The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, effecting the biggest change in data protection law in over 20 years. The new EU GDPR is far wider in reach than the current Data Protection Act (DPA). It greatly extends individuals' rights over their personal data held in others' files, and imposes many rules covering all aspects of data management, systems, storage and processing methods.
Some areas of GDPR compliance require increased security of data, and set rules for how it is collated, how long it is kept and whether it remains relevant. The regulation places increased responsibility on the holder of the information: to be able to report data breaches, and to operate systems capable of data protection by design.
Did you know:
what is involved and how it affects your business?
what to do, and the steep fines* for non-compliance with GDPR?
the law will affect all companies undertaking B2C and B2B trading into the EU
the need to comply will not be affected by Brexit
*The maximum fine for a minor breach of GDPR compliance is €10m or 2% of global turnover, and for a major breach €20m or 4% of global turnover, whichever is greater.
Personally Identifiable Information (PII)
PII is information that can be used on its own, or together with other information, to identify, contact or locate a single person, or to identify an individual in context. Where a company holds PII from which an individual can be easily identified, using some or all of the data held, the company must make that data available to the individual.
If individuals started to communicate with the company to exercise these new rights under the GDPR, could even the most organized and well-resourced company cope with an estimated 10% increase in workload from requests for copies of data, for alterations, or for data to be removed?
PII requests under GDPR compliance:
Right to information
Right to access
Right to rectification
Right to be forgotten
Right to restriction of processing
Right to notification
Right to portability
Right to object
Right to appropriate decision making
The Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS applies to companies of any size that accept credit card payments, and maintaining payment security is required for all entities that store, process or transmit cardholder data.
Accepting payments is key to a business, and every card transaction involves sensitive cardholder information that must be stored and transmitted securely. Your business must comply with the PCI DSS to ensure that both you and your customers are protected from the threat of card fraud.
Sensitive cardholder data includes anything held in the magnetic stripe or chip, and the numerical detail printed on the card. For example, the Primary Account Number (PAN) can enable a fraudster to impersonate the cardholder.
Key to PCI DSS compliance is securing access to cardholders' information at its weak points, such as compromised card readers, files in cabinets, weak databases or tapped wireless networks.
If cardholder data is compromised and your processes, procedures and systems are not PCI DSS compliant, you will face penalties ranging from losing the facility to accept card payments, to fines, loss of confidence from your customer base, and the subsequent costs of achieving compliance. These may lead to serious financial loss, threatening business stability.
PCI DSS, PII and GDPR compliance all involve having strong policies and procedures, which need due consideration, planning and a defined strategy to keep pace with evolving legislation.
Wherever data resides, it is the company's responsibility to ensure that holding it does not contravene GDPR; any data that does must be identified and eliminated.
CCL's specialist forensic tools and techniques find and filter structured and unstructured data, whatever its size and wherever it sits, to aid compliance with GDPR obligations.
CCL has developed a range of services to help your company create or review its cyber information management and information governance. Our specialist and experienced team are on hand to help.