GDPR (The General Data Protection Regulation)…


The GDPR is intended to strengthen and unify the protection of personal data, on the basis of respecting people's fundamental rights and freedoms. It applies to the processing of personal data of individuals in the European Union, whether the organisation processing it is established inside the EU or is offering goods or services to, or monitoring the behaviour of, people in the EU. The regulation was adopted in 2016 and becomes enforceable in May 2018; as an EU regulation rather than a directive, it applies directly in every member state without needing national implementing legislation.

Failure to comply with the GDPR's requirements for protecting customers' personal data can have serious consequences for organisations, including fines of up to €20 million or 4% of annual worldwide turnover (whichever is greater) for the most serious infringements. Separately, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it; failing to do so is itself a breach of the regulation.

Both PCI DSS and GDPR intend to improve the protection of customer data. PCI DSS focuses on payment card data, while the GDPR covers personal data in general, a broader category than the card data PCI DSS is concerned with. Although there is notable overlap, there are significant differences in the scope of the two and in how their requirements are phrased.

The good news for organisations that are already PCI DSS compliant is that the GDPR is less prescriptive than PCI DSS. The GDPR lays out what organisations need to achieve but does not spell out precisely how. In contrast, PCI DSS specifies both what needs to be achieved and how it should be achieved, laying out a clear methodology for securing card data and updating it regularly. An organisation that already operates PCI DSS controls therefore has a concrete set of technical and procedural measures to point to when demonstrating the "appropriate technical and organisational measures" the GDPR requires, although those controls will need to be extended to cover personal data that sits outside the cardholder data environment.