Ask HN: Would storing an irreversible card fingerprint violate GDPR compliance?
Would it be okay to generate an store a card fingerprint using a irreversible one-way hashing lead to a violation of GDPR compliance? We are based out of the US.
I'm not able to find any specific documentation that discusses about the user consent here? Would it be a violation of privacy from a GDPR standpoint?
6 comments
[ 5.0 ms ] story [ 28.2 ms ] threadAs said, this info may be personal data. SO why do you want to store it? If it's for security/fraud prevention you should look for a carve out (legitimate interest, etc) that would allow you to store it without explicit consent and would possibly also allow you not to delete it on request. In which case, you would be able to simply stipulate in your T&Cs/privacy policy that you are collecting that info for that specific reason, for that specific period of time (all of which should be reasonable).
If the number of possible inputs is small enough, you can just rehash them all, and then your "one-way" hash becomes two-way.
Would you be able to delete the hash if the fingerprint owner asked you to?