Do you know the standards for security and data protection?

When your business handles payment card data or personal information from customers, two major standards come into play: PCI DSS and GDPR. Understanding what each one requires, who it applies to, and how to comply with it is essential for any organization that processes data, regardless of its size or location.

What is PCI DSS and who does it apply to?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of technical and operational requirements designed to protect cardholder data wherever it is stored, processed, or transmitted.

Alberto Molpeceres, founder of Besepa (Docuten’s payment and collection platform), explains it clearly: in the world of cards, everyone has heard about what the acronym PCI means. It is the industry standard for payment card security. It covers how you store cards, how you authenticate users, and how you protect that information throughout every transaction.

PCI DSS applies to any organization that accepts, processes, stores, or transmits payment card data. This includes:

  • Merchants of all sizes, from small online shops to large retailers
  • Payment service providers and processors
  • Banks and financial institutions
  • Any third-party service provider that handles cardholder data on behalf of another company

The standard is maintained by the PCI Security Standards Council, a body founded by the major card networks. Compliance is not optional in practice. Non-compliance can result in fines from card networks, increased transaction fees, and in serious cases, the loss of the ability to process card payments altogether.

What is GDPR and why does it matter for your business?

The General Data Protection Regulation (GDPR) is the European Union’s primary law on personal data protection. It came into effect on 25 May 2018, replacing the earlier 1995 Data Protection Directive and creating a unified legal framework across all EU member states.

GDPR governs how organizations collect, use, store, and share personal data. Its scope is broader than many businesses realize.

Who does GDPR apply to?

GDPR applies to any organization, anywhere in the world, that processes the personal data of people located in the European Union. This is a critical point: you do not need to be based in Europe to be subject to GDPR. If your business collects data from EU residents, whether through a website, an app, or a service contract, GDPR applies to you.

This international reach means that companies in Latin America, the United States, Asia, or anywhere else must comply if they serve or target EU-based individuals.

What counts as personal data?

Under GDPR, personal data is any information that relates to an identified or identifiable natural person. This is a wide definition that includes:

  • Names, email addresses, and phone numbers
  • IP addresses and cookie identifiers
  • Location data
  • Financial information
  • Health and biometric data
  • Professional and employment records

Data processing refers to any operation performed on personal data, including collecting, storing, modifying, sharing, or deleting it. Even simply viewing a record in a database counts as processing.

Data controllers and data processors: what is the difference?

GDPR distinguishes between two key roles:

  • Data controller: the organization that determines why and how personal data is processed. For example, a company that collects customer data through its website.
  • Data processor: a third party that processes data on behalf of the controller. For example, a cloud storage provider or a payroll management platform.

Both roles carry legal obligations under GDPR. Controllers must ensure they have a lawful basis for processing, and processors must handle data only according to the controller’s documented instructions.

What is the broader EU data protection legal framework?

GDPR is the most well-known regulation, but it sits within a larger legal structure:

  • GDPR (Regulation 2016/679): the main regulation for general data processing by private organizations and most public bodies.
  • Law Enforcement Directive (LED, Directive 2016/680): covers the processing of personal data by police and criminal justice authorities for law enforcement purposes.
  • EUDPR (Regulation 2018/1725): applies to EU institutions, bodies, offices, and agencies when they process personal data.

At the national level, each EU member state has a Data Protection Authority (DPA) responsible for enforcing these rules. In Spain, this body is the Agencia Española de Protección de Datos (AEPD). At the European level, the European Data Protection Board (EDPB) coordinates consistency across all national authorities.

What rights do individuals have over their personal data?

One of GDPR’s most significant contributions is the set of rights it gives individuals over their own data. Businesses must be ready to respond to requests exercising any of these rights, typically within one calendar month.

  • Right of access: individuals can request a copy of the personal data an organization holds about them.
  • Right to rectification: individuals can ask for inaccurate or incomplete data to be corrected.
  • Right to erasure (“right to be forgotten”): individuals can request deletion of their data in certain circumstances, for example when it is no longer needed for its original purpose.
  • Right to data portability: individuals can request their data in a structured, commonly used, machine-readable format to transfer it to another provider.
  • Right to restrict processing: individuals can ask an organization to pause processing while a dispute is resolved.
  • Right to object: individuals can object to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to automated decision-making: individuals have the right not to be subject to decisions based solely on automated processing that significantly affect them.

Businesses must have clear internal procedures to identify, log, and respond to these requests on time. Failure to do so is itself a breach of GDPR.

What are the penalties for non-compliance?

The consequences of failing to comply with GDPR can be severe. The regulation establishes a two-tier fine structure:

  • Tier 1: fines of up to 10 million euros or 2% of global annual turnover, whichever is higher. These apply to less serious infringements such as failing to maintain proper records of processing activities.
  • Tier 2: fines of up to 20 million euros or 4% of global annual turnover, whichever is higher. These apply to the most serious violations, including breaches of the core data protection principles or individuals’ rights.

Beyond fines, organizations may also face enforcement orders requiring them to stop processing data, reputational damage, and civil claims from affected individuals.

For PCI DSS, non-compliance penalties depend on the card network and acquiring bank, but can include fines ranging from thousands to hundreds of thousands of euros per month, plus the risk of losing payment processing capabilities entirely.

What compliance steps should organizations take?

Complying with GDPR and PCI DSS requires a structured approach. Here is a practical starting point for most organizations:

  • Map your data: identify all personal data you collect, where it comes from, where it is stored, who has access, and how long you keep it.
  • Establish a lawful basis for each processing activity: GDPR requires a valid legal basis, such as consent, contract performance, legal obligation, or legitimate interest.
  • Review and update your privacy notices: inform individuals clearly about how their data is used, in plain language.
  • Assess third-party processors: if you use external providers that handle personal data (such as payroll platforms, CRM systems, or digital signature services), ensure they have appropriate data processing agreements in place.
  • Set up processes for data subject requests: define who is responsible for handling requests and ensure they can be fulfilled within the legal timeframe.
  • Implement a data breach response plan: GDPR requires most personal data breaches to be reported to the relevant DPA within 72 hours of discovery.
  • Document everything: GDPR requires controllers to maintain records of processing activities. Documentation is your first line of defence in any regulatory inspection.
  • For PCI DSS: work with a qualified security assessor (QSA) to determine your compliance level and identify gaps in your cardholder data environment.

What should small and medium-sized enterprises prioritize?

GDPR applies to businesses of all sizes. However, some obligations are scaled for smaller organizations. For example, companies with fewer than 250 employees are generally exempt from the obligation to maintain written records of processing activities, unless the processing is regular, involves sensitive data, or poses a risk to individuals.

That said, SMEs still need to meet the core requirements. The areas that most commonly affect smaller businesses include:

  • Customer and employee data management
  • Use of third-party tools (email marketing platforms, CRM systems, cloud storage) that process personal data on their behalf
  • Cookie consent and website privacy policies
  • Handling of payment card data if they accept card payments directly

The most practical first step for an SME is to conduct a simple data audit: list every type of personal data you hold, where it is, and what you do with it. From there, you can identify which obligations apply and tackle them in order of risk.

What technical and security measures help protect personal data?

Both GDPR and PCI DSS require organizations to implement appropriate technical and organizational measures to protect data. In practical terms, this means:

  • Encryption: encrypt personal and payment data both in transit and at rest. This ensures that even if data is intercepted or accessed without authorization, it cannot be read.
  • Access controls: limit access to personal data to those employees who genuinely need it to do their jobs. Use role-based permissions and enforce strong authentication, including multi-factor authentication for sensitive systems.
  • Data minimization: collect only the data you actually need for the stated purpose. The less data you hold, the smaller your exposure in the event of a breach.
  • Regular security assessments: conduct vulnerability scans and penetration tests to identify weaknesses before attackers do.
  • Pseudonymization: where possible, replace identifying information with artificial identifiers so that data cannot be attributed to a specific person without additional information held separately.
  • Audit logs: maintain records of who accessed what data, and when. These are essential for both compliance audits and breach investigations.
  • Staff training: most data breaches involve human error. Regular training on data handling, phishing awareness, and incident response reduces this risk significantly.

Platforms that hold ISO 27001 certification or operate under recognized security frameworks provide an additional layer of assurance that technical controls are in place and regularly reviewed.

How does digital document management relate to data protection?

As Alberto Molpeceres notes, even in everyday payment and collection operations, you are often receiving a significant volume of customer information without necessarily being aware of it. In most cases this falls within the lawful treatment of data needed to provide the service. But when you start creating detailed customer profiles or using that data for purposes beyond the original transaction, you enter territory that needs careful consideration under GDPR.

This is equally relevant for organizations that handle signed contracts, invoices, HR documents, and logistics records. Each of these document types typically contains personal data. The way you store, transmit, and archive them must comply with data protection obligations.

Electronic signature solutions and e-invoicing platforms that are built around legal compliance, such as those offered by Docuten as a Qualified Trust Service Provider, incorporate data protection requirements into their architecture by design. This reduces the compliance burden on businesses and ensures that digital processes meet the necessary legal standards.

If you want to understand how Docuten manages data security and legal compliance in its document certification services, or if you need help aligning your document processes with GDPR and PCI DSS requirements, do not hesitate to contact us. We are happy to walk through the specifics with you.

Mónica fustes - Marketing Manager en Docuten

A specialist in Corporate Communication and Advertising, Mónica leads Docuten’s marketing strategy with a clear and straightforward approach. Her experience in simplifying technical and regulatory concepts ensures that key industry information reaches users in a clear, professional, and accessible manner.

🔗 Connect on LinkedIn