Privacy and security are central to what we do at Vindicia. From the very beginning of our platform, we architected our platform to segment merchants’ data from one another. Although we were a true multi-tenant solution before it was fashionable, it just made sense – no one wants their data to leak, and we respect that.
Fast forward a bit, and now the industry is talking about a different kind of privacy – individual privacy. GDPR, the General Data Protection Regulation, is about to become the law of the land in the European Community. This new directive allows individuals the right to manage their own data, including having it deleted when they want. Vindicia has always been committed to supporting all relevant regulations, and GDPR is no exception. So, how does this work for Vindicia clients?
It’s pretty simple, really. Vindicia merchants may receive a request from their end customers, requesting that their data be erased. The merchant needs only communicate that request to Vindicia Support, and we’ll handle everything from there. We will overwrite or erase all PII for the consumer in question and deactivate the consumer’s account, subject to any applicable data retention requirements and policies (e.g., PCI DSS retention regulations). Once complete, we’ll communicate back to merchant that we’re done. It’s really that simple.
Merchants rarely leave Vindicia (we’re extremely proud of our industry-leading retention rates). However, in the rare case where someone does move away from our platform, we’ll also expunge their data after the applicable data retention period.
There are some technical implications on our side. For example, if a consumer subscribes to both the NBA and the NFL, we’ll have the credit card and similar personal information twice – once for each merchant. We’ll delete it for the account the consumer has requested, but it may still exist for other accounts. However, because of the way we’ve architected from the very beginning, we have complete clarity about which consumer account is associated with which merchant.
We also utilize broad statistical data to improve the performance of the platform, but PII is actually the antithesis of useful in that case. When we’re tuning how CashBox and Select work, we’re looking at large data sets. Aggregation and anonymization are core to how those processes work because we really want to see the forest, not the trees. We’ve engineered our end-to-end processes to ensure we can still maximize value for our merchants while protecting any individual consumer who wants to say goodbye. For our merchants, it means they’re already compliant with the new regulations, and they didn’t have to do a thing to achieve this. Also, since we see privacy laws converging globally and we have the privilege of working with merchants from a wide range of industry segments with varying levels of regulations and security requirements, we design our platform and policies with the goal of helping all of our merchants meet their own regulatory obligations efficiently and with minimal burden on their business models.
It’s all just part of how we do what we do.
To learn more, visit our GDPR web page and read our FAQ document.