EU GDPR & PCI Compliance  The Essential Guide

The most comprehensive data privacy standard to date

Or continue reading below….


What is GDPR?

The European Union’s General Data Protection Regulation (GDPR) came into play on 25th May 2018, designed to protect the personal data of consumers and make organisations more accountable for how they handle such information.

Built upon the existing Data Protection Act (DPA) 1998, GDPR is the most comprehensive data privacy standard to date. Its implementation is a response to the rise of data breaches, sensitive card information leaks, ransomware attacks, and other malicious cyber attacks impacting businesses and consumers across the world.

GDPR includes strict guidelines for organisations, including:

Organisations that do not comply with GDPR will face heavy fines, up to €20m (approximately £17.8 million) or 4% of turnover, whichever is greater.

Additionally, research by security experts Thales also suggests that 79% of consumers would not do business with an organisation that didn’t comply with GDPR and 58% of respondents claiming they would at least consider legal action.

What is "Personal Data"?

The European Commission has expanded the definition of personal data under GDPR. It considers it to be “any information relating to an individual, whether it relates to his or her private, professional or public life.” Under this definition, personal data can count as any of the following:

The bottom line is, if you collect, store or process any personal information about your customers, GDPR applies to you.

What about Brexit and the UK?

Brexit will have little impact on GDPR’s implementation within the UK.

The Government have already confirmed a similar set of guidelines will be enforced so UK organisations can continue to trade within the EU in an attempt for a smooth transition post-Brexit.

Therefore businesses with European customers should have GDPR as a main consideration when looking at their data handling, to understand how it impacts how they process and store personal and sensitive customer details.

What is the Difference Between GDPR and PCI-DSS?

The Payment Card Industry Data Security Standard (PCI-DSS or PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

The good news is, if you’re PCI-DSS compliant (or working with suppliers and partners who are compliant) you’re on the right path to becoming GDPR compliant too. If you’re looking to protect your organisation and customer’s sensitive information for GDPR, please talk to us and we can help you become PCI-DSS Compliant by descoping your organisation and keep you abreast of the regulation.

GDPR Compliance

Regulation of the collection, storage and processing of personally identifiable information, introduced by the European Union in May 2018.

PCI-DSS Compliance

Accredited secure environment for sensitive credit card information, introduced by the Payment Card Industry Security Standards Council (PCI-SSC).


Key IVR are not a legal council and organisations should seek professional legal advice where appropriate to understand the full implications of GDPR.

Want to find out more?

Submit your details and a payment specialist will be in touch.

We can offer support and guidance on how to improve your customers payment journey.

Mark Kelly

Chief Commercial Officer (CCO) (UK) & VP International Sales (US)