Sage Advice UK

What are GDPR and PSD2? 10 things businesses want to know

GDPR and PSD2 are coming - are you ready for them?

You may have heard of new regulations impacting data security, payments and banking, such as GDPR and PSD2, but what does it all really mean?

How will it impact your day-to-day business, why should you pay attention to the approaching deadlines and is there anything you need to do?

I specialise in GDPR and PSD2, and I know there’s a lack of clarity around what the new regulations mean particularly for small business owners in the European Union. Let’s cut through the legalese and get to the point. Here’s a little background on both.


GDPR is the acronym for the General Data Protection Regulation, which came into effect on 25 May 2018.

It’s a big deal because it shakes up how personal data can be stored, which impacts virtually every UK business or entity across all verticals and industries. Its aim is to:

Personal data means any information relating to a person, such as their name, home address, posts on social networking websites or a computer’s IP address.




PSD2 stands for the second Payment Services Directive, which came into effect in January 2018. PSD2 impacts banks and financial service providers for the benefit of small business owners and their customers in that it aims to:

As mentioned in the definition, this is the second directive aimed at payment service security. PSD1 went into effect 1 November 2009. PSD2 covers new services related to payments that aren’t adequately covered by PSD1, such as online payments and online account information services. I’ll spell out exactly how the PSD2 changes create those benefits later.

GDPR and PSD2: 10 key questions

Here are the top 10 things I’m asked about GDPR and PSD2 and the answers in the simplest terms.

1. Does my business have to become “GDPR certified”?

No. The GDPR doesn’t specify or mandate a particular certification system but it does encourage voluntary certification via a compliant industry organisation that has been authorised by the relevant supervisory authorities, such as the Information Commissioner’s Office (ICO) in the UK.

2. What are the consequences of breaching the GDPR?

Your business might be fined up to 4% of annual global turnover or €20m, whichever is the greater. Notably, it’s possible to breach the GDPR outside of having an actual data loss.

3. Does GDPR apply to me if my business isn’t based in the EU?

The GDPR affects any business worldwide that processes the data of individuals in the EU. In fact, if you are offering goods or services to individuals in the EU or monitoring their behaviour, you will probably need to employ a representative within the EU to handle GDPR enquiries.

Additionally, you must let the supervisory authority know in writing who this is. Many third parties already specialise in catering for this representation requirement and can be found online. At the very least, you might make enquiries to see if this is a requirement for your business.


4. How does GDPR change the way I handle personal data?

How GDPR impacts you depends on your role in handling personal data:

As a controller, you must be able to demonstrate that your customers have given consent to the way you intend to process and use their personal data.

5. How much will GDPR cost me?

Expenses for an average business are likely to include some if not all of the following:

6. How does PSD2 impact my day-to-day?

The PSD2 directive calls for financial service providers to improve the overall experience for their customers. This has spawned a dash among financial service providers to partner with technology leaders and start-ups to develop and introduce next-level solutions.

For small and medium-sized enterprises (SMEs), this means a new wave of product offerings that eliminate common barriers to accounting, payments and banking – a new era in admin.

You’ll start to see more integrated solutions, meaning end-to-end platforms for managing money in, out and around your business. Banks are required to pair with other financial service providers to offer streamlined services with direct access to bank feeds.

Instead of having to juggle multiple passwords between your online bank account, merchant services account and accounting software, you can access all three on one platform with real-time updates from your bank account. It’s the most thorough financial view the market has seen in decades.

7. Will PSD2 impact how I process payments?

Possibly, if you opt to offer one of the emerging instant payment methods. The integration wave has spawned new payment methods such as direct debit and paying directly from an e-invoice, both of which automatically draw the approved funds from your customers’ accounts and automatically reconcile the transaction into your bank account.

8. How will PSD2 affect my business’s personal data?

Should you start a new payments and banking service with a third-party provider, your bank must give them access to your personal data.

For example, if you start an automated savings account through the new (and hypothetical) PiggyBank app to have funds drafted from your bank account to a separate, cloud-based savings account, you’ll need to explicitly give the PiggyBank app the permission to access your bank account details.

Third-party financial services will include this consent as part of the starting process.

This also means tighter restrictions on how third-party service providers access, process and retain the personal data required for their service, which they may do only with your express consent.

This is driving new players in the financial services industry to develop cutting-edge security barriers to earn your trust over traditional banks.

9. What are the security requirements for third-party payment service providers to validate customer authentication?

PSD2 sets out that strong customer authentication requires payment account providers (issuers) to authenticate by combining two out of the three following elements:

If you use mobile devices to access mobile banking, you’ll have noticed early adopters have added fingerprint security and token generators to get you to your accounts more quickly and more securely. This will now be a requirement for all providers.
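To show what the "two out of three" rule means in practice, here is an added example (not code from the article or from Sage) of a minimal SCA policy check. It assumes the three element categories PSD2 defines, knowledge, possession and inherence, and the factor names in the scenarios are constructed for illustration.

```python
"""Added example: a minimal PSD2-style strong customer authentication check.

PSD2 groups authentication elements into three categories: knowledge
(something only the user knows), possession (something only the user has)
and inherence (something the user is). SCA requires verified elements from
at least two *different* categories. Factor names below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # e.g. password, PIN
    POSSESSION = "possession"  # e.g. device-bound token generator
    INHERENCE = "inherence"    # e.g. fingerprint


@dataclass(frozen=True)
class Factor:
    name: str           # constructed label, e.g. "fingerprint"
    category: Category
    verified: bool      # did this individual check actually pass?


def categories_used(factors):
    """Distinct categories among the factors that were verified."""
    return sorted({f.category.value for f in factors if f.verified})


def sca_satisfied(factors):
    """True only when verified factors span two or more categories.

    Two factors from the same category (password + PIN) count as one
    element, and a factor that failed verification contributes nothing.
    """
    return len(categories_used(factors)) >= 2


# Constructed scenarios; the first mirrors the article's mobile-banking case.
FINGERPRINT_AND_TOKEN = (
    Factor("fingerprint", Category.INHERENCE, True),
    Factor("app token generator", Category.POSSESSION, True),
)
PASSWORD_AND_PIN = (
    Factor("password", Category.KNOWLEDGE, True),
    Factor("pin", Category.KNOWLEDGE, True),
)
PASSWORD_AND_FAILED_TOKEN = (
    Factor("password", Category.KNOWLEDGE, True),
    Factor("app token generator", Category.POSSESSION, False),
)
```

Only the first scenario passes: the other two present a single independent category, either because both factors are knowledge-based or because the second factor failed.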

10. How will I know what new services are available?

You may already notice financial service providers and banks starting to offer new and improved services, and new players entering the market.
