If your company is one of the many that can benefit from the entry into force of the revised European Payment Services Directive, PSD2, and if you have also been farsighted and taken the measures to adjust to it, you are ready to face another European regulation that could have a significant impact on your business: the General Data Protection Regulation, known as GDPR.
Although in principle these regulations are not directly linked, they do converge. It is true that a company does not need to belong to the financial or FinTech sector to be subject to GDPR (the regulation is mandatory for any company that stores, processes, has access to, transfers or discloses the data records of European Union citizens). It is also true that, within this sector, the almost simultaneous implementation of both regulations is going to have significant consequences for the operational rules that companies must apply.
GDPR: what do we need to know?
GDPR is the name given to European Regulation 679/2016 on Data Protection, which, following a two-year moratorium on its application, will become mandatory on 25 May. That is why we describe the two regulations as almost simultaneous: the period for the different countries to transpose the revised payment services directive ended in January.
What are the origins, and the intention, of the new data protection regulation? Until now, there was no uniform regulation in relation to data protection throughout the EU. Thus, as was the case with PSD1 and 2 with payments, the GDPR is aimed at standardising legislation across the European Union (this will benefit businesses in the EU as they will be able to operate throughout the territory by complying with shared regulations).
That is not all. Current data protection legislation dates back to before the digital revolution that we are experiencing, which has led to exponential growth in the user data handled by a large number of companies (for example, Internet giants and social networks such as Google and Facebook, as well as many others, including SMEs). Users do not always provide this data with sufficient knowledge of the implications of handing it over, and often it is not properly managed or protected. For this reason, the Regulation will make it mandatory to maximise the protection measures for the data of third parties. It seeks to ensure client security, as well as their trust in digital transactions, as a means of supporting new forms and ways of business.
PSD2 and GDPR: shared or opposing aims?
We said that PSD2 was established to provide greater openness, transparency and competitiveness, by encouraging Open Banking and giving third parties access to the data of financial institutions' customers. On the other hand, we are saying that the European Regulation on Data Protection aims to limit how businesses (including the third parties we mentioned) use the data of their customers and consumers. So, is GDPR a shot in the foot for PSD2? This does not have to be the case, although the practical application of both regulations will entail some difficulties and adjustments in the future.
As we stated, both regulations ultimately share one identical objective: to recognise the consumer as the sole owner of their personal data and, in accordance with this recognition, to enable them to be the one who decides how that data can be used and with whom it can be shared. At this point, those who are familiar with the initial steps of PSD2 already know that access by third parties (known as TPPs) to the account of a banking customer should only be permitted with the authorisation of the customer.
Likewise, PSD2 does not forget about data security, providing for measures such as Strong Customer Authentication (SCA). However, as we already mentioned, the challenge for companies in the near future will be to reconcile both regulations and their legitimate aspirations. Some companies, such as Unnax, have been working for a long time now to overcome this challenge and to make it easier for our customers to do so too.