4 minutes read

Changes in Data Compliance Laws: What You Need to Know

Changes in Data Compliance Laws: What You Need to Know

In 2018, one thing is for certain: changes are happening—fast. Technology changes, as usual, are the focus this year as we watch new innovations unfold, new products emerge, and businesses take hold of new opportunities. However, tech isn’t the only thing changing rapidly. This year, two brand new compliance regulations will take effect—and likely impact your business.

Businesses must be aware of new laws and policy changes, no matter where they operate or what kind of business it is. A recent article published by Business News Daily says it best, “Staying apprised of policy changes could be the difference between gaining a competitive edge or falling behind due to compliance issues or strategic missteps.”

GDPR and the PCI DSS 3.2 regulations will take center stage. Let’s discuss them in more detail so you know how to remain compliant.

What is GDPR?

After years of talking about it, the GDPR or General Data Protection Regulation goes into effect on May 25th. Although it is a European Union compliance regulation, all companies that do business with a EU state will need to be compliant.

According to CIO, only 25% of U.S. companies report they are aware of GDPR’s effects on their business and only half of European companies report the same. Unfortunately, companies that do not comply will face consequences such as fines up to 2% of global annual revenue from the prior year and up to 4% for data breaches. This new regulation could make it or break it for businesses

GDPR can be broken down into five key parts:

  • Individual Data Rights. The GDPR aims to strengthen the rights of individuals as data subjects. The “Right to be Forgotten” and the “Right to be Informed” are two enhanced rights within the GDPR that protect the individual.
  • New Policy. The “Right to be Informed” as mentioned above is also a focus, making sure businesses are informing their customers regarding who is collecting their personal data and what it is being used for. Privacy policies will need to be updated with this information as accountability is underlined within the GDPR.

The “Right to Erasure” or to be forgotten means that individuals have the right to have their data erased depending on certain terms. It will be a requirement for businesses to delete the information within a month’s time.

  • Businesses will be required to create a Data Protection Officer to help them comply with the GDPR. All tasks for this position are set forth in the GDPR guidelines.
  • Even those that process data will have new responsibilities. They will have to implement technical measures to secure personal data during processing.
  • Companies will be required to take part in the data protection impact assessment where processing data could result in high risk to individuals.

The GDPR, although groundbreaking for the safety of consumers, will take some time to implement correctly. However, with the deadline fast approaching, companies should be on their way towards compliance.

What is the PCI DSS 3.2?

These regulations were changed in 2016 but were only enforceable as of February of this year. The Payment Card Industry Data Security Standard is a standard for merchants or service provides that store and process credit card info.

Perhaps the most important change will occur in this coming July when these providers will have to discontinue support for the Secure Sockets Layer and Transport Layer Security protocols. Why? These protocols are no longer consider secure and can be subject to data breaches.

In February, several other requirements became effective such as multi-factor authentication, detection, and reporting of critical security controls failure and a six-month penetration test for segmentation controls.

Businesses and organizations that accept credit cards will need to be PCI compliant as well as merchants and data processors. Businesses will need to have processes in place to protect their cardholder’s data, restrict access to the data and secure their network. Without compliance, businesses face more fines and consequences depending on the level of compliance failure.

Both the GDPR and the PCI DSS 3.2 are critical this year for businesses all over the United States. To stay compliant, make sure you reach out to a professional or do your research regarding the requirements. As we go further into the year, only time will tell the true effects of both new data laws. If you have questions about your compliance or data security, reach out to New Era today.