From that date, any organisation which processes or stores personal data, including payment card data, will need to adhere to the new General Data Protection Regulation (GDPR) legislation. The new law defines personal data as “any information relating to an identified or identifiable natural person”, with credit card data now reclassified within this definition. Fines of more than £120bn are possible under GDPR if data breaches remain at the same level as identified in a 2015 report from PWC.
GDPR applies to all businesses which handle personal data. These businesses are split into two categories: ‘controllers’ and ‘processors’. The ‘controller’ says how and why personal data is processed and the ‘processor’ acts on the controller’s behalf. Any firm that is currently subject to the Data Protection Act (DPA), it is likely to also be subject to the GDPR.
With maximum fines for data controllers of up to four per cent of a company’s global annual turnover or £18m, whichever is greater, businesses of all sizes are at serious risk with SMEs potentially hit hardest proportionally.
Although the severity of the fines may vary, regulators are likely to apply the maximum fine for serious non-compliance. New mandatory reporting of data security breaches under GDPR will also increase the number of incidents reported.
GCI’s PCI Director, Brad Semp, said: “The incoming GDPR legislation is a ticking time bomb and despite slipping under the radar of many firms that process card payments, ignorance will not be viewed as an excuse under the new law. Although the new rules don’t come into force until 2018, the implementation process to put a solution in place can take 12 months or longer, so it’s vital that firms take action to address this now.
“Despite the average cost of a data breach currently standing at £2.8m, far too many companies still look at protecting the payment card data they process as a compliance issue rather than a risk management one, and once compliance is achieved, many simply focus their attention on other things. But the rules and regulations, including both GDPR and PCI DSS, are constantly evolving, with new controls being introduced on a regular basis, so it’s something that all firms need to pay close attention to, to ensure they comply fully at all times.”
A breach can cost a business millions of pounds in fines, but for some the negative impact it can have on a company’s reputation can be far more damaging. As an example, recent research has shown that 24% of consumers will switch banks if their personal financial data has been breached and more than a third of consumers will shop elsewhere if their retailer has been breached – this means repercussions that can long outlast initial fines.
Brad Semp continued: “Although the issue is a real threat, a viable solution is very much at hand. Our advice to businesses which process card payments is simple – get ahead of the game, make yourself aware of the forthcoming changes and speak to an expert who can help you to ensure you remain compliant.”
“GCI can provide businesses taking telephone card payments with an enhanced fast-track service which reduces PCI compliance controls by 98%, from 354 to only five, helping firms to achieve compliance quickly, cost effectively, robustly and without huge disruption. Our application suite not only adheres to PCI DSS but GDPR also. It’s important to remember that data that doesn’t exist cannot be breached; and our process removes credit card data from the business entirely.”