Unprepared organisations face a significant challenge in meeting the requirements of the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018.
According to Claranet’s Beyond Digital Transformation report, more than two-thirds of British businesses are not securing customer data effectively. 45% said they are having problems securing customers’ details when trying to improve the digital user experience.
Although most businesses are worried about the GDPR, those compliant with the Payment Card Industry Data Security Standard (PCI DSS) may already have a head start.
The PCI DSS and the GDPR both improve the protection of customer data. However, the PCI DSS focuses on payment card data whereas the GDPR focuses on European residents’ personal data.
The key difference between the two is that the GDPR sets out what businesses need to do but doesn’t say precisely how, whereas the PCI DSS highlights what needs to be achieved and how to achieve it.
The sixth data protection principle of the GDPR (confidentiality and integrity) requires data controllers and processors to assess risk, implement appropriate security for the data concerned and check that it is up to date and that protection controls are working.
The PCI DSS creates a set of controls for keeping cardholder data secure that is supported by a regulatory framework. These controls can be applied across the whole business without broadening what counts as cardholder data, and the same controls and processes could provide the building blocks needed to meet the sixth principle’s requirements.
Requirement 3 of the PCI DSS provides guidelines for protecting cardholder data and the specific requirements for encryption. For example, it requires that the primary account number (PAN) must be rendered unreadable wherever it is stored. This includes digital media, backup media and logs.
The GDPR also wants organisations to render certain elements of personal data unreadable; this can be done using pseudonymisation, encryption or both.
Extending your PCI DSS encryption to cover all personal data will be another step towards meeting the GDPR’s requirements.
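As an added illustration of what "rendered unreadable wherever it is stored, including logs" looks like in practice (this is example code written for this page, not from the author or from the PCI SSC), the Python below scrubs a constructed application log line before it is written to disk: candidate card numbers are confirmed with the Luhn check so that ordinary reference numbers are left alone, and each PAN is replaced with a truncated form. It also shows one form of pseudonymisation, a keyed HMAC, which is the same idea the GDPR text is pointing at when it mentions pseudonymisation alongside encryption. The first-six/last-four masking width and the HMAC key are assumptions chosen for the example; a real deployment would take both from its own PCI DSS scoping and key-management decisions.

```python
import hashlib
import hmac
import re

# Constructed sample: a log line that a careless payment service might emit.
# 4111111111111111 is a well-known Luhn-valid test number; the 16-digit "ref"
# is deliberately NOT Luhn-valid so it should survive scrubbing untouched.
SAMPLE_LINE = (
    "2018-05-25 payment ok pan=4111111111111111 "
    "ref=1234567812345678 order=9876543210"
)

# Assumed pseudonymisation key for the example only; in production this comes
# from a key-management system, never from source code.
PSEUDONYMISATION_KEY = b"example-key-do-not-use"

# Card PANs are 13 to 19 digits long. Separator handling (spaces, dashes) is
# left out to keep the example focused on the Luhn filter and the masking.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, star out the rest.

    Assumed masking width for the example; the page itself only says the PAN
    must be unreadable, not which digits may remain visible.
    """
    if len(pan) < 11:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pseudonymise_pan(pan: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Deterministic pseudonym for a PAN via HMAC-SHA256.

    The same PAN always maps to the same token (useful for joining records),
    but the PAN cannot be recovered without the key.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in the line with its mask."""
    def _replace(match: re.Match) -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_CANDIDATE.sub(_replace, line)


if __name__ == "__main__":
    print("before:", SAMPLE_LINE)
    print("after: ", scrub_log_line(SAMPLE_LINE))
    print("token: ", pseudonymise_pan("4111111111111111"))
```

Scrubbing at the point of logging is the cheapest place to enforce the "wherever it is stored" rule, because backups and log shippers then never see a clear PAN in the first place. The HMAC token is a pseudonym, not encryption: it cannot be reversed, so it suits analytics and deduplication, while a PAN that must later be charged again still needs encryption or tokenisation with a recoverable mapping.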
Cardholder information is defined as personal data by the GDPR. This means a breach of this information would make the organisation liable not only under the PCI DSS but also under the GDPR. This reinforces the importance of encrypting and securely storing cardholder information.
Under the GDPR, all personal data breaches must be reported to the supervisory authority within 72 hours. Failing to do this can result in a fine of up to €10 million or 2% of annual turnover, whichever is greater.
Inadequate implementation, or non-implementation, of the PCI DSS will be seen by the Information Commissioner’s Office (ICO) as a failure to implement appropriate “technical and organisational measures” to protect personal data. Therefore, a cardholder data breach will attract GDPR penalties in addition to bank fines.
An organisation that is PCI DSS-compliant reviews its cardholder data annually. These scheduled reviews give a working framework that can be transferred or expanded to comply with the GDPR.
Tom Wood is a member of the IT Governance Publishing team www.itgovernancepublishing.co.uk