Across the acres of coverage around General Data Protection Regulation (GDPR) and the Second Payment Services Directive (PSD2), some subtleties have been largely overlooked. One of them is the interaction between the two when it comes to the new subject access rights.
This article was contributed by Andrew Churchill, Vice Chair for Funding and Business Development, European Alliance for Innovation.
Under General Data Protection Regulation (GDPR) and the U.K.’s Data Protection Bill, individuals have the right to access their personal data. Organizations, meanwhile, have an obligation to check the identity of any person making such a request before releasing that data or, indeed, accepting explicit consent to process their data.
Neither GDPR nor the Data Protection Bill currently prescribes how that authentication should be done, only that businesses should log that they have done so “so far as possible,” as the bill puts it. It’s unclear what that means in practice. We are working towards an accepted definition of what strong customer authentication may look like. (I’m lead author of the British Standards in Digital Identification and Authentication.) But we are not there yet.
There is one place where standards for authentication are already defined, however: in PSD2. While it may be impractical to fully apply those standards to online retailers or utilities companies, they are the standards expected of financial services. It seems logical, then, that PSD2’s authentication requirements will be those applied to financial services dealing with GDPR.
In the U.K., far from being undermined by Brexit, that’s reinforced. Although EU regulations (as opposed to directives) apply directly to member states, the U.K. has sought to promote certainty by writing the requirements of GDPR into the Data Protection Bill. However, the bill is also seeking to align with the Network Information Systems (NIS) Directive, which increases the technical security requirements for critical national infrastructure, such as utilities companies. The U.K.’s approach has therefore seen the tougher standards of NIS leach into its application of GDPR for these businesses.
Payments, though part of critical infrastructure, have an exemption from these requirements, but only on the basis that stronger sector-specific security standards for these companies already exist—in this case, those under PSD2.
The end result is that with the advent of GDPR, all organizations must be able to authenticate customers for the purposes of subject access requests and explicit consent; critical national infrastructure, meanwhile, will have to go further under the NIS rules and employ stronger standards. However, there are financial services companies exempt from NIS because they are subject to even stronger standards under PSD2. But if “best practice” for financial services is required for transactions above 30, surely access to other data, such as medical records or our online profiles, should be at least as well-protected.
It all adds up to a considerable workload facing financial services businesses come May. Many are still getting to grips with the requirements of PSD2, but if security standards, such as the forthcoming British Standard, can have wider application, then there will be additional business opportunities for those organizations that best meet this challenge. Identity as a service could truly come of age in 2018.