New GDPR Regulations are coming into force by May 2018. These will impact and bring new changes to PCI compliance, which means higher penalties if a breach is found in your business.
All businesses should be aware of the updates listed below:
1) If your business isn’t based in the EU, you still need to comply with the regulation if you handle and store data belonging to EU residents.
2) The definition of personal data has now become a lot broader, so companies should limit the amount of personal data they keep and the length of time they keep it for.
3) You need to obtain clear consent before processing someone’s personal data.
4) A data protection officer will be a mandatory requirement for certain types of companies.
5) You must complete a data protection impact assessment before processing high-risk payments, together with a privacy impact assessment, so that you can analyse and minimise the potential for serious privacy breaches.
6) You will have a time frame of 72 hours to report a data breach to the data protection authority.
7) Data subjects have the right to be forgotten and removed from your systems.
8) There are new restrictions in place on international data transfers, so businesses should be aware of the risks of transferring data to countries outside the EU.
9) Your payment processing company will have direct legal responsibilities and can be liable for data breaches that occur. This means that contract agreements with them will need to be updated to state the responsibilities and liabilities of each company. You need to document their data responsibilities and the increased risk levels.