EU regulation: How to comply with GDPR and protect customer data

Future banking
By Gareth Jones - Global Director of Information Security

Companies need to examine their processes so that they don’t get caught out by the upcoming regulations, no matter where they are based.

When the updated EU General Data Protection Regulation (GDPR) comes into force in May 2018, it will have an impact on all business sectors. Among the changes, the regulation gives consumers more control over their data and imposes fines of up to 4 per cent of company turnover on those who suffer a breach.

If your organisation has already taken security and data privacy seriously – by complying with standards such as PCI DSS, building your information security management system in accordance with recognised standards such as ISO 27001, and being regularly audited by independent auditors in line with an assurance standard such as ISAE 3402 – you can be confident of complying with GDPR.

Indeed, there are multiple similarities between these standards and GDPR. GDPR sets out the need to safeguard personal information and calls for strong protocols and policies, including securing the network through firewalls and maintaining and updating anti-virus software. These are best-practice security controls required by many of the industry-recognised security standards.

GDPR compliance requires firms to identify and examine the information they hold and process. This best-practice procedure should be straightforward for companies that take their security seriously.

As part of general and GDPR compliance, experts advise businesses to carry out a ‘spring clean’ of their data, clearing out information that is no longer needed. To ensure that payment data is protected, they should also examine who has access to information – and why – making sure systems use multi-factor authentication.

Harnessing expertise
Compliance can seem daunting, especially for smaller firms lacking internal expertise. If this is the case, it is a good idea to consult a company specialising in the area.

There is also a lot to think about for larger companies looking to protect their payment data while complying with GDPR. For example, firms that outsource their data management should be aware that they are liable for any third-party data breaches. It is therefore important to examine suppliers, and ensure they also comply with the regulation.

Adding to complexity is the need to ensure staff comply with GDPR and PCI DSS across multiple departments, while remaining efficient in their everyday jobs. This is especially true for the parts of the business dealing with large amounts of payment data.

Most experts say the answer lies in training: if everyone knows what is expected of them, they can work productively and effectively. It makes sense to align your data protection strategy across the business, so that information can be used while it is safeguarded.

Another important consideration is the need for UK companies to comply with the EU GDPR after exiting the EU. While some assume the regulation will not apply to them following Brexit, any company dealing with the payment data of EU citizens must comply.

And any initial pain will be worth it: once your security strategy is in place, there are multiple benefits to safeguarding data under GDPR and PCI DSS. As well as improving your company’s approach, compliance encourages customers’ trust, helping you to stand out in an increasingly competitive market.