GDPR vs PSD2: a challenging contradiction or two sides of the same coin?

Laura Cooper, DataRaze: PSD2 and GDPR have a great deal in common

On the face of it, the General Data Protection Regulation (GDPR) and the evised Payment Services Directive(PSD2) are introducing entirely contradictory requirements on the financial services industry. While GDPR seeks to enforce greater restrictions on businesses by forcing them to increase data protection and destruction processes, PSD2 seeks to breakdown the historical boundaries of one of the UK’s oldest traditional sectors by championing the idea of “open banking” and the sharing of customer information to help promote better tech based products and services.

But are GDPR and PSD2 really that dissimilar and incompatible? Or do these regulations actually combine to create a robust security, data protection and destruction mind set within a more agile and customer centric financial sector? Laura Cooper, client services director at DataRaze, discusses a new era of consumer rights and corporate accountability.

Out of sight, out of mind – out of pocket!

Forget the fate of the Bitcoin or currency volatility; it is arguably regulatory change that is set to be the landmark event for the financial services sector in 2018. The introduction of PSD2, alongside the UK specific requirements of the Competition and Markets Authority (CMA), calls time on the previously closed shop of traditional banking. Under the new “open banking” model, financial services organisations must now open their IT systems to third parties to enable new service provides to deliver innovative payment and account consolidation services.

Of course, PSD2 is not the only regulatory upheaval in 2018; May sees the introduction of new data protection legislation across Europe. In contrast to the open approach of PSD2, GDPR aims to unify and strengthen data privacy laws, formalising concepts such as the ‘right to be forgotten’ and giving EU citizens greater control over their personal data online. It also requires that businesses take a more considered approach when it comes to capturing and processing customer data.

For traditional financial services organisations wrestling with the challenges of compliance within an ageing legacy technology environment, the implications of both regulations are incredibly significant: while PSD2 is set to introduce unprecedented competition – competition that is predicted to cost UK banks up to 43% of their retail payments based revenues by 2020 according to Accenture – it also raises huge concerns regarding the safety, security and privacy of customer data. With the maximum penalty associated with GDPR hitting 4% of global turnover or €20 million, organisations cannot afford an ‘out of sight, out of mind’ attitude to securing and managing the new data lifecycle.

Consumer rights

It is important to understand the underpinning concept that links these two regulations: improved consumer rights. While PSD2 is about opening banking and enabling new, innovative, fintech companies to deliver a raft of compelling services to consumers, GDPR is about giving consumers more control over their data. This includes the right to be informed about how organisations use personal data and the right to request that personal data be deleted or removed if there is no compelling reason for an organisation to carry on processing it. Plus, GDPR introduces the right of data portability: a consumer’s right to obtain and port personal data for their own purposes across different services.

One of the benefits of regulatory demands is, typically, clarity of requirements. And certainly when it comes to GDPR, the EU has laid out very clear expectations when it comes to the way organisations should collect, process and retain customer data. Businesses will have to report data breaches that pose a risk to individuals to the Information Commissioner’s Office (ICO) and, in some cases, the individual affected. Consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have that consent if they rely on it for processing data. A pre-ticked box will not be valid consent.

The PSD2 requirements, however, have been less clear. The Regulatory Technical Standards (RTS) were only ratified this summer and while open banking is introduced in January 2018, banks have until October 2019 to achieve full technical compliance, creating a risk of fragmented compliance activity and consumer confusion. In the UK, however, the CMA’s business and technical standards have been clarified for some time, providing organisations with a clear roadmap that includes secure processes for new payment initiation services, including strong user authentication.

Common ground

However, in the rush to meet high profile cyber security risks, organisations cannot afford to overlook one of the most critical issues – data destruction; especially data held on end of life equipment. This is particularly key given the growth in innovative new services and products that will be enabled by the use of application programming interfaces (API) under PSD2, developments that could well accelerate the decommissioning of legacy equipment.

To both meet the needs of CMA and GDPR, it will be essential to ensure that data is safely destroyed – a process that will need a full audit trail and incontrovertible verification. One option is to use a third party IT asset disposal (ITAD) company to undertake the disposal. But GDPR demands both organisations are fully compliant – and that means looking for an unbreakable chain of custody and strong proof of disposal. The contractual agreement must therefore cover all areas of jurisdiction, including processes and standards; plus full proof of destruction – such as video evidence.

Alternatively, financial services companies can take control in-house and use physical data destruction technology that provides proof of destruction evidence. With a hard disk shredder on site, a company can achieve complete data control by ensuring redundant or failed drives are immediately destroyed. A strong internal chain of custody can be imposed, while the audit trail is achieved by ensuring each drive to be shredded is recorded in the system via the serial number, rack number/location, drive make/model and the date/time of failure. A photograph of the hard drive and a video of each shred can also be added to provide full confirmation of the data destruction to any internal or external auditor.

2018 brings uncertainty

The financial market is facing an unprecedented shift in 2018 – one that will both transform consumer rights and demand new levels of corporate accountability. While PSD2 opens the door to new players, often app-based companies which have the agility to reach out to consumers with compelling new products and services, GDPR gives regulators new levels of enforcement that should introduce a new approach to data privacy.

And not before time: the last ICO survey found 75% of adults in the UK don’t trust businesses with their personal data. PSD2 and GDPR, in fact, have a great deal in common – and it comes back to delivering better services that prioritise consumer privacy, an approach that will go some way to rebuilding consumer trust, trust which has tangible commercial value.

As the ICO’s Elizabeth Denham, stated earlier this year, “Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and, over time, this can play more of a role in consumer choice.”