Promoted as the most important change in data privacy regulation in decades, the EU General Data Protection Regulation (GDPR) will be enforced on May 25, 2018. Organizations that are not GDPR compliant after this enforcement date could face significant fines.
Replacing an obsolete data protection directive from 1995, GDPR is designed to allow individuals to better control how their personal information is collected and processed. Organizations collecting or receiving data on citizens in any of the 28 member states of the European Union (EU) or UK are required to have systems and processes in place to comply with GDPR.
U.S. organizations doing business in the EU or UK should review their security practices with GDPR in mind. Specifically, any U.S.-based business in hospitality, travel, software services or e-commerce, any organization that services these industries, and any organization with employees in one of the member states or the UK should review its systems and processes within the context of GDPR.
Challenges arise as organizations seeking compliance must wrestle with how to define portions of the GDPR. For example, what constitutes personally identifiable information is open to interpretation. An organization may have to offer the same level of protection for an individual’s IP address as that offered for the individual’s name, address, and Social Security number. What’s more, organizations must also define “reasonable” when the GDPR calls for a “reasonable” level of protection for personal data.
Organizations already compliant with the worldwide PCI DSS data security standard should not find GDPR compliance difficult. Both the PCI DSS and GDPR were designed to improve data protection, so there will be overlaps on the road to compliance. For example, the annual reviews of card data conducted for PCI could be used as a framework for implementing GDPR. Similarly, the technologies required by PCI to protect cardholder data (encryption, auditing, etc.) could also fulfill some requirements of GDPR.