During the first months of 2018, the European Union will update two regulations relating to personal data and the way it is used. The first, the General Data Protection Regulation (GDPR), affects all companies that manage the data of EU citizens, regardless of sector and size. The second, the new European Payment Services Directive, PSD2, governs the use of the data of individuals and companies by financial institutions and third parties, and also plays an important role.
GDPR and PSD2: a conflict of interests and objectives?
Both regulations coincide on two important issues. On one hand, they put the consumer at the centre of things, as the effective owner of their data and, therefore, the only party that can decide what to do with the data, who can use it and for what purpose. On the other hand, they aim to standardise legislation across all EU countries in order to make compliance easier, thus stimulating the business growth that has resulted from progress in the digital sector. There is a third overlap: both are demanding in terms of strengthening personal data protection and privacy.
Given the overlaps and the shared objectives of both regulations, it may seem that there is no reason for them to conflict with one another. However, several factors may discourage companies from capitalising on the windows of opportunity that, in principle, the PSD2 opens up. First, there are the high fines faced by companies that breach the conditions of the GDPR. Second, applying the PSD2 (with the obligatory transfer of personal data by financial institutions to third parties, when authorised by its owner) increases the exposure of the data, and thus the potential risk to it, at least if the prior work to implement the correct technology and supervision has not been properly carried out. Third, there are the doubts that will arise from the day-to-day application of two regulations that are so recent and complex.
New data protection demands
When it comes to considering how you will overcome the challenge posed by the two new EU regulations, you need to bear in mind that the new European regulation on data protection not only demands greater rigour in the safekeeping and management of data, it also widens the range of information that is considered personal data. Indeed, it extends it to cover any information that could make it possible to identify the person: from photographs to names, email addresses, publications on social networks, union membership, political or religious affiliation, IP addresses, biometric data, as well as banking details…
This extended protection must be reconciled with the obligation that entities will have to provide the so-called TPPs (Third Party Providers) with access, through APIs, to the information contained in the customer's account, and also to allow them to initiate a payment. And there are other demands, such as the requirement that customer authorisation be provided through "Strong Customer Authentication" (SCA). This requires identification through at least two different factors: something that the customer knows, such as an important date; something that they have, such as a mobile phone; and something that they inherently are, such as biometric information. Likewise, it has to guarantee that improper access to one of these factors will not lead to a breach of the rest.
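As an added illustration (not code from the original article or from Unnax), the following Python snippet models the two SCA conditions just described: at least two distinct factor categories, and independence, so that compromising one factor does not compromise another. The `trust_domain` label and the sample factors are constructed for the example; a real implementation would map them to the bank's actual authenticators.

```python
from dataclasses import dataclass

# The three SCA factor categories named in the text above.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Factor:
    name: str          # constructed label, e.g. "password"
    category: str      # KNOWLEDGE, POSSESSION or INHERENCE
    trust_domain: str  # constructed: what an attacker must control to defeat it


def sca_check(factors):
    """Return (ok, reason).

    ok is True only when the presented factors span at least two distinct
    categories AND no two factors depend on the same trust domain, so that a
    breach of one element cannot also breach the others.
    """
    categories = {f.category for f in factors}
    if len(categories) < 2:
        return False, "fewer than two distinct factor categories"
    domains = [f.trust_domain for f in factors]
    if len(domains) != len(set(domains)):
        return False, "two factors share a trust domain; not independent"
    return True, "SCA satisfied"


# Constructed scenarios (not from the article):
# 1. password + security question: both KNOWLEDGE, so only one category.
TWO_KNOWLEDGE = [Factor("password", KNOWLEDGE, "user-memory"),
                 Factor("security-question", KNOWLEDGE, "user-memory")]
# 2. fingerprint unlock + app token, both living on the same phone:
#    two categories, but one stolen, unlocked phone defeats both.
SAME_PHONE = [Factor("phone-fingerprint", INHERENCE, "phone"),
              Factor("phone-app-token", POSSESSION, "phone")]
# 3. memorised password + app token on the phone: two categories,
#    two independent trust domains.
GOOD = [Factor("password", KNOWLEDGE, "user-memory"),
        Factor("phone-app-token", POSSESSION, "phone")]

if __name__ == "__main__":
    for label, scenario in [("two knowledge", TWO_KNOWLEDGE),
                            ("same phone", SAME_PHONE), ("good", GOOD)]:
        print(label, sca_check(scenario))
```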
PSD2, reconciling compliance with both regulations
The PSD2 also imposes SCA for re-establishing credentials, which must be as secure as the process we have just described. Putting the security and privacy of customer data at risk can result in significant fines. The first piece of advice for any company that may be affected by both regulations is to plan compliance with the two regulations jointly. This will bring you closer to overcoming the challenge that lies ahead. It is an important challenge for everyone to resolve in a positive way (in terms of security, of not limiting the potential growth of the digital economy, etc.). At Unnax we are aware of this and work to help our customers to do this successfully.