Changes are happening—fast. Technology changes, as usual, are the focus this year as we watch new innovations unfold, new products emerge, and businesses take hold of new opportunities. However, tech isn’t the only thing changing rapidly. Two compliance regulations could impact your business.
Businesses must be aware of new laws and policy changes, no matter where they operate or what kind of business they run. You must stay apprised of policy changes, because doing so could be the difference between gaining a competitive edge and falling behind due to compliance issues or strategic missteps.
GDPR and the PCI DSS 3.2 regulations will take center stage. Let’s discuss them in more detail so you know how to remain compliant.
What is GDPR?
After years of talking about it, the GDPR, or General Data Protection Regulation, went into effect on May 25, 2018. Although it is a European Union compliance regulation, all companies that do business with an EU member state will need to be compliant.
Unfortunately, companies that do not comply will face consequences such as fines up to 2% of global annual revenue from the prior year and up to 4% for data breaches. This regulation could make or break businesses.
GDPR can be broken down into six key parts:
- Individual Data Rights. The GDPR aims to strengthen the rights of individuals as data subjects. The “Right to be Forgotten” and the “Right to be Informed” are two enhanced rights within the GDPR that protect the individual.
- New Policy. The “Right to be Informed” mentioned above is also a focus, making sure businesses inform their customers about who is collecting their personal data and what it is being used for. Privacy policies will need to be updated with this information, as accountability is underlined within the GDPR.
- The “Right to Erasure,” or right to be forgotten, means that individuals have the right to have their data erased under certain conditions. Businesses will be required to delete the information within a month.
- Businesses will be required to appoint a Data Protection Officer to help them comply with the GDPR. All tasks for this position are set forth in the GDPR guidelines.
- Even those that only process data will have new responsibilities. They will have to implement technical measures to secure personal data during processing.
- Companies will be required to carry out a data protection impact assessment where processing data could result in a high risk to individuals.
The GDPR, although groundbreaking for consumer protection, takes considerable time to implement correctly.
What is the PCI DSS 3.2?
The standard was revised in 2016, and the changes are enforceable as of February 2018. The Payment Card Industry Data Security Standard is a standard for merchants and service providers that store and process credit card information.
Perhaps the most important change takes effect in July, when these providers will have to discontinue support for the Secure Sockets Layer and Transport Layer Security protocols. Why? These protocols are no longer considered secure and can leave data exposed to breaches.
In February, several other requirements became effective, such as multi-factor authentication, detection and reporting of critical security control failures, and a penetration test of segmentation controls every six months.
Businesses and organizations that accept credit cards will need to be PCI compliant, as will merchants and data processors. Businesses will need to have processes in place to protect their cardholders’ data, restrict access to that data, and secure their network. Without compliance, businesses face further fines and consequences depending on the severity of the compliance failure.
Both the GDPR and the PCI DSS 3.2 are critical for businesses all over the United States. To stay compliant, make sure you reach out to a professional or do your research regarding the requirements. Only time will tell the true effects of both new data laws. If you have questions about your compliance or data security, reach out to New Era today.