Sessions discussing the upcoming European Union General Data Protection Regulation (GDPR) at the recently held Payment Card Industry (PCI) Security Standards Council EMEA Community Meeting in Barcelona, Spain were packed.
While the GDPR and the PCI Data Security Standard (PCI DSS) are two very different and separate compliance standards, there are key intersections that warrant deep examination.
The PCI DSS is a mature compliance standard addressing the protection and security of cardholder data. If you are subject to the PCI DSS, the information in your cardholder data environment is subject to regulation by GDPR. If you are compliant with the PCI DSS, you are meeting the baseline security control standards of the GDPR. Your challenge will be to ensure that you are implementing equivalent controls for other areas of your organization and network that interact with data, beyond just cardholder information.
Key Challenges in Extending PCI DSS-like Security Controls
If you are PCI DSS compliant, you should have a head start on implementing the kinds of data security best practices and controls that the GDPR requires. A key challenge, however, is that in most organizations it will be different teams who are responsible for these tasks. And, GDPR requirements actually extend to the organization as a whole.
GDPR Processes and Procedures
GDPR goes well beyond security controls in defining how personal data must be collected, processed and stored. There are six principles for GDPR, and security controls are focused in only one of these:
1) Personal data must be processed lawfully, fairly and transparently.
2) Personal data is collected for specific, explicit and legitimate purposes.
3) Personal data collected is relevant and limited to what is necessary for processing.
4) Personal data must be accurate and kept up to date.
5) Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.
6) Personal data must be processed in a manner that ensures its security.
To make sure you are developing a strategic approach to your GDPR compliance, partner with an organization that can help you holistically address the scope of the GDPR through tailored services.
Alex Norell is director of compliance and risk services for EMEA and APAC at Trustwave.