from Hacker News

Ask HN: Would storing an irreversible card fingerprint violate GDPR compliance?

by thala on 12/4/23, 10:58 AM with 6 comments

Would generating and storing a card fingerprint using irreversible one-way hashing lead to a violation of GDPR compliance? We are based out of the US.

I'm not able to find any specific documentation that discusses user consent here. Would it be a violation of privacy from a GDPR standpoint?

  • by dave4420 on 12/4/23, 11:39 AM

    What would you be using it for? You do not always need consent, e.g. if it’s necessary in order to deliver a service the fingerprint owner requested.

    Would you be able to delete the hash if the fingerprint owner asked you to?

  • by mrkeen on 12/4/23, 11:34 AM

    I considered hashing GDPR data previously in a project, and found that "one-way" hashing didn't really exist in our use case.

    If the number of possible inputs is small enough, you can just rehash them all, and then your "one-way" hash becomes two-way.
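The point in the comment above, worked through as an added example (not code from any commenter): an unkeyed SHA-256 "fingerprint" over a constructed 16-digit test PAN is inverted by enumerating the small candidate space, while an HMAC under a secret key held outside the database is not. The PAN prefix, the 4-digit variable tail and the key handling are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample: the classic Luhn-valid test number 4111 1111 1111 1111.
# We treat the first 12 digits as known (BIN plus a guessed middle) so only the
# last 4 digits vary: a 10^4 space, and even a full per-BIN space (~10^9 Luhn-
# valid numbers) is cheap to enumerate against an unkeyed hash.
PAN_PREFIX = "411111111111"
SAMPLE_PAN = PAN_PREFIX + "1111"


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum, used to skip impossible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def unkeyed_fingerprint(pan: str) -> str:
    """Plain one-way hash: anyone can recompute it for any candidate PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_fingerprint(pan: str, key: bytes) -> str:
    """HMAC with a secret key: candidates cannot be checked without the key.
    Rotating or deleting the key makes every stored fingerprint unmatchable."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def invert(fingerprint: str, fp_fn: Callable[[str], str]) -> Optional[str]:
    """Rehash every Luhn-valid candidate and return the one that matches."""
    for tail in range(10_000):
        pan = f"{PAN_PREFIX}{tail:04d}"
        if luhn_ok(pan) and hmac.compare_digest(fp_fn(pan), fingerprint):
            return pan
    return None


def demo() -> tuple:
    """Returns (PAN recovered from the unkeyed hash, result against the keyed one)."""
    recovered = invert(unkeyed_fingerprint(SAMPLE_PAN), unkeyed_fingerprint)
    server_key = secrets.token_bytes(32)          # kept out of the database
    stored = keyed_fingerprint(SAMPLE_PAN, server_key)
    attacker_guess = secrets.token_bytes(32)      # the key is not available
    not_recovered = invert(stored, lambda p: keyed_fingerprint(p, attacker_guess))
    return recovered, not_recovered
```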

  • by mytailorisrich on 12/4/23, 11:03 AM

    This may be personal data, since payment cards are nominal, so may fall within the GDPR. But that does not mean it is a "violation" and that does not mean you should lose sleep over it.