As you probably know, there’s a lot of pressure on organizations to ensure that they are compliant with the new EU GDPR regulations by 2018. At Syntec we’re increasingly asked how PCI DSS and GDPR are related. In this blog I’ll discuss the overlap between the two and how PCI compliance can help you then build GDPR compliance into your systems and processes.
What is the GDPR?
GDPR (the General Data Protection Regulation) is designed to strengthen and unify data protection, as it applies to anyone living within the European Union. The regulation was adopted in April 2016 and comes into law in all EU countries in May 2018.
One of the key changes of the GDPR is that there will no longer be individual data protection bodies in each EU country. As soon as the GDPR becomes law, it becomes law across all EU member states without any need for individual states to enact it through local legislation.
Brexit does not change this for the UK. The GDPR comes into force in 2018 and the UK will be bound by all EU laws at least until it formally leaves the EU, so until 2019 at the earliest. Additionally, if your business deals with customers within the EU or you have parts of your business located within the EU then you’ll be subject to the GDPR, even after the UK leaves.
Failure to comply with the GDPR’s requirements for the protection of customers’ personal information may have extremely serious consequences for organizations, including fines of up to £20m or 4% of turnover (whichever is greater) in the case of a data breach or failure to report one within 72 hours. This could be far reaching both financially and in terms of brand and reputational damage, so it’s critical that organizations don’t ignore this and take time to work through a thorough compliance process.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of regulations governing information security that applies to all organizations taking credit or debit card payments. PCI DSS is a worldwide standard that is designed to reduce card fraud and ensure that businesses take card payments securely. You can read more about this here.
How are the GDPR and PCI DSS related?
Both PCI DSS and GDPR are designed to improve customer data protection. PCI DSS focuses on payment card data whilst the GDPR focuses on personally identifiable information. However, despite the clear overlap there are significant differences in terms of how the two are phrased.
The good news for organizations already PCI DSS compliant is that the GDPR is less prescriptive than the PCI DSS standard. The GDPR lays out what organizations need to do but does not spell out precisely how. In contrast, PCI DSS not only specifies what needs to be achieved but also how it should be achieved, with regular updates and laying out a clear methodology for achieving card data security that the GDPR lacks.
British organizations also have an advantage here. The UK is ahead of most countries in Europe in terms of the levels of enforcement of PCI DSS by the payment brands (Visa, Mastercard, American Express etc.). Any organization taking card payments is required to comply with PCI DSS and whilst larger organizations may not yet have achieved PCI DSS compliance across all their activities yet and smaller ones may not yet have engaged much if at all, PCI DSS compliance is nevertheless already more prevalent in the UK than elsewhere in Europe. This gives the UK a head start when it comes to managing the process of becoming GDPR compliant.
“People come to me and say, ‘How do I achieve GDPR compliance?…Start with PCI DSS.”
What if I am already PCI DSS compliant?
In essence, PCI DSS and GDPR complement each other, and organizations already PCI DSS compliant will find that it’s relatively straightforward to enact GDPR compliance alongside what they already have in place. Complying with PCI DSS can also be used to help show that you comply with GDPR.
If your organization is PCI DSS compliant then you will already be conducting annual reviews of the card data that you process as a requirement of your compliance. The aim of this is to ensure that any new technology you’ve introduced or new processes you’ve implemented are included within your PCI DSS compliance. This schedule of reviews gives you a framework that can also be used when implementing GDPR, giving you an advantage over those organizations that are starting from scratch.
Likewise, if you’re PCI DSS compliant then your organization may well have already invested in secure technologies, encryption, auditing, firewalls, logging and so on. Once you’ve identified the additional personal data your organization needs to protect under the terms of the GDPR then you could already have the technology, processes and procedures in place to protect it. The technology you’re already using for PCI compliance can be extended into this new arena in many instances.
What if I am not already PCI DSS compliant?
If you are starting from scratch, then consider building your GDPR platform in such a way as to comply with PCI DSS requirements at the same time. PCI DSS has been around for a decade now, so has a set of very well established protocols and methodologies. It specifies 12 areas of security regarding cardholder data. If this approach were to be adopted for all personal data, not simply cardholder data, then compliance with GDPR standards would be reached.
Indeed, GDPR makes total compliance with PCI DSS essential for any organization that’s processing customer card payments of any kind. So if your organization is fully compliant with PCI DSS and you adopt a similar approach when considering how to manage other personal data that’s beyond the scope of PCI DSS, then the chances are that you will also be GDPR compliant.
Data protection to these new levels may seem like a significant administrative burden. However, it’s vital that you get ahead of the game and take steps now to ensure that your organization is collecting, storing and sharing personal data in a controlled and secure way that complies with these new regulations. Only by doing this can you ensure ongoing compliance and avoid the substantial fines and potential reputational damage that can result from a breach.
Given the increasing regularity of news stories about hacks, data theft and ransom demands involving all kinds of organizations, anyone who regards these new regulations as anything other than helpful in protecting their customers’ personal data, as well as possibly their own and their employees’ livelihoods, is burying their head in the sand.