2015 ended with a burst of legislative change that has created an air of unwelcome uncertainty for businesses. Yet it need not be a cause for concern. The agreement on new EU cyber security rules on 8 December 2015 should hold few surprises for those who have already embraced PCI DSS. And on 15 December we were introduced to a clearer, broader and more relevant data protection regime, the EU General Data Protection Regulation (GDPR), which will replace the current Data Protection Act. While its arrival has raised a number of complex questions, and some anxiety about how to address them, the dynamic nature of our industry and the unrelenting pace at which we implement change mean we are well equipped to prepare for what lies ahead.
In fact, these moves by EU regulators are a welcome vindication of the work that we do. For businesses, taking a holistic approach to the multiple compliance requirements will mean a much reduced workload for staff, a less onerous financial commitment and a better planned response to any unwelcome (but probably inevitable) incident.
What is more, time is on our side. The new data protection rules are set to apply from 2018, giving us ample opportunity to regroup and continue to lead the way in cyber security practice.
The common issues surrounding PCI DSS, the General Data Protection Regulation (GDPR) and the EU cyber security rules are probably old news to you. However, the new components of the data protection law have highlighted the importance of having strategies in place to address them. We must implement the best, and plan for the worst.
Whether embarking on a new PCI DSS compliance programme, or reviewing the controls in an already compliant environment, the same principle applies: identify the scope and document it. Our initial advice is always the same:
- Know what data you store;
- Identify all areas where that data is stored (backups, local storage and even historic paper files);
- Identify how this data is protected;
- Document this in a formal risk assessment – leaving no stone unturned;
- Most importantly, identify whether that data needs to be retained at all. Data you do not hold cannot be breached and does not need to be protected, so if there is no business need for it, do not keep it.
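The first three steps above are, in practice, a data discovery exercise: you cannot document where cardholder data lives until you have looked for it. The script below is an added example, written for this page and not taken from the original article or any vendor tool. It walks a directory tree, flags files that contain Luhn-valid 13-19 digit sequences (candidate primary account numbers), masks each hit to the first six and last four digits, and records the file's age against a retention limit so the output can seed the risk assessment and the retention review. The sample files, their paths and the 365-day retention limit are constructed assumptions for the demonstration, not PCI DSS requirements, and the regular expression is a heuristic that will need tuning for a real estate.

```python
"""Cardholder-data discovery for PCI DSS scoping (added example, not the
article's own code). Finds Luhn-valid candidate PANs in files, masks them,
and records age against an ASSUMED 365-day retention limit. The sample
files and their paths are constructed for the demonstration."""
import os
import re
import tempfile
import time

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# part of a longer digit run (which is more likely an ID or hash than a PAN).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed samples: {relative path: (age in days, content)}. One live order
# export, one file of look-alikes that must NOT be reported, one stale backup.
SAMPLE_FILES = {
    "orders/orders.csv": (30,
        "id,customer,pan,amount\n"
        "1,ACME,4111111111111111,19.99\n"      # published test PAN, Luhn-valid
        "2,Globex,5555 5555 5555 4444,5.00\n"),  # same, space-separated
    "notes/phone_list.txt": (10,
        "Reception: 0207 946 0958\n"           # too short to be a PAN
        "Ref: 1234567890123456\n"              # 16 digits but fails Luhn
        "Zeros: 0000000000000000\n"),          # passes Luhn, obviously bogus
    "backups/2013-export.txt": (1200,
        "Archived order, card 378282246310005 (expired)\n"),
}


def luhn_valid(digits):
    """Standard Luhn check-digit test; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return distinct Luhn-valid candidate PANs in text, digits only."""
    found = {}
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # A single repeated digit (e.g. all zeros) passes Luhn; drop it.
        if luhn_valid(digits) and len(set(digits)) > 1:
            found[digits] = None
    return list(found)


def mask(pan):
    """Show at most the first six and last four digits, as PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tree(root, retention_days=365, now=None):
    """Inventory every file under root that holds candidate PANs."""
    now = time.time() if now is None else now
    inventory = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue  # unreadable file: log it separately in a real scan
            if not pans:
                continue
            age_days = (now - os.path.getmtime(path)) / 86400
            inventory.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "pan_count": len(pans),
                "sample": mask(pans[0]),
                "age_days": int(age_days),
                "over_retention": age_days > retention_days,
            })
    return sorted(inventory, key=lambda rec: rec["path"])


def build_sample_tree(root, now):
    """Write the constructed sample files and back-date their mtimes."""
    for rel, (age, content) in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        stamp = now - age * 86400
        os.utime(path, (stamp, stamp))


def demo(now=None):
    """Build the sample tree in a temporary directory and scan it."""
    now = time.time() if now is None else now
    root = tempfile.mkdtemp(prefix="pan-scan-")
    build_sample_tree(root, now)
    return scan_tree(root, retention_days=365, now=now)


if __name__ == "__main__":
    for rec in demo():
        flag = "REVIEW RETENTION" if rec["over_retention"] else "within retention"
        print(f"{rec['path']}: {rec['pan_count']} PAN(s), e.g. {rec['sample']}, "
              f"{rec['age_days']} days old, {flag}")
```

Run as-is and it reports the order export and the forgotten backup, while ignoring the phone number, the non-Luhn reference and the all-zero string. The backup is exactly the kind of find the list above is after: data nobody knew was still held, which either needs protecting or, better, securely deleting. Extend the walk to mounted backup volumes and user home directories before treating the inventory as complete.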
As compliance with PCI DSS has been mandatory for some years now for any entity that stores, processes or transmits card payment data, many organisations have embedded it into business-as-usual practice. PCI DSS is, after all, only a baseline. These companies are now looking to take this to the next level and apply the same ‘best practice’ across all of their data repositories. They are the ones who will be one step ahead of the game when the new EU rules come into play.