Is there a process in place to periodically review and assess partners ’ practices as they apply to guest information security policies ?
Know your data and where it is
From a purely IT perspective , the first step should be to undertake a ‘ data discovery ’ exercise , keeping track of the vast reams of personal data that are received , processed and stored . It ’ s essential to know what data is held , where it is , where it moves and who has access to it . This exercise avoids situations in which , for example , payment card information falls into the wrong hands or is stored on a device long after it ’ s needed . If you don ’ t know where PII and payment card data is , use a data discovery tool to locate it in your organisation . Once you know what type of data you have , you can decide how you want to handle it , given the Principles and Code of Practice you have defined for your organisation . You need to determine if it should be deleted , redacted , encrypted , placed in quarantine , or stored on a third-party system where it can be regularly accessed by staff within a safe environment . It ’ s also important to establish policies for managing access rights and to ensure these are regularly audited .
For organisations that are PCI DSS compliant , the good news is that you already have the foundations in place and have taken appropriate steps , such as :
Maintaining an information security policy and establishing who is accountable for protecting data .
Placing and maintaining secure systems to prevent data breaches , including a firewall and continually updated anti-virus software , access controls and other systems designed to prevent data breaches .
Encrypting cardholder and other sensitive data . Encryption plays a major role in data protection ; it ’ s used when confidential information is sent across public networks .
Ensuring that your IT systems are set up adequately , and investing in up-to-date security technologies .
Call in the experts
The rules around GDPR are complex , and achieving compliance is no small undertaking , even for larger organisations . It may therefore make sense to offload compliance to third-party providers , who can let you accept and store documents safely in an accredited environment . This option frees the burden of compliance from internal IT staff , avoids the need to employ a dedicated , full-time security officer , and saves substantial sums required for maintaining compliance , year in and year out . Whatever you decide to do , one thing is certain : you need to plan . And , while we all tend to put off the inevitable , this time , you can ’ t afford it . It ’ s essential to prepare the groundwork now so that , come May 2018 , you can be sure you ’ re securing your customer ’ s personal data . You need to be ready for GDPR .