GDPR Compliance, Is PCI DSS The Answer?

Posted by Chris Scott

As businesses start to plan ahead to 2017, there is no doubt that data protection will dominate conversations around the boardroom. With the publication of the General Data Protection Regulation in January 2016 the battle lines are drawn and clear timelines have been set. Although GDPR is a good thing for the consumer, most businesses will see it as a headache and would rather put their responsibilities on the corporate back burner, delaying the inevitable.

GDPR is a problem for most businesses, but with little understanding of what is required, coupled with the growing uncertainty over the UK's fate, particularly after recent announcements from Theresa May outlining the start of Brexit by April 2017, there seems to be a growing number of reasons not to think about GDPR. However, GDPR is inevitable, and the UK will be in scope regardless of Brexit: leaving the EU will take over 2 years to complete, so the UK will still be a member when the GDPR deadline arrives. Therefore, businesses need to start tackling the problem head on. When it comes to problem solving there is a simple rule of thumb that allows us to rationalise any response: the 5Ws and 1H rule, the what, why, when, who, where and how.

What is GDPR? – It is the General Data Protection Regulation, which supersedes the Data Protection Directive of 1995. It enhances EU citizens' rights and extends the accountabilities of the Data Controller and the Data Processor in order to protect PII. It is relevant to any business dealing with EU citizens' data, whether you are in the EU or not.

Why do we have GDPR and why do I need to comply? – Cybercrime is a constant threat that increases the risk to consumers' PII; GDPR is the EU law that protects consumer data. Any business storing, transmitting or processing the PII of an EU citizen will be bound by the regulation. Failure to comply with GDPR not only damages your business's reputation, because of the rules on disclosure, but also attracts sanctions of anything above €10 million.

When do I need to comply? – You have until 25/05/2018 before GDPR is fully enforced.

Who in my business needs to be involved and who can help? – Firstly, you need to understand where you hold PII, how the data flows through your business and whether you use third parties. Secondly, you need to consider appointing a Data Protection Officer, who can help with GDPR and work with the necessary teams to meet compliance. GDPR will impact the majority of your departments, so you need to involve representatives from those departments to ensure compliance.

Where do I start and where should I focus my efforts? – You need to understand your role, e.g. whether you are the Data Processor or the Data Controller. You then need to understand the changes from the Data Protection Directive, e.g. the enhanced rights, how you gain consent, the supply chain, etc. Once you have a clear picture of what is required from you as a business, you need to assess the impacts. This is achieved through Data Protection Impact Assessments (DPIAs) and technical and organisational measures. This will give you a set of clear milestones to meet by the deadline.

How can I comply and how can other standards help me? – You need to face GDPR head on; planning is key. If you have appointed the right people, understand what is required from your business and your role in protecting data, and have carried out the DPIA, you are certainly half way there. However, you also need to consider your systems and how you can build an environment that complies with GDPR. This is where I generally favour, and advise my customers to consider, building their platforms to PCI DSS requirements. The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance the security of personally identifiable information and cardholder data, and in the 10 years since its inception a lot of lessons have been learnt. If I take the 12 requirements and replace the words "cardholder data" with "personal data", the standard comes into alignment with what GDPR wants us to achieve. If I were to invent a standard for GDPR I would incorporate a lot of these requirements and expand upon some of the processes to include disclosure, consent, liabilities, etc., but very little would need to change in terms of the technical controls. GDPR is an open book as far as creating a standard goes, so could PCI DSS be the answer and the solution businesses are looking for? Your credit card number is personally identifiable to you. If GDPR puts businesses that handle EU citizens' PII in scope, it makes sense to consider a standard that is already focused on these areas.

To summarise, GDPR is here to stay, and businesses have a short timeframe to get their affairs in order to meet the deadline. Boardrooms need to be fully engaged and forming a strategy for 2017 that considers data protection. A good understanding of the impacts and the changes required to meet compliance needs to be reached, and in the absence of a GDPR-specific standard, businesses would benefit from adopting PCI DSS as the standard of choice.
With so much to do and the migration window slowly diminishing, smart businesses will be focused on GDPR and data protection in 2017.