GDPR and PSD2 return control of their personal data to consumers
With PSD2 (the revised Payment Services Directive, applicable from 13 January 2018) and the GDPR (General Data Protection Regulation, applicable from 25 May 2018) both in force, 2018 is turning into a year of important changes.
These European Union rules have a profound impact on the processes and information systems of organizations, which must respond to significant organizational and technological challenges in order to comply with them.
So, what is the motivation behind these two pieces of legislation, which at first sight can even seem contradictory?
For the European Union, the PSD2 “aims to improve the existing rules in the EU for electronic payments. It takes into account new and innovative payment services, such as mobile payments and online.”
Regarding GDPR, “it establishes the norms related to the protection of natural persons with regard to the processing of personal data and the rules related to the free circulation of such data.”
So, on the one hand, PSD2 requires banks to open their systems and make customer account data available, at the customer's request, to authorised third-party providers that can offer innovative payment and account information services; on the other hand, the GDPR introduces new restrictions on the use of the personal data of those same customers.
Although this seems contradictory, in practice it is not. In reality, access to personal data depends on three key factors: trust, context and consent. In every case, however, control remains in the hands of the consumer / citizen, who decides which data they want to share and with whom.
For example, if I am out for a few hours, I may need someone to take care of my children. Whom I can ask for this help depends on several factors, but above all on trust, and there are different degrees of trust: from close family, where trust is usually highest, to day care services. In the latter case, trust usually comes from the recommendation of people I trust more, such as family members, neighbours or friends.
The fact that a mobile application tracks my location and sends out my exact position may, as a citizen, seem beneficial to me in one case but harmful in another, depending on the context. If I suffer a fall during a hike and the application is able to send my coordinates to the emergency services so that help can be dispatched, it is clearly beneficial.
These examples show that sharing personal data is in itself neither good nor bad. Everything depends on a third factor: doing it on a valid lawful basis for processing. The GDPR lists several such bases in Article 6 (for example, performance of a contract or a legal obligation), but in many situations the applicable basis will be the consent of the data subject.
The GDPR describes in several places (Recitals 32, 42 and 43 and Articles 6, 7 and 8) what valid consent for the processing of personal data looks like and how it must be obtained: it must be freely given, specific, informed and unambiguous (Article 4(11)), explicit where special categories of data are involved (Article 9), given by a clear affirmative act, and as easy to withdraw as it was to give. The controller must also be able to demonstrate that consent was obtained (Article 7(1)), which in practice means keeping a record of what was consented to, when and how.
Clearly, then, these rules are not contradictory; rather, they complement each other and, as we have seen, return control over access to personal data to citizens / consumers.
Trust, context and consent in the digital environment: the role of technology
Society's growing dependence on technology makes evident the importance of properly managing the "digital identities" of citizens / consumers, especially now that information must be shared between different actors.
While these rules seek to put the citizen / consumer at the centre, the truth is that information systems have generally been designed around models that are focused on transactions rather than on the identity of the person behind them. To comply, companies must therefore adapt their processes and systems and adopt an identity-centric security model.
Technology can help. Identity and access management solutions, advanced authentication based on context and risk (PSD2 itself mandates strong customer authentication, combining at least two independent factors from knowledge, possession and inherence, for most electronic payments), security and monitoring of the application programming interfaces (APIs) used for data exchange with third parties, identity federation and other security technologies will be essential to ensure that these rules are applied and implemented correctly.
Thus, deploying identity governance solutions will let us know who can access what information and ensure that only appropriate users can do so, with an auditable record of each access decision so that compliance can be demonstrated. Privileged access management will make it possible to stop administrators, or other users with elevated access to the systems, from abusing their access rights, since the data subject's consent is meaningless if an insider can bypass it. Advanced authentication solutions will help protect users by ensuring that, once their identity has been reliably proven, they can exercise the rights granted to them by these regulations and directives.