Next year sees the introduction of the EU’s new data legislation, the General Data Protection Regulation or GDPR. It applies to any organisation storing or processing personal data, whether using automated systems or manual filing, and replaces the Data Protection Act that has been in place since 1998.
But what does the introduction of this new legislation mean for UK businesses? And how will GDPR work alongside PCI DSS?
What is GDPR and what does it mean for my business?
The GDPR legislation applies to ‘personal data’ and ‘sensitive data’, which include everything from basic contact details through to detailed genetic information. Companies in the EU that store or process this data will have to do so transparently, for a specific purpose and with consent from the data owner. Not adhering to the rules could land you with a hefty fine of up to €20 million or 4% of your global annual turnover, whichever is greater. Ouch.
What about Brexit?
The UK government has confirmed that the UK will still be adopting the new GDPR legislation despite the result of the 2016 EU referendum to leave the EU. GDPR will be in place as planned from May 2018.
So, what is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements relating to the security and storage environment of any company processing, storing or transmitting debit or credit card information. The standard and the management of it, by the Payment Card Industry Security Standards Council (PCI SSC), were created by the major payment card providers – Visa, MasterCard, American Express, Discover and JCB. No matter how large or small your business, PCI DSS compliance must be applied by any organisation paying money into their merchant account directly using credit or debit card information from a customer or third party.
So how will GDPR and PCI DSS work together?
Jeremy King, International Director at the Payment Card Industry Security Standards Council (PCI SSC), said:
“People come to me and say, ‘How do I achieve GDPR compliance?’ … Start with PCI DSS.”
Both GDPR and PCI DSS aim to ensure that businesses secure the processing and storage of customer data. PCI DSS focuses specifically on the processing of customer card payments, whereas GDPR is about protecting customer information in a broader sense. However, while GDPR provides extensive guidelines about the kind of information that needs to be secured, PCI DSS gives more detailed controls and methodology for securing data. So by taking the steps to become PCI DSS compliant, you take a huge leap towards reaching the data protection standards of GDPR.
At PCI Telecom, we create and manage credit card processing systems for over the phone and online payments that are bespoke for your business. Outsourcing your card payment processing to us means you take advantage of our PCI DSS Level 1 accreditation without the hassle of developing your own extensive internal processes.