GDPR: Payments Sector Compliance Challenges
British Telecom's Swati Sharma on the Gray Areas in the Regulation
Compliance with the EU's General Data Protection Regulation, which is now being enforced, will be tougher for large organizations in the payments sector because they have huge volumes of data, says Swati Sharma, a security specialist at British Telecom.
"There is a lot to do. I believe if they try to do investigations in terms of where all data is, they may identify some unknown locations," Sharma says in an interview with Information Security Media Group. Under GDPR, it's more important than ever to know where all data resides so it can be protected to meet the regulation's requirements or deleted upon the request of consumers under GDPR's "right to be forgotten" provision. (See: GDPR: The Challenges for India's App Developers)
Sharma says certain aspects of GDPR will remain open to interpretation. "When a law is written, they try to keep it subjective so that they can cover more and more in the scope," she says. "They don't want to miss something by being objective in their language."
For example, Sharma says there is still a lot to clarify when it comes to outsourcing data to a third party.
In this interview, Sharma also discusses:
- The gray areas under GDPR;
- Why a wide definition of PII is essential;
- The right risk management strategy for GDPR compliance.
Sharma is a senior security specialist and PCI QSA at British Telecom. She has more than 10 years of experience in PCI DSS, information security, HIPAA and privacy, and risk management.