Robert Crutchington and Matthew Tyler outline how applying the same principles as PCI DSS can help to meet the challenges of new data protection legislation

With the General Data Protection Regulation (GDPR) coming into force on 25th May 2018, many organisations are starting to consider what it will mean for them.

Overriding national data protection laws and including new and more detailed protection legislation for personal data, GDPR will necessitate a review of data policies and practices that companies already have in place to ensure that they comply with how data is kept throughout the organisation.

GDPR is more than just payment card data
Many are seeing the introduction of the new legislation as a positive step. It encompasses how data is managed, processed and deleted by concentrating on ensuring that it is lawfully and fairly protected by documented and verifiable security measures.

It includes all of a company’s data dealing with EU citizens, such as that held in marketing, sales and finance, not just CRM systems in contact centres. It also contains a raft of new rights for individuals ie. data subject rights, these include the right to data portability, the right to be forgotten and a strengthening of access to their data or data access requests.

In essence this regulation aims to achieve two things:
•A single set of rules applying to all EU member states, creating a single digital marketplace
•Moving the rights of data to the data subject or individual.

Organisations that fail to comply with the legislation face punitive fines of up to 4% of their annual global turnover or €20m, whichever is greater, not to mention reputational damage. So what does this mean for contact centres?

The good news - PCI DSS principles apply
Contact centres have always been focused on security of card payments, ensuring that customer card data is stored, transmitted or processed securely. Now the process needs to apply to all personal customer data – or Personally Identifiable Information (PII).

The good news is that if your contact centre is already Data Protection Act (DPA) compliant then you will be a long way to being GDPA compliant. In addition, the Payment Card Industry Data Security Standard (PCI DSS) is intended to protect cardholder data, which means that by complying with PCI DSS, you can be sure you meet legislation, security requirements and the burden of proof of compliance (which falls on the call centre), by demonstrating adherence to a recognised security standard.

Plus, if you are already working with a PC1 DSS Level 1 supplier, which is also DPA compliant, this further ensures you meet the regulations for your payment data.

De-scoping makes it easier to manage
To be PCI DSS compliant, organisations have to demonstrate that they have reached a level of security awareness and competence to a point where the risk of losing debit and credit card data is regarded as less than that of a non PCI DSS compliant organisation.

Therefore, PCI DSS principles are a good place to start when thinking about personal data. Companies can apply a process of ‘de-scoping’ to reduce the number of requirements (tick-boxes) for PCI compliance. This same method can be applied to personal information, where business processes can be ‘de-scoped’ from sensitive personal data, by the use of data anonymization, similar to the tokenisation solutions widely used to take repeat card payments without having access to sensitive card details.

Businesses attempt to reduce their PCI DSS scope by limiting the number of places where card data is present in a variety of ways including; removing redundant and obsolete storage facilities and applications, using technology solutions like tokenisation (unique identifiers that retain all the essential information about the data securely) and outsourcing elements of card handling, storage and processing to PCI DSS compliant third parties. As well as taking a risk based approach to justify proportionate controls and eliminate disproportionate costs.