PSD2 and GDPR: Protecting our personal data

2018 is set to be a transformative year for Europe’s digital economy. Both GDPR (General Data Protection Regulation) and PSD2 (Payments Services Directive) will pass into law in 2018, prompting a complete overhaul of the way businesses approach their customer data.

As the digital economy continues to grow, the EU now faces a new responsibility to ensure personal data is being managed correctly and responsibly by the businesses that operate within its borders. By developing GDPR and PSD2, the EU hopes to actively enforce data protection rules and develop a fairer platform for data protection that supports consumers and businesses alike.

But achieving this isn’t as simple as it first appears. While GDPR will protect consumer privacy, PSD2 will give third parties access to customer data. These are two contradictory motives that suit very different audiences: customers and businesses. Banks are already grappling with the technicalities of these regulations, and the financial sector especially will face significant disruption. But what do these regulations actually mean for businesses and their customers?

The new regulations come into effect in two stages next year. The first, PSD2, will launch in January 2018 and allow third parties to access anonymised customer banking data. The regulation is designed, in part, to ignite innovation and create a level playing field for financial disruptors and service providers to bring their services to the consumer marketplace. In theory, it will help foster direct competition with banks by giving service providers the ability to interact with banks’ customers.

But with the arrival of new digital services like these come new concerns around the security of the personal data they rely on. According to Unisys, UK consumers have reported a 40 percent increase in security concerns since 2014. Identity theft is one of the key worries, with half of respondents saying they were concerned about the safety of their personal data.

PSD2 will look to address these fears by improving the security of new and existing services, and making strong customer authentication mandatory. For both banks and service providers, this will further expand the reach of two-factor authentication, where users authenticate themselves using something they have, such as a smartphone, and something they know, like a PIN or a password.

Then there is GDPR, which will become law a few months later in May 2018. GDPR will establish a tighter standard for how companies are processing, securing, and reporting customer data.

Reaping the benefits of a digital economy

Unlike previous legislation, GDPR will apply to any organisation that holds or processes data on EU citizens, regardless of where it is based. Gone are the days when the regulation would only apply to those companies headquartered in the EU. In reality, the new legislation means almost every website and app in the world will be required to comply with GDPR.

On one hand, the benefits are obvious. GDPR will require organisations to take a more sophisticated, considered approach when it comes to capturing data from their customers, and to ensure it is processed correctly. At the same time, however, the cost of non-compliance will be high. Organisations that breach the regulation could face fines of up to 4 per cent of their global turnover. It’s a significant penalty.

Bringing these two regulations together is crucial to ensure businesses and customers can reap the benefits of the booming digital economy. But doing so presents a challenge.

The key is consent. To stay compliant with GDPR, third parties will only be able to access customer data when the consumer has agreed to share it. But how can customers prove they are who they say they are and trigger that consent?

If banks aren’t completely certain where a request has come from, then the sensible approach is to decline it to minimise the risk of fraud. But under the new regulation, banks could be in violation of PSD2 if they decline a request from a service provider. In the worst-case scenario, when a data breach takes place, they could also become liable under the rules of GDPR. How can these regulations be brought together to ensure a seamless experience for banks, service providers, and their customers?

One solution is collaborating with mobile operators. With customer consent, operators can leverage a variety of user data, such as location, account and usage history, in order to help verify transactions. With this information, operators can ensure the customer is really who they say they are, without inconveniencing them with multiple checks and verifications. The GSMA is already working with leading mobile network operators to roll out such a solution. Mobile Connect is an operator-based authentication service that allows customers to authenticate themselves, authorise transactions, and provide consent to the validation or sharing of their data.

Minimising risks

Mobile authentication is secure and extremely convenient, which is essential for keeping customers happy and empowering them to have better control of their data. The majority of us now carry smartphones around with us, making two-factor authentication simple, as the object we need to ‘have’ is already in our hands. Possession of a mobile phone can be combined with a ‘known’ piece of information, such as a PIN, or with biometrics, such as a fingerprint. With these two factors, banks can easily and accurately verify the identity of the person trying to access a service.

Partnering with mobile operators can also help minimise the risk of account takeover fraud, which is especially helpful for banks. If someone tries to change the mobile number associated with a bank account, the operator can determine whether the original mobile number is still in use. If it is, account takeover is likely, and the operator can use the original number to alert the customer to these suspicious changes to their personal details.

When banks and operators combine their knowledge and expertise, they can create a secure environment for transactions that also offers greater revenue generation opportunities.

There can be no doubt that GDPR and PSD2 will drive huge changes in the world of personal data and disrupt the way our digital economy operates. But with mobile authentication, we can ensure data is kept safe and secure for businesses and consumers.

Marta Ienco is Head of Governments and Regulatory Affairs for the Identity program of the GSMA