
Ask HN: Would storing an irreversible card fingerprint violate GDPR compliance?

1 point | thala | 2 years ago

Would it be okay to generate and store a card fingerprint using irreversible one-way hashing, or would that lead to a violation of GDPR compliance? We are based out of the US.

I'm not able to find any specific documentation that discusses user consent here. Would it be a violation of privacy from a GDPR standpoint?

6 comments


dave4420|2 years ago

What would you be using it for? You do not always need consent, e.g. if it’s necessary in order to deliver a service the fingerprint owner requested.

Would you be able to delete the hash if the fingerprint owner asked you to?

thala|2 years ago

Yes, we would have to make provision to delete it upon request. We are looking to use this for fraud risk management.

mrkeen|2 years ago

I considered hashing GDPR data previously in a project, and found that "one-way" hashing didn't really exist in our use case.

If the number of possible inputs is small enough, you can just rehash them all, and then your "one-way" hash becomes two-way.
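
An added illustration of the point above, not code from the thread: over a small, known input space an unkeyed SHA-256 "fingerprint" is inverted by hashing every candidate, while a fingerprint keyed with a secret (HMAC) held apart from the stored values cannot be inverted the same way. The card-number prefix, the four-digit variable space and the keys are constructed assumptions.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Callable, Optional

# Constructed toy space: a 16-digit number whose first 12 digits are assumed
# known, so only 10,000 candidates remain. The real space is larger but still
# enumerable in the same way, which is why unkeyed hashing does not anonymise.
KNOWN_PREFIX = "411111111111"


def plain_fingerprint(pan: str) -> str:
    """Unkeyed SHA-256: 'one-way' only while the input space is large."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_fingerprint(pan: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key that is stored apart from the fingerprints."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def invert_by_enumeration(target: str,
                          fingerprint: Callable[[str], str]) -> Optional[str]:
    """Rehash every candidate in the small space and look for a match."""
    for digits in itertools.product("0123456789", repeat=4):
        candidate = KNOWN_PREFIX + "".join(digits)
        if hmac.compare_digest(fingerprint(candidate), target):
            return candidate
    return None


def demo() -> tuple:
    """Returns (input recovered from plain hash, input recovered from keyed hash)."""
    pan = KNOWN_PREFIX + "1234"  # constructed sample value
    recovered = invert_by_enumeration(plain_fingerprint(pan), plain_fingerprint)

    server_key = secrets.token_bytes(32)  # never leaves the fingerprinting service
    keyed = keyed_fingerprint(pan, server_key)
    # Someone holding only the stored fingerprints must guess the key as well;
    # enumeration with any other key finds nothing.
    other_key = secrets.token_bytes(32)
    not_recovered = invert_by_enumeration(
        keyed, lambda p: keyed_fingerprint(p, other_key))
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())  # ('4111111111111234', None)
```

A keyed fingerprint is still pseudonymised rather than anonymised data, so it settles the reversibility concern raised above, not the GDPR question itself.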

mytailorisrich|2 years ago

This may be personal data, since payment cards are nominal, so may fall within the GDPR. But that does not mean it is a "violation" and that does not mean you should lose sleep over it.

thala|2 years ago

Okay, does the regulation vary across different regions?