Huw Thomas, Managing Director at PMC, talks about data security and the implications of the GDPR legislation.

For the past few years retailers have been busy focusing on strong security for customer card data, driven by the PCI standards; now the landscape is shifting to also include general customer data such as name, email and address.

In the UK, the most important piece of legislation organisations must worry about today is the Data Protection Act and the possibility of monetary penalty notices from the Information Commissioner's Office (ICO), requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act.

On 25th May 2018 a new piece of legislation will come into force: the EU General Data Protection Regulation (GDPR). According to recent research (by Trend Micro), 20% of IT decision makers in the UK are still unaware of its existence.

This new legislation will be applicable to all organisations that handle personal data on EU residents, including overseas organisations with European customers.

Organisations that fail to comply with the new regulation can face fines up to €20 million or 4% of their annual turnover, and serious reputational damage. Many companies are unaware of the fines they might face and need to start acting to protect their customer data. Breaches of data security will need to be notified to the regulator and, in certain circumstances, to the individual(s) concerned where an adverse effect on their privacy is anticipated as a result of the breach.

Many retailers have spent years collecting as much customer data as they can get their hands on and are now attempting to de-risk their personal data processing activities by limiting employee access to data on a much tighter "need to use" basis. Some retailers are also assessing ways to anonymise or encrypt customer data. As an added incentive, the obligation to notify data subjects (individual customers) of a data security breach is unlikely to apply where the data has been rendered "unintelligible" to persons who are not authorised to use it.
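The two measures above, tighter "need to use" access and encrypting the stored identifiers, can be built into the same component. The following Go program is an added illustration, not code from PMC or from the article: it encrypts a customer's name, email and address field by field with AES-256-GCM before they are stored, keeps a keyed pseudonym of the email so records can still be looked up, and only decrypts for a role on an allow-list. The role names, the sample customer and the in-memory keys are constructed for the example; in a real deployment the keys would live in an HSM or key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Customer holds the direct identifiers the article names: name, email, address.
type Customer struct {
	Name, Email, Address string
}

// StoredCustomer is the only form that reaches the database. Each field is
// base64(nonce || AES-GCM ciphertext); EmailToken is a keyed pseudonym so a
// record can be found by email without the email itself being readable.
type StoredCustomer struct {
	EmailToken           string
	Name, Email, Address string
}

// Vault owns the data-encryption key and a separate lookup key (illustrative:
// both are held in memory here, in production they come from an HSM or KMS).
type Vault struct {
	aead      cipher.AEAD
	lookupKey []byte
}

// revealRoles is the "need to use" list: only these (constructed) roles may see plaintext.
var revealRoles = map[string]bool{"fraud-analyst": true, "customer-service-lead": true}

// NewVault takes a 32-byte AES-256 key and an independent key for the lookup pseudonym.
func NewVault(encKey, lookupKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, lookupKey: lookupKey}, nil
}

// seal encrypts one field with a fresh nonce. The field name is bound as
// additional data, so a ciphertext moved from "Email" into "Name" will not open.
func (v *Vault) seal(field, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// open reverses seal; any tampering or wrong key yields an error, never garbage.
func (v *Vault) open(field, enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EmailToken is a keyed, non-reversible pseudonym of the normalised email address.
func (v *Vault) EmailToken(email string) string {
	mac := hmac.New(sha256.New, v.lookupKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Store turns a Customer into its encrypted, pseudonymised stored form.
func (v *Vault) Store(c Customer) (s StoredCustomer, err error) {
	s.EmailToken = v.EmailToken(c.Email)
	if s.Name, err = v.seal("Name", c.Name); err != nil {
		return s, err
	}
	if s.Email, err = v.seal("Email", c.Email); err != nil {
		return s, err
	}
	s.Address, err = v.seal("Address", c.Address)
	return s, err
}

// Reveal decrypts only for an allow-listed role; every other caller gets an error.
func (v *Vault) Reveal(role string, s StoredCustomer) (c Customer, err error) {
	if !revealRoles[role] {
		return c, fmt.Errorf("role %q is not authorised to view customer identifiers", role)
	}
	if c.Name, err = v.open("Name", s.Name); err != nil {
		return Customer{}, err
	}
	if c.Email, err = v.open("Email", s.Email); err != nil {
		return Customer{}, err
	}
	if c.Address, err = v.open("Address", s.Address); err != nil {
		return Customer{}, err
	}
	return c, nil
}

func main() {
	encKey, lookupKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(lookupKey)
	v, _ := NewVault(encKey, lookupKey)
	// Constructed sample record.
	s, _ := v.Store(Customer{"Ada Lovelace", "ada@example.com", "1 High Street, London"})
	fmt.Printf("stored: %+v\n", s)
	_, err := v.Reveal("marketing-intern", s)
	fmt.Println("intern:", err)
	c, _ := v.Reveal("fraud-analyst", s)
	fmt.Printf("analyst: %+v\n", c)
}
```

The stored record is "unintelligible" in the article's sense only while the keys stay out of reach of the people and systems that hold the ciphertext, which is why the encryption key and the lookup key are separate from the database and why decryption is gated on role rather than on database access.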

If you would like to discuss customer data security in more detail then please contact us on

Read part one here.
