Here are some answered questions about GDPR compliance.

By: Ian Eyles
Director of European Business
The General Data Protection Regulation (GDPR) will come into effect next year, replacing the Data Protection Directive. This new regulation is meant to unify privacy laws across Europe and will impose new requirements on organisations handling personal data.

Organisations that collect and use personal information from citizens in the EU will need to comply with the GDPR, regardless of where they are located.
Here are a few answered questions about the GDPR.

When does the GDPR come into effect?

The GDPR was approved and adopted in April 2016. Organisations in the EU will have to comply with the GDPR by May 2018.

What are the penalties for non-compliance?

Organisations can be fined up to 4% of annual global turnover or €20 million. There is a tiered approach to fines. For example, a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment.

Who does the GDPR affect?

The GDPR applies to organisations located within the EU and also to organisations located outside of the EU if they handle the personal data of those within the EU. Basically, if you process personal data of anyone who resides in the EU, you must comply with the GDPR.

What changes is the GDPR bringing?

There are several changes the GDPR has introduced to help organisations and individuals better protect private data. Here are 12 key changes you should know about:
  • Breach notification: data controllers must report personal data breaches no later than 72 hours after they become aware of the breach.
  • Consent: consent must be obtained from individuals for processing personal data.
  • Data Protection Officers (DPO): appointing DPOs will be mandatory for companies that process high volumes of personal data.
  • Data subject access requests (DSAR): the time limit to comply with a DSAR has been reduced from 40 days to one month.
  • Privacy by design: products, systems, and processes must consider privacy-by-design concepts during development.
  • Privacy Impact Assessments (PIA): PIAs must be carried out in certain situations.
  • Privacy notices: privacy notices must be more transparent, using clear and plain language, and easily accessible.
  • Profiling: an individual has the right not to be subject to profiling, and profiling for marketing purposes will always require explicit consent.
  • Record keeping: each data controller must keep a record of processing activities.
  • Right to portability: users may request a copy of their personal data in a portable format.
  • Right to erasure: data subjects have the right to request that their data be deleted.
  • Right to object: individuals should be advised that they have the right to opt out of direct marketing.

How does the GDPR relate to PCI DSS?

The biggest difference between the two regulations is that PCI DSS focuses on protecting card data, while the GDPR focuses on protecting personal data.

While PCI DSS may not directly relate to the GDPR, it can help with the GDPR obligation to implement technical measures to protect against data breaches.

Keep in mind that the purpose of the GDPR is to help organisations protect individuals' sensitive data. It's more about ensuring that organisations improve their own data security.

Ian Eyles is the Director of European Business for SecurityMetrics, managing key acquirer relationships predominantly in the level 4 arena. He has worked in the PCI sector for thirteen years.