If you think PCI was challenging, wait till you get hit with GDPR!
General Data Protection Regulation (GDPR) was designed to harmonize date privacy laws across Europe and to protect and empower EU citizens data and privacy and to set the way organizations, (especially in the US) receive, store (or not store) use and distribute date and control privacy.
If you’re are storing or plan to store any data that could be tied back to an individual, it can now be considered “personal data” and will now be considered “private”. Once you believe you have a legitimate reason to process personal data you must decide whether or not your intended usage of that data is fair and lawful.
Understanding your obligations as the DPA and PECR outline with regards to direct marketing will help you establish this.
- Email Address
- Credit Card Number
- Mobile Phone Number
- Bank Account Details
- Driver’s License Number
- Passport Number
- IP Address
- Online Name (usernames)
- Generic or Biometric Info.
- Shopping History
- Shopping Preferences
- Life Preferences
Are all types of personal data that you should not be storing, without proper protection.
Why the Change to GDPR?
Much of the catalyst for the tightening of the EU’s laws is the concern over data breaches. In the US alone, there were over 3 Billion accounts in 2016 alone. To ensure compliance, penalties and fines can be as high as 20 million euros (US $23,521,000) or 4% of global turnover, whichever is greater.
The Cost of a Breach is Going Up
With the average cost of a data breach at over $7 Million1, you would think that more C-Level owners and operators would take data security more seriously. Sadly, many of them, must be dragged along or forced to take this subject seriously. Xennsoft itself, has had to threaten termination to more than one of its clients, just to get them to comply with new and existing rules.
- Ponemon Institute: 2016 Cost of Data Breach Study: United States; 2. Ponemon’s 2015 Global Cost of Cybercrime Study GDPR at Xennsoft
Article by: P A Stewart