
Data Protection

Current Data Protection Legislation

Under current Data Protection legislation, anyone who processes personal data[1] must comply with the requirements of this law. In practice this means almost every organisation of any type and yet, despite this broad scope, many organisations do not take active steps to comply.

There are eight principles of data protection. Data must be:

  1. Fairly and lawfully processed
  2. Obtained only for specified purposes
  3. Adequate, relevant, not excessive
  4. Accurate and kept up to date
  5. Kept only for as long as necessary
  6. Processed in accordance with the rights of the data subject
  7. Kept secure against unlawful or unauthorised processing, or accidental loss or erasure
  8. Not transferred to a country outside the European Economic Area (certain exceptions are permitted)

Several of these give rise to specific challenges in the areas of records management and general security. How, for example, does an organisation both define “as long as necessary” and then ensure that data is not kept beyond that span? And to what extent must an organisation keep data secure against unlawful processing or loss?

Of course, loss and unauthorised processing, for example by an attacker who manages to break in and steal data, can never be ruled out, but an organisation which can demonstrate that it has taken adequate and proportionate steps to protect data and has still suffered such a loss is in a much stronger position than one which has suffered loss and cannot provide evidence of appropriate security strategies.

Cardinia works with its clients to answer these and similar questions and to devise a strategy to assure demonstrable compliance with Data Protection law.


The General Data Protection Regulation (GDPR) is a European law due to be enforced in the UK from May 2018.

The main practical differences between current Data Protection legislation and GDPR are a) that the responsibilities of Data Processors have been greatly extended, b) that breaches must be notified within 72 hours and c) that fines are greatly increased to 4% of global turnover or €20 million, whichever is greater. If you are a Data Processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach.

This is particularly relevant to Cardinia clients who provide data processing services to third parties and whose responsibilities as Data Processors are currently more modest in scope.



PCI DSS, the Payment Card Industry Data Security Standard, is an information security standard for organisations which accept payment via payment cards[2] from the major card providers, including Visa, MasterCard and American Express.

Compliance is not mandatory, but card providers can censure merchants in the event of security breaches and such censure can include fines or termination of merchant service accounts, which could be highly disruptive to businesses where a significant proportion of payments are made via cards.

What we do

Companies handling small volumes of transactions are permitted to self-certify through the use of a Self-Assessment Questionnaire (SAQ). Several different SAQs are available to cover different types of use, the intention being to simplify the process for most smaller merchants.

Sadly, it is not infrequently the case that merchants have card usage patterns which straddle two or more SAQs and, in these circumstances, it may be necessary to fall back on the “catch-all” SAQ D. The challenge to organisations wishing to self-certify PCI DSS compliance is similar to that posed by Cyber-Essentials. Cardinia helps its clients by identifying where “not applicable” is an acceptable answer, by correctly interpreting the intent behind the often very technical questions, so that clients are not led into the implementation of expensive and unnecessary technical upgrades, and by identifying any residual weaknesses and solutions to address them. This enables our clients to self-certify with confidence.

  1. Personal data is defined as information which relates to a living individual who can be identified either from the data or from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller. Paper records, as well as computer records, are included. 

  2. Most credit and debit and some pre-pay cards.