposes of data collected for assessing creditworthiness for a loan.
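The pseudonymization step described above, as an added example that is not part of this page: direct identifiers are stripped, the customer id is replaced by a keyed hash (HMAC, so low-entropy ids cannot be recovered by brute force without the key), and the regional debt-ratio analysis runs on the pseudonymized rows only. The record field names, the sample customers and the key are all constructed for this example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records; the field names are an assumption of this example.
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "A. Example", "email": "a@example.test",
     "region": "DE", "debt": 12000, "income": 48000},
    {"customer_id": "C-1002", "name": "B. Example", "email": "b@example.test",
     "region": "DE", "debt": 6000, "income": 60000},
    {"customer_id": "C-1003", "name": "C. Example", "email": "c@example.test",
     "region": "FR", "debt": 9000, "income": 30000},
]

# Constructed key. In practice it lives in a key store, separate from the
# pseudonymized dataset; holding it is what lets the controller re-link a
# pseudonym, which is the difference between pseudonymized and anonymized data.
PSEUDONYM_KEY = b"constructed-secret-key-for-this-example"

# Direct identifiers that must never reach the analysis dataset.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")


def pseudonymize(record, key):
    """Replace the customer id with a keyed hash and drop direct identifiers.

    HMAC rather than a plain hash: customer ids are low-entropy, so an unkeyed
    SHA-256 could be reversed by hashing every candidate id.
    """
    pseudonym = hmac.new(key, record["customer_id"].encode(), hashlib.sha256).hexdigest()
    return {
        "pseudonym": pseudonym,
        "region": record["region"],
        "debt_ratio": record["debt"] / record["income"],
    }


def average_debt_ratio_by_region(records, key):
    """The regional aggregate the text describes, computed on pseudonymized rows only."""
    ratios = defaultdict(list)
    for record in records:
        row = pseudonymize(record, key)
        # Guard: the analysis layer must not see direct identifiers.
        assert not any(field in row for field in DIRECT_IDENTIFIERS)
        ratios[row["region"]].append(row["debt_ratio"])
    return {region: round(sum(r) / len(r), 4) for region, r in ratios.items()}


if __name__ == "__main__":
    print(average_debt_ratio_by_region(CUSTOMERS, PSEUDONYM_KEY))
```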


The GDPR affects data beyond that collected from customers. Most notably, perhaps, the regulation applies to the human resources records of employees.


Controversies Associated With the GDPR


The GDPR has attracted criticism in some quarters. The requirement to appoint DPOs, or simply to assess the need for them, some say, imposes an undue administrative burden on some companies. Some also complain that the guidelines are too vague on how best to deal with employee data.


In addition, data cannot be transferred to another country outside the EU, unless the receiving company guarantees the same degree of protection as the EU requires. This has led to complaints about costly disruptions to business practices.


There's a further concern that the costs associated with GDPR will increase over time, in part because of the escalating need to educate customers and employees alike about data protection threats and remedies. There's also skepticism over how feasibly data protection agencies across the EU and beyond can align their enforcement and interpretation of the regulations, and assure a level playing field as the GDPR goes into fuller effect.


GO Supply-GDPR


Reservation transmission


  • Any guest information in the reservation placement process must be encrypted, stored and hidden throughout the entire process, and is not visible to the DerbySoft system.
  • Go Supplier supports PSD2's latest secure payment standard at the API level. The following describes the behavior implemented by DerbySoft for PSD2.


Three Domain Security


New fields were added to the BookReservationRequest and ModifyReservationRequest to carry the Three Domain Security (3DS) information.


Element (Type, Occurrence): Description

  • cavv (String, Mandatory): Cardholder Authentication Verification Value Information retrieved from the 3DS provider when authentication is successful.
  • eci (String, Mandatory): The electronic commerce indicator.
  • xid (String, Mandatory): Transaction identifier for a 3DS Version 1 provider, assigned by the Directory Server to identify a single transaction.
  • threeDomainSecurityVersion (String, Mandatory): Include this only for 3D Secure 2.
  • transactionId (String, Mandatory): Transaction identifier for a 3DS Version 2 provider, assigned by the Directory Server to identify a single transaction.
  • merchantName (String, Mandatory): Identifier of the merchant completing the 3DS transaction.
  • extensions (Map<K,V>, Non-Mandatory): A common extension object for extra attributes like account, extra setting required by distributor etc.
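A receiving-side check of the 3DS fields listed above, as an added example that is not DerbySoft's code: it refuses to forward a booking whose authentication evidence is incomplete and reports field names only, so cavv never lands in logs. The wrapper key "threeDomainSecurity", the message texts and the sample requests are assumptions; so is the reading of the table that threeDomainSecurityVersion plus transactionId identify a 3DS 2 transaction while xid identifies a 3DS 1 one.

```python
# Field names are those in the 3DS table above. The wrapper key
# "threeDomainSecurity" and the message texts are assumptions of this example.
COMMON_FIELDS = ("cavv", "eci", "merchantName")


def _required_string(tds, field, problems):
    value = tds.get(field)
    if not isinstance(value, str) or not value.strip():
        problems.append(f"{field} is missing or empty")


def validate_3ds(request):
    """Return the problems found; an empty list means the 3DS evidence is
    complete enough to forward the booking."""
    problems = []
    tds = request.get("threeDomainSecurity")
    if not isinstance(tds, dict):
        return ["threeDomainSecurity object is missing"]
    for field in COMMON_FIELDS:
        _required_string(tds, field, problems)
    # Assumed reading of the table: threeDomainSecurityVersion is present only
    # for 3DS 2, which uses transactionId; without it the transaction is 3DS 1,
    # which uses xid.
    version = tds.get("threeDomainSecurityVersion")
    if version is None:
        _required_string(tds, "xid", problems)
    else:
        _required_string(tds, "threeDomainSecurityVersion", problems)
        if isinstance(version, str) and not version.startswith("2"):
            problems.append("threeDomainSecurityVersion must be a 3DS 2 version")
        _required_string(tds, "transactionId", problems)
    extensions = tds.get("extensions")
    if extensions is not None and not isinstance(extensions, dict):
        problems.append("extensions must be a map when present")
    # Only field names are reported: cavv is authentication evidence and
    # must not end up in application logs.
    return problems


# Constructed sample requests; every value is a placeholder.
BOOK_V2 = {"threeDomainSecurity": {
    "cavv": "constructed-cavv", "eci": "05", "merchantName": "Example Hotel",
    "threeDomainSecurityVersion": "2.2.0", "transactionId": "constructed-ds-trans-id"}}
BOOK_V1_NO_XID = {"threeDomainSecurity": {
    "cavv": "constructed-cavv", "eci": "05", "merchantName": "Example Hotel"}}

if __name__ == "__main__":
    print(validate_3ds(BOOK_V2), validate_3ds(BOOK_V1_NO_XID))
```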


APIs


API Type       Endpoint                      Description
AgencyUSB      /reservation/book             BookReservationRequest
AgencyUSB      /reservation/modify           ModifyReservationRequest
ExtranetUSB    /reservation/bookNotify       BookReservationNotifyRequest
ExtranetUSB    /reservation/modifyNotify     ModifyReservationNotifyRequest

Note:
As many key travel suppliers and distributors are preparing solutions for PSD2, DerbySoft Go now releases the minimum required fields that partners must implement to comply with PSD2 and SCA. The interface will be enriched in the following Go versions to support more solutions from our partners.


Who will be Affected


  • PSD2 applies to all European Union organizations involved in online payment services.
  • This will still apply to the UK on departure from the EU.
  • We recommend our partners do this as soon as possible to comply with PSD2 and SCA requirements and avoid transactions from being declined.



  • The Second Payment Services Directive (PSD2)
    • The Second Payment Services Directive (PSD2) is a new European Union regulation which regulates payment services in Europe.
    • Part of PSD2 includes new security requirements which will impact online businesses accepting card payments.
    • Currently, PSD2 regulation will be enforced in the UK, regardless of the outcome of Brexit.


  • Strong Customer Authentication (SCA)
    • PSD2 introduces strict security requirements for the initiation of electronic payments in order to reduce the risk of fraud.
    • These requirements include Strong Customer Authentication (SCA), which is an authentication process that validates the identity of the user of a payment service or a payment transaction.
    • SCA will be enforced in Europe by 31 December 2020, and in the UK by September 2021, so you will need to make sure your systems are up to date.


  • 3-D Secure (3DS)
    • To ensure that your transactions continue to process successfully when this regulation comes into force, you must ensure you support a PSD2-compliant version of 3D Secure.
    • 3DS is the card industry authentication protocol that allows card issuers to authenticate their cardholders during checkout.