The most comprehensive data privacy standard to date

What Is GDPR?

The European Union’s General Data Protection Regulation (GDPR) applies from 25th May 2018. It is designed to protect the personal data of individuals and to make organisations more accountable for how they handle that information.

Replacing the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act (DPA) 1998), GDPR is the most comprehensive data privacy standard to date. It arrives against a background of rising data breaches, leaks of sensitive card data, ransomware and other malicious cyber attacks affecting businesses and consumers across the world.

GDPR includes strict obligations for organisations, including:

  • Recording how and when an individual gave consent for their details to be used. Consent must be a clear, affirmative action by the individual, not simply a pre-ticked box on a web form.
  • Being transparent about how data is used, how long it is kept and who gets to see it. Individuals also have the right to access and review the information held about them.
  • Honouring requests from individuals to have their data deleted, commonly referred to as the ‘right to be forgotten’.
  • Reporting a personal data breach to the supervisory authority (the Information Commissioner’s Office in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned.

Organisations that do not comply with GDPR face heavy fines: up to €20 million or 4% of annual worldwide turnover, whichever is higher.

Additionally, research by security specialists Thales suggests that 79% of consumers would not do business with an organisation that did not comply with GDPR, with 58% of respondents saying they would at least consider legal action.

Going into 2018, you should consider how the incoming legislation will affect your business, as failure to comply could have significant consequences.

What Is “Personal Data”?

GDPR broadens the definition of personal data. The European Commission describes it as “any information relating to an individual, whether it relates to his or her private, professional or public life.” Under this definition, any of the following can be personal data:

  • Name
  • Home address
  • Photo
  • Email address
  • Bank details
  • Posts on social networking websites
  • Medical information
  • A computer’s IP address

The bottom line is, if you collect, store or process any personal data about your customers, staff or other individuals in the EU, GDPR applies to you.

What About Brexit?

Brexit will have little impact on GDPR’s implementation within the UK.

The Government has already confirmed that equivalent rules will be written into UK law so that UK organisations can continue to trade with the EU, the aim being a smooth transition post-Brexit.

UK businesses should therefore treat GDPR as a high priority in 2018, and understand how it affects the way they process and store personal and sensitive customer details.


What Is the Difference Between GDPR and PCI-DSS?

The Payment Card Industry Data Security Standard (PCI-DSS or PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

The good news is, if you are PCI-DSS compliant (or work with suppliers and partners who are), you are already on the right path to GDPR compliance. If you want to protect your organisation’s and your customers’ sensitive information in the more immediate future and prepare your systems for GDPR, please talk to us. We can help you become PCI-DSS compliant by descoping your organisation, so that card data never enters your own systems, and keep you abreast of the regulation as further guidance is released. You will not only reduce the risks within your organisation almost immediately but also be better prepared for May 2018.


GDPR covers all personally identifiable information, such as the examples listed above, whereas PCI-DSS is concerned only with cardholder data. There is a further difference in kind: PCI-DSS is an industry standard, enforced through the contracts you hold with your acquirer and the card schemes, and it prescribes specific technical controls; GDPR is law, enforced by the supervisory authorities, and sets out principles and obligations rather than a checklist of controls. The well-established PCI-DSS documentation therefore gives an organisation a robust, concrete set of requirements to work from, while much of the detailed regulatory guidance on GDPR was still being published at the time of writing, even though the Regulation itself was adopted in April 2016.

GDPR Compliance

Regulation of the collection, storage and processing of personally identifiable information, adopted by the European Union in 2016 and applying from 25th May 2018.


PCI-DSS Compliance

A set of security requirements for environments that handle sensitive cardholder data, maintained by the Payment Card Industry Security Standards Council (PCI SSC) and assessed through formal compliance validation.

What Are Key IVR Doing About GDPR?

“As a leading payment services provider, Key IVR will be monitoring GDPR developments very carefully and communicating with our customers in early 2018 once we know more.

We are working with information supplied by the Information Commissioner’s Office (ICO) to prepare our organisation and our solutions for the adoption of the General Data Protection Regulation (GDPR) which will apply from 25th May 2018.

GDPR compliance will be a shared responsibility between our customers and Key IVR in its role as a third-party processor. As it currently stands, we are awaiting further details that will help us understand the specific impact GDPR will have.

This will not be an overnight fix, as there are many complexities to GDPR, but be assured that, as a leading payments provider, we will continue to ensure our platform is secure and compliant to the highest degree.”

Darren Wooding
Managing Director


Key IVR are not legal counsel, and organisations should seek professional legal advice where appropriate to understand the full implications of GDPR.

Key IVR are a privately owned business offering automated payment services in the UK and internationally across Europe and into the United States. We are a customer-service-focused organisation and take care to manage and meet our clients’ expectations.


Key IVR Ltd, Unit 8 Durham Lane, West Moor Park, Armthorpe, Doncaster, United Kingdom DN3 3FE

Key IVR (Ireland) Ltd, 8 Clanwilliam Square, Grand Canal Quay, Dublin 2, D02 PF75, Ireland

Key IVR, 8th Floor, 100 Church St, New York, NY 10007, USA