As specific technical standards are yet to be established, organisations should build their platforms to PCI DSS requirements
In the absence of any established standards for the fast approaching General Data Protection Regulation (GDPR), businesses should look to the Payment Card Industry Data Security Standard (PCI DSS) to ensure compliance. This is according to Chris Scott, Data Protection Officer (DPO) at The Bunker, who believes that organisations should build their platforms to the requirements of PCI DSS.
The GDPR comes into effect on 25 May 2018 and brings an array of new guidelines for organisations in relation to Personally Identifiable Information (PII). Along with these requirements come huge potential fines of up to 4 per cent of annual turnover or £15.8 million (whichever is the greater sum) for failing to keep personal data appropriately secure. As it stands, the GDPR neither cites any existing or future Technical and Organisational Measures (TOMs) nor identifies a specific body to manage the process of accreditation. This leaves many organisations guessing as to whether or not the controls they enforce will be deemed appropriate technical measures.
For Chris Scott, PCI DSS presents a solution to this obstacle. As this standard was developed to encourage and enhance the security of PII and cardholder data, it would be advisable for organisations to build their platforms to these requirements in preparation for the GDPR.
He explains: “The GDPR is a complicated piece of legislation and the stakes are high for companies that fail to get it right. Organisations need to ensure they have built an environment that complies with the GDPR. However, standards are yet to emerge, which means businesses cannot be certain that the systems they have in place will be considered suitable. This creates a potential stumbling block on the path to compliance. Considering that PCI DSS was designed to ensure businesses that store or transmit credit card information maintain a secure environment, it would be advisable for organisations to take direction from this and consider building their platforms to PCI DSS requirements in order to address the GDPR.
“PCI DSS has evolved continuously since it was developed 10 years ago and it now represents the gold standard in the protection of PII. If a standard for the GDPR were to be created, it should be based on this. By taking the 12 requirements and replacing the phrase ‘cardholder data’ with ‘personal data’, this brings the standard into alignment with what the GDPR wants us to achieve: enhanced protection of PII. Although some of the measures would need to be expanded upon to address specific GDPR requirements – such as disclosure, consent and liabilities – very little would need to be changed in terms of technical controls.
“Businesses have a short timeframe to get their affairs in order so they can meet the impending GDPR deadline, and boardrooms need to be forming a strategy for 2017 that considers data protection. As the GDPR is currently an open book with regards to a standard, companies would be wise to select a Cloud Service Provider (CSP) that is fully PCI DSS compliant. They must conduct due diligence when doing so, as while some providers claim to be fully compliant, this often only applies to part of their operations. Ultimately, choosing a provider who can meet all 12 PCI DSS requirements will put organisations in good stead to address those of the GDPR,” concludes Chris.