In a response (4-page / 224KB PDF) to a Treasury consultation on the implementation of the revised EU Payment Services Directive (PSD2) in the UK, the ICO urged firms involved in facilitating open banking to engage with it on the project, and highlighted the potential open banking has for aiding compliance with the General Data Protection Regulation (GDPR).
“We encourage industry to maintain an open dialogue as it designs and implements an open API standard,” the ICO said. “The information commissioner views open banking as a key way in which individuals’ rights to data portability under article 20 of GDPR may be given practical effect, and it should therefore help financial institutions meet their data portability obligations.”
Under the GDPR, data controllers must make the personal data they possess available to consumers in “a structured, commonly used and machine-readable format” so that those consumers can share that data with rival companies “without hindrance”, and must provide that data directly to other businesses at the request of consumers where it is “technically feasible”.
Those data portability obligations only apply to data controllers that process personal data based on customer consent or to perform a contract involving the data subject and if the processing takes place by “automated means”.
The data portability obligations will apply from 25 May 2018 when the GDPR takes effect. However, banks and other businesses in the payments market face further new regulation under PSD2 and the UK’s open banking initiative. Open APIs are seen as an enabler of both open banking and the PSD2 reforms.
The Competition and Markets Authority (CMA) has mandated the establishment of new standards that will allow businesses and consumers to share their own transaction data from their current accounts with other banks and third parties and to manage multiple providers through a single app.
Under PSD2, banks and other PSPs will be obliged to enable access to their accounts by third parties acting on the request of customers. The move is aimed at supporting the growth of payment initiation service providers (PISPs) and account information service providers (AISPs) – such as businesses that allow customers to access information from their payment accounts in one place – which have emerged into the payments market in recent years as technology has advanced.
In its consultation response, the ICO referred to the data security obligations that businesses in the payments market will have under PSD2, including the regulatory technical standards on strong customer authentication and secure communication which have been developed by the European Banking Authority (EBA).
National laws implementing PSD2 will come into effect from 13 January 2018. However, certain provisions on security, and the standards on strong customer authentication and secure communication, will not apply until the autumn of 2018. The ICO reminded firms in the payments market, though, that they will still face obligations on data security during the transitional period before the PSD2 security measures and standards on strong customer authentication and secure communication take effect.
“Both the DPA (UK Data Protection Act) and GDPR require organisations to take appropriate technical and organisational measures to protect the security and integrity of any personal data that they process,” the ICO said. “Payment service providers therefore need to ensure that they have adequate systems in place to protect the security and integrity of the personal data they process as soon as they begin processing this data.”
“We would agree that as the draft RTS (regulatory technology standard) is now available, systems and procedures should be designed in line with the RTS wherever possible in order to ensure minimal disruption when the RTS eventually comes into force. We are keen to ensure that the provisions of PSD2 are implemented in a way that is harmonious with, and complements, data protection requirements. To this end, we will continue to engage with HM Treasury, the Financial Conduct Authority, industry bodies and other relevant stakeholders about this matter,” it said.
The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016, which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next ten months, several European Union and United States law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.
Part 1 of this GDPR Series is brought to you by FIDAL, a French law firm. Subsequent blog entries in this series will be brought to you by the law firms of Mills & Reeve, Graf von Westphalen (Germany) and VanBenthem & Keulen (Netherlands) as well as Robinson & Cole (United States).
GDPR Effective Date & Geographical Scope of Application
The GDPR will apply as of 25 May 2018. It provides a single set of innovative rules directly applicable in the entire European Union (EU), without the need for national implementing measures – which means that any personal data processing ongoing at this date must comply with the GDPR. This leaves one year for companies to ensure compliance.
The GDPR provides for a scope of application wider than processing undertaken in EU countries. It will also apply to data controllers or subcontractors not established within the EU, but which process data with the aim of providing goods and services to EU residents or monitoring EU residents’ behaviour.
Several steps should be taken by businesses in order to achieve compliance with provisions of the GDPR:
- Changes to internal processes to comply with the accountability rules
In order to effectively manage personal data protection within your business, an individual should be nominated to take charge of informing and advising the business, as well as organising its personal data processing activities. For many organisations, it will make sense to appoint a Data Protection Officer or "DPO" as of now in order to assess compliance as soon as possible, even outside the three mandatory legal circumstances imposed by the GDPR (public bodies, large-scale monitoring, large-scale processing of criminal convictions, etc.). In any event, an audit of the personal data held and the processing undertaken makes sense.
The nominated person can then map data processing within the business and build a record of all ongoing data processing. On the basis of this information, a list of necessary actions can be prepared and prioritized in the light of risks to data subjects’ rights.
In practical terms, the principle of accountability means that businesses must track and document their compliance with data protection rules and keep these records available to respond to an inspection by state authorities.
- Promoting a risk-based approach
If any processing is identified as carrying a high risk to data subjects’ rights, the business should then conduct a Privacy Impact Assessment (PIA).
In addition, internal processes should be developed in order to respond to events likely to trigger the controller’s liability, such as security breach, requests to access or rectify data, update of processed data, change of subcontractor, etc.
Data protection safeguards shall be built into products and services from the earliest stage of development ("Privacy by Design"), making use of techniques such as pseudonymisation and encryption.
- Data transfers
Data transfers outside the EU are subject to EU law for any subsequent processing and transfer. Standard Contractual Clauses, Binding Corporate Rules and the Privacy Shield scheme may still be used for transfers outside the EU.
- Agreements between data controllers and their subcontractors
Data controllers’ agreements with their subcontractors will have to incorporate new mandatory elements set out by the GDPR. Existing long-term agreements may need to be redrafted. Subcontractors will now have their own direct obligations in certain key areas such as record-keeping and security, separately from the obligations on data controllers.
- A single data protection authority
In future, businesses will deal with one single supervisory authority in the EU country in which they are mainly based, rather than having to engage with authorities in all relevant countries. The lead authority will then work with other national data protection authorities to achieve an EU-wide approach.
- Negative impacts in case of a legal breach
Whereas the existing EU legislation (Directive 95/46/EC) leaves to Member States the task of determining and applying sanctions, the GDPR is more prescriptive. It provides for administrative fines to be imposed on data controllers and subcontractors. The amount of those fines can go up to the greater of 20 million Euros and 4% of annual global turnover.
In the event of a serious data breach, companies will have to inform the relevant data protection supervisory authority within tight timescales, as well as the data subjects themselves in the event of the most serious breaches.
The adoption of open banking could help payment service providers (PSPs) meet their obligations under new EU data protection laws, the UK’s Information Commissioner’s Office (ICO) has said.