What you need to know about GDPR
General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and requires businesses and organisations to protect the personal data and privacy of EU citizens for transactions that take place within member states.
In the UK, the new legislation has replaced the Data Protection Act 1998, which was introduced following the 1995 EU Data Protection Directive.
What does GDPR mean for me?
GDPR ensures that data protection rules are consistent across the EU – with tougher penalties for non-compliance and breaches – and gives people a greater say over what can be done with their information. GDPR means that you will have just one standard within the EU, but does require considerable investment and effort to meet the requirements and administer.
Can PCI compliance help?
Both PCI DSS and GDPR regulations have been developed to ensure businesses and organisations protect personal data – one focusing on card data and the other on personal data of EU residents. As a result, if you are PCI compliant; or already working on it; you should have a head start and can use your experience to help implement the data security controls needed for GDPR.
How do PCI DSS and GDPR compare?
The biggest, and most important, difference between the two sets of regulations is that PCI DSS is significantly more prescriptive. While GDPR delivers guidance on what needs protecting without detailing a rigid action plan, PCI DSS outlines exactly what is required and a clear methodology for achieving this.
Building on your PCI compliance
If you are already PCI DSS compliant, then introducing complementary GDPR compliance will be simpler than would be otherwise. For example, you should already be carrying out annual reviews of cardholder data, which provides an initial framework for applying appropriate GDPR measures. In fact, having already adopted and invested in controls for keeping cardholder data secure, you may realise you already possess many of the necessary technologies and procedures needed to protect personal data.