GDPR doesn't include standards yet. How to apply your learnings from PCI DSS.

Posted by Marco Borza on Mar 27, 2020 11:22:53 AM

The General Data Protection Regulation (GDPR) is set to change the way we store and protect personal data for good. After extensive awareness campaigns, most senior IT professionals are aware of the general GDPR principles, and of the potentially vast fines that can be applied in the event of a breach.

Although these awareness campaigns have been useful, they also typically overlook one key factor - there are currently no official standards for GDPR compliance. Standards may eventually be published, but much more likely will be a common framework created from industry best practice. Whether official or not, it will still be some time until these standards emerge.

In the meantime, any business achieving PCI DSS compliance can use that standard to guide their GDPR preparations. Here are some things to consider:

Encryption of data

PCI DSS is specific about protecting cardholder data. The primary account number must be rendered unreadable wherever it is stored (strong encryption is one of the accepted methods, alongside truncation, hashing and tokenisation), cardholder data must be encrypted whenever it is transmitted over open, public networks, and the encryption keys must be protected at least as carefully as the data itself: stored apart from the data they protect, in as few locations as possible, with access limited to the fewest custodians necessary.

Applying the same principles to other personal data makes perfect sense. Encryption renders personally identifiable data (PID) useless to an attacker who obtains the ciphertext but not the keys, which is why key management matters as much as the choice of cipher. GDPR itself names encryption and pseudonymisation as examples of appropriate technical measures (Article 32), so doing this well fulfils at least some of your duty to protect your customers.

Data access rules

Payment data protection rules are not just about keeping third parties out of your network. PCI DSS also expects you to limit internal access: cardholder data should be restricted so that only those employees with a genuine business need can access it, and nobody else by default.

Ultimately, the same principle should apply to all personal data you store. As well as identifying PID and where it is saved on the network, your GDPR audit should consider who needs access to that data - and how to restrict access accordingly.

Data deletion rules

PCI DSS demands that sensitive authentication data (the PIN or PIN block, full track data and the card verification code) is never stored after a transaction has been authorised, even in encrypted form. Again, the same principle applies under GDPR: once personal data has served the purpose it was collected for, or no longer serves any purpose, it should be deleted.

Where PCI DSS sensitive authentication data typically exists for only seconds, other personal data protected by GDPR may legitimately be held for days, weeks or months. Your PID audit is therefore the basis for managing expiring data: a record of where each category of personal data lives, why it is held and when that purpose lapses, kept up to date at all times so that deletion can actually be triggered rather than merely promised.
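The three principles above (encrypt the sensitive field at rest with a key held apart from the data, let only roles with a business need decrypt it, and delete it when its stated purpose lapses) in working Go, as an added example that is not part of the original post or of any vendor product. The record store, the role names, the 24-hour lifespan and the test PAN 4111111111111111 are constructed for illustration; keeping the key in memory next to the store is a simplification, a real deployment would fetch it from a KMS or HSM and never write it beside the records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Record holds the sensitive field only as nonce || AES-GCM ciphertext, plus the audit data.
type Record struct {
	Purpose    string    // why the data is held
	Ciphertext []byte    // the key needed to read this is never stored here
	ExpiresAt  time.Time // when the stated purpose lapses
}

// Store stands in for a data store plus a separate key service. Holding the AEAD
// in a struct field is a simplification for this example (assumption, see lead-in).
type Store struct {
	aead    cipher.AEAD
	records map[string]*Record
	allowed map[string]bool // roles with a genuine business need to read the field
}

var ErrForbidden = errors.New("role has no business need for this field")
var ErrNotFound = errors.New("record not found or expired")

// NewStore takes a 16-, 24- or 32-byte AES key and the roles permitted to decrypt.
func NewStore(key []byte, allowed map[string]bool) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, records: map[string]*Record{}, allowed: allowed}, nil
}

// Put encrypts the field and records purpose and lifespan. The record ID is bound in as
// associated data, so a ciphertext copied from one record into another will not decrypt.
func (s *Store) Put(id, purpose, field string, ttl time.Duration, now time.Time) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := s.aead.Seal(nonce, nonce, []byte(field), []byte(id))
	s.records[id] = &Record{Purpose: purpose, Ciphertext: ct, ExpiresAt: now.Add(ttl)}
	return nil
}

// Get checks need-to-know before any decryption, and treats expired data as already gone.
func (s *Store) Get(role, id string, now time.Time) (string, error) {
	if !s.allowed[role] {
		return "", ErrForbidden
	}
	rec, ok := s.records[id]
	if !ok || !now.Before(rec.ExpiresAt) {
		return "", ErrNotFound
	}
	ns := s.aead.NonceSize()
	pt, err := s.aead.Open(nil, rec.Ciphertext[:ns], rec.Ciphertext[ns:], []byte(id))
	if err != nil {
		return "", err // tampered ciphertext, swapped record or wrong key
	}
	return string(pt), nil
}

// Purge deletes every record whose purpose has lapsed and returns the IDs removed for the audit log.
func (s *Store) Purge(now time.Time) []string {
	var removed []string
	for id, rec := range s.records {
		if !now.Before(rec.ExpiresAt) {
			delete(s.records, id)
			removed = append(removed, id)
		}
	}
	return removed
}

func main() {
	key := make([]byte, 32) // demo key generated here; in practice fetched from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, _ := NewStore(key, map[string]bool{"payments-ops": true})
	now := time.Now()
	_ = s.Put("cust-1", "fulfil order", "4111111111111111", 24*time.Hour, now) // test PAN
	_, err := s.Get("marketing", "cust-1", now)
	pan, _ := s.Get("payments-ops", "cust-1", now)
	fmt.Println("marketing:", err, "| payments-ops:", pan)
	fmt.Println("purged now:", s.Purge(now), "| purged after 25h:", s.Purge(now.Add(25*time.Hour)))
}
```

The point of returning the purged IDs is that deletion should feed back into the same inventory that told you where the data was: a purge job that runs silently is as hard to evidence as one that never ran.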

Get help

The good news is that best practice guidelines are emerging quickly, and businesses that have already achieved PCI DSS compliance have a head start. Whether your business is PCI DSS compliant or not, you can still benefit from applying the same basic principles.

To learn more about preparing for GDPR (or PCI DSS) using what will become industry best practice, please get in touch or start by downloading our GDPR Mapping Questionnaire.
