Three Frameworks for Data Privacy and Information Security


Beyond building a compliant shopping experience, global compliance involves protecting sensitive data like payment and personal information. There are many frameworks that governments and industry groups have created to assist businesses with this complex task. The main ones we discuss in this article are PCI DSS, ISO and GDPR.


The ability to accept payments online is the backbone of your subscription business. The first rule of online business is to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). What does this mean?

PCI DSS provides a comprehensive roadmap to help organizations ensure the safe handling of cardholder information. This roadmap comprises technical and operational requirements set by the PCI Security Standards Council (PCI SSC) that govern the entire payment process and how cardholder data is stored.

PCI DSS is organized by six overarching goals/domains:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Customers are increasingly aware of the need to guard their personal information and demand a high level of data security around any electronic transaction they make. PCI DSS compliance allows organizations to stay ahead of security vulnerabilities, prevent fines, and increase overall security levels. This not only allows them to be compliant but also makes them more trustworthy and competitive.

PCI DSS compliance helps protect your business, but your data security vulnerabilities are not limited to the credit card payment information stored on your servers. To fully protect your business, you must widen your scope and make sure that you also comply with the ISO27k family of information security standards.


The body of standards for information technology security falls under the rubric of the ISO27k family. In the ISO27k scope, each company defines its own assets and assigns each asset a value which results in a hierarchy of importance for all of your company’s assets. Assets include not only credit card information, but all your other payment data.

Additionally, according to the ISO, your assets include data related to “intellectual property, employee details or information entrusted to you by third parties.” Each asset is then assessed for the risks it faces and the loss that would follow if it were compromised by an attacker. The security controls needed to counter those risks are then selected through the lens of the ISO27k standards.


With the recent and continuing data privacy scandals, European governments are revisiting their data governance laws. The General Data Protection Regulation (GDPR), which will be binding on all EU member states, goes into effect in 2018, leaving little time for companies to get compliant.

What GDPR Means for US Companies

US companies don’t fully understand how seriously Europeans value their privacy or even what Europeans consider to be personal information. It’s not just social security numbers and credit card information. Europeans consider their names, addresses and email addresses to be personal information that companies do not have automatic rights to collect and use.

When the GDPR goes into effect in 2018, it will be applicable to every organization in the EU. Not only that, it is applicable whenever you are collecting data from a natural person in the EU, related to offering them goods or services or monitoring their behavior.

Other Key Data Privacy Changes:

Data protection officer (DPO)

U.S. companies must have a data protection officer (DPO). This is already required under German law.

Privacy by design

Privacy must be considered during product development. How do you implement this? How do you train developers? You might need privacy engineers, and that means hiring more employees. US companies are not used to paying attention to these issues at all. And, of course, these issues slow down the time to market. In other words: costs, costs, and more costs.

Privacy risk assessment

Whenever you implement a new process or product, you need to document how it affects the risk to personal data. This is another resource-intensive rule in terms of time and cost to your business, especially when it comes to time to market.

One stop shop — Data Protection Authority (DPA)

In the past, depending on your business, you had to comply with separate regulations in different countries (UK, Germany, France, etc.). With GDPR, you have to choose one country (the rules will be the same in all of them anyway) and establish a relationship with its local data protection authority. Every member state will have a DPA to field complaints from consumers, audit your business, answer your questions, and receive your notification in the event of a security breach.

Data transfers

The GDPR limits data transfers between the EU/EEA (European Economic Area) and countries outside it. An agreement between the EU and the US called Safe Harbor used to govern data transfers between the US and the EU, but that provision was struck down in 2015. As of August 2016, companies can apply for the Privacy Shield. Based in part on the rules of GDPR, the requirements for achieving the Privacy Shield are more robust than what was required under Safe Harbor.

Data portability

Whenever a consumer wants to change to a different provider, she can ask the provider to supply the data to the new provider or ask them to delete her data.

Fines and penalties

If you’re not persuaded to revisit your data governance practices yet, consider the steep penalties. Fines for collecting or using data in a forbidden way under the new GDPR can reach €20 million or 4 percent of annual revenue. That’s not to mention the damage a violation can do to your reputation. As we said before, it’s not just an issue of breaking the law; it’s also about eroding customer confidence.


If the growth of your primary customer base is stagnating, it’s solid business advice to say that you should look for other markets in which to trade. Knowing how to protect your business will ensure that your efforts at improving your market share in key target markets lead to more subscribers, more recurring revenue and greater customer lifetime value. The alternative is plunging into uncharted territory without guidance, a good way to saddle your business with rising customer complaints, lawsuits and regulatory fines.

Daniela Hagen and Vincent Schwarz contributed to this blog post.