Bacs and GDPR
The General Data Protection Regulation (GDPR) is an EU regulation that came into force on 25 May 2018 requiring all organisations to identify changes that need to be made to achieve GDPR compliance in their personal data processing activities. The regulation put individuals in control of their personal data, allowing them to choose how (and whether) businesses use their data. The regulation will still apply to organisations once the UK leaves the EU in 2019.
GDPR provides the regulator with wide enforcement powers and introduces significant fines for non-compliance. If you are a Bacs service user or a Bacs approved bureau, it is important to be aware that in relation to your file submission activities, Bacs is not your data processor. Bacs is a joint controller for the Scheme, along with our participant payment service providers. Bacs is not a joint controller for the submission activities of service users and bureaux.
Your obligations to be legally compliant, including in relation to data protection and therefore the GDPR regulations, are included in the terms and conditions agreed with your authorising payment service provider (e.g. your sponsoring PSP).
Should you require any further information relating to GDPR, or have any questions on the steps required to ensure you are fully compliant with the regulation, refer to the ICO’s website, which contains a range of useful resources.