2018 will see a number of major changes to the commercial landscape that will affect many businesses. Particularly at risk will be those who charge customers for paying by credit or debit card, or who process any personal data of EU citizens at any time (of customers, clients or their staff).

Set out below is a summary of the impending changes. Legal advice should be taken in relation to the specific implications for you or your organisation.

Data Protection

No area in the commercial sphere will see greater change in 2018 than that brought in by the General Data Protection Regulation (GDPR). From 25 May, the GDPR will strengthen a data subject’s protection, forcing companies to get explicit consent to use any personal data (in plain English) before selling their products or the data to third parties. The GDPR is designed to remind businesses that personal data is owned by the individual data subject, not the business. Further, the data is not purchased from the data subject; it is merely on loan from them for specific pre-agreed purposes.

From this date, you must not process the personal data of any EU citizen unless you can prove that each customer, client or staff member on your database has given their express consent to the exact purposes to which you intend to put their data. This will apply to all customers, not just new customers from May.

Pre-existing industry practices will not necessarily satisfy the new GDPR consent standards. These include: a) getting a customer to tick a box online; b) requiring the customer to unselect a pre-ticked box if they do not want to be contacted; c) automatically signing customers up to email marketing schemes when they buy a product; or d) ‘cold’ calling.

In addition, individuals will be given more rights under the GDPR to protect their personal data. These include rights to limit how and when their data is processed, free rights to unsubscribe from any marketing at all times, enhanced rights to access their data, the right to request their data is transferred to a third party, and to delete all or any part of their data.

From May, businesses must either comply, or risk significant financial consequences (which can, in the most serious cases, be up to 4% of annual worldwide turnover). Compliance is not as simple as placing a privacy policy in a window or on a website; the right processes and practices need to be in place now and all staff who handle personal data need to be aware of the organisation’s obligations relating to data protection. At the very least, start by accurately reviewing and mapping what data you hold, why you hold it and how you got it. We can provide a checklist to help with this.

If you process personal data but have not already registered with the Information Commissioner’s Office, you must do so as a matter of urgency. Failure to do so is a criminal offence. The relevant form can be found here.

Charging customers for paying by debit or credit card

If you currently charge non-business customers for paying online, by credit or debit card or for making direct debits or BACS transfers, you will no longer be able to do so from 13 January when the 2017 Payment Services Regulations apply. Organisations particularly at risk include airlines, theatres and cinemas, and even the local off licence or hardware store. It will equally apply to local councils, HMRC and the DVLA. Any non-business customer who incurs this charge from this date can make a complaint online to local trading standards, and get such fees refunded.

The changes mean that where both the customer and trader are located within the EEA (the EU plus Iceland, Norway and Liechtenstein), these surcharges cannot be applied. Where only one is within the EEA, the surcharge can apply but any fee must not exceed the cost incurred by the trader for accepting that payment method.

Changing practices for new customers will be relatively straightforward, subject to any back-end review of existing procedures and commercial models. Applying the new rules to existing customers who pay by direct debit (for example) will create additional administration.

Any surcharges applied to payments by corporate credit cards, or ‘service’ fees for ATM cash withdrawals, are not affected. These changes will also not prevent a seller imposing a minimum spend for paying by card. However, charging for any payment less than this minimum amount will no longer be legal (so the seller must either refuse the sale or ask the customer to pay via cash).

Portability of Digital Content

If you pay for online live or on-demand content services in your home country (such as AmazonPrime®, Netflix® or SkyGo®), from Q1 (precise date TBC), you will be able to watch that same content when you travel within the EU, at no additional cost. The user must also be able to view the content in the same way as if they were in their home country (i.e. same content, number of devices, visual quality and functionalities). The new accessibility requirements will apply to any length of travel (holidays, business trips, weekend breaks).

Users should note that there is no obligation on the broadcaster or platform to guarantee the quality of their content when viewed abroad. This will remain subject to local internet speeds and bandwidths, and any regional variations in quality of internet access.

If you are a broadcaster or subscription service provider that licenses access to content on a territorial basis (particularly sports broadcasters), this will have significant implications for your business and licensing models.

Free-to-air terrestrial services may also benefit from the new rules, provided they change their sign-up procedures to verify the residence of their viewers using an ID or residency card, bank account or credit card details or proof of address (amongst others) on registration.