GDPR Compliance

Rob Crutchington from Encoded explains how applying the same principles as PCI DSS can help to meet the challenges of the new data protection legislation.

With the General Data Protection Regulation (GDPR) coming into force on 25th May 2018, many organisations are starting to consider what it will mean for them. Overriding national data protection laws and including new and more detailed protection legislation for personal data, GDPR will necessitate a review of data policies and practices that companies already have in place to ensure that they comply with how data is kept throughout the organisation.

Many are seeing the introduction of the new legislation as a positive step. It encompasses how data is managed, processed and deleted by concentrating on ensuring that it is lawfully and fairly protected by documented and verifiable security measures. It includes all of a company’s data dealing with EU citizens, such as that held in marketing, sales and finance, not just CRM systems in contact centres.

Organisations that fail to comply with the legislation face punitive fines of up to 4% of their annual global turnover or €20m, whichever is greater, not to mention reputational damage. So what does this mean for contact centres?

Contact centres have always been focused on security of card payments, ensuring that customer card data is stored, transmitted or processed securely. Now the process needs to apply to all personal customer data – or Personally Identifiable Information (PII).

The good news is that if your contact centre is already Data Protection Act (DPA) compliant then typically you will be GDPA compliant. In addition, the Payment Card Industry Data Security Standard (PCI DSS) is intended to protect cardholder data, which means that by complying with PCI DSS, you can be sure you meet legislation and security requirements.

Plus, if you are already working with a PC1 DSS Level 1 supplier, which is also DPA compliant, this further ensures you meet the regulations for your payment data.

To be PCI DSS compliant, organisations have to demonstrate that they have reached a level of security awareness and competence to a point where the risk of losing debit and credit card data is regarded as less than that of a non PCI DSS compliant organisation.

Therefore, PCI DSS principles are a good place to start when thinking about personal data. Companies can apply a process of ‘de-scoping’ to reduce the number of requirements (tick-boxes) for PCI compliance. This same method can be applied to personal information, where business processes can be ‘de-scoped’ from sensitive personal data.

Businesses attempt to reduce their PCI DSS scope by limiting the number of places where card data is present in a variety of ways including; removing redundant and obsolete storage facilities and applications, using technology solutions like tokenisation (unique identifiers that retain all the essential information about the data securely) and outsourcing elements of card handling, storage and processing to PCI DSS compliant third parties.

If you do choose to work with partners it is a requirement of PCI DSS, to draw up a responsibility matrix, outlining compliance and competencies. This can help to set out what needs to be done and who is responsible to ensure data is secure. It’s also important to draw up a data breach plan, to identify what needs to happen in the event of a data breach – what actions need to be taken, regulatory disclosure, communications to stakeholders and customers, as well as forensic investigation.

Compliance with any legislation, whether PCI DSS or data protection, is not simply about implementing a piece of technology, it involves people and business processes as well as systems.

One of the biggest risks in any organisation relating to data is staff – not necessarily from fraudsters, but laxity of people in taking proper care of data. The relatively low cost of training and education of the risks involved can go a long way in making staff vigilant to perils such as phishing emails and fraudulent representation. Phishing emails can mean that innocently staff allow hackers to enter the system, and is a bigger risk than a rogue staff member writing the odd card number down.

Taking areas of an organisation’s business out of the scope of PCI DSS compliance minimises the cost and complexity associated with many of the standards. Working with a Trusted Provider (one that is PCI-DSS Level 1) for your payment data ensures that you are compliant in the contact centre for payments data and is a good place to start on data protection. The Information Commissioner’s Office (ICO) has also published guidance¹ for companies preparing for GDPR to help plan an approach and identify what needs to be done.

Like PCI DSS compliance, the responsibility for GDPR cannot be entirely removed
from the contact centre, however, the effort required can be dramatically reduced by following a similar approach to that of de-scoping.

Remember that the buck stops with the merchant to ensure PCI DSS compliance and the same will be true for GDPR. Responsibility cannot simply be handed over to a third party – an organisation must also identify itself how data is to be managed. However, taking a lead from PCI DSS and working with the right people can go a long way to sleep filled nights and compliant days.

1. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf