You may have heard of new regulations impacting data security, payments and banking, such as GDPR and PSD2, but what does it all really mean?
How will it impact your day-to-day business, why should you pay attention to the approaching deadlines and is there anything you need to do?
I specialise in GDPR and PSD2, and I know there’s a lack of clarity around what the new regulations mean particularly for small business owners in the European Union. Let’s cut through the legalese and get to the point. Here’s a little background on both.
GDPR is the acronym for the General Data Protection Regulation, which goes into effect on 25 May 2018.
It’s a big deal because it shakes up how personal data can be stored, which impacts virtually every UK business or entity across all verticals and industries. Its aim is to:
- strengthen and unify data protection for individuals within the EU, including those who export EU personal data outside of the EU
- give EU citizens and residents back control of their personal data
- simplify the regulatory environment for international businesses by unifying regulation within the EU.
Personal data means any information relating to a person, such as their name, home address, posts on social networking websites or a computer’s IP address.
PSD2 stands for the second Payments Service Directive, which comes into effect in January 2018. PSD2 impacts banks and financial service providers for the benefit of small business owners and their customers in that it aims to:
- improve decision making for businesses
- increase buying power for small businesses
- reduce instances of failed payment
- increase competition among financial service providers, which means lower costs of banking services for small business owners.
As mentioned in the definition, this is the second directive aimed at payment service security. PSD1 went into effect 1 November 2009. PSD2 covers new services related to payments that aren’t adequately covered by PSD1, such as online payments and online account information services. I’ll spell out exactly how the PSD2 changes create those benefits later.
GDPR and PSD2: 10 key questions
Here are the top 10 things I’m asked about GDPR and PSD2 and the answers in the simplest terms.
1. Does my business have to become “GDPR certified”?
No. The GDPR doesn’t specify or mandate a particular certification system but it does encourage voluntary certification via a compliant industry organisation that has been authorised by the relevant supervisory authorities, such as the Information Commissioner’s Office (ICO) in the UK.
2. What are the consequences of breaching the GDPR?
Your business might be fined up to 4% of annual global turnover or €20m, whichever is the greater. Notably, it’s possible to breach the GDPR outside of having an actual data loss.
3. Does GDPR apply to me if my business isn’t based in the EU?
The GDPR affects any business worldwide that processes the data of individuals in the EU. In fact, if you are offering goods or services to individuals in the EU or monitoring their behaviour, you will probably need to employ a representative within the EU to handle GDPR enquiries.
Additionally, you must let the supervisory authority know in writing who this representative is. Many third parties already specialise in providing this representation and can be found online. At the very least, you should check whether this requirement applies to your business.
4. How does GDPR change the way I handle personal data?
How GDPR impacts you depends on your role in handling personal data:
- Processor – a person or entity generating personal data, i.e. a bank or payments processor
- Controller – a person or entity who uses or manages personal data, such as a small business owner who would use personal customer information to track a transaction.
As a controller, you must be able to provide consent from your customers stating they agree with how you intend to process and use the personal data.
5. How much will GDPR cost me?
Expenses for an average business are likely to include some if not all of the following:
- An ICO registration fee, payable by organisations that process personal data; this will be based on size and turnover, and will also consider the amount of personal data processed
- Audits of all processes in all departments, ideally by a qualified individual or business
- Modifications such as staff retraining and information technology adaptations
- Potentially appointing and training a data protection officer
- Setting up and maintaining continual documentation processes demonstrating compliance with the GDPR
- Voluntary certification costs, especially if your business processes data on behalf of other companies
6. How does PSD2 impact my day-to-day?
The PSD2 directive calls for financial service providers to improve the overall experience for their customers. This has spawned a dash among financial service providers to partner with technology leaders and start-ups to develop and introduce next-level solutions.
For small and medium-sized enterprises (SMEs), this means a new wave of product offerings that eliminate common barriers to accounting, payments and banking – a new era in admin.
You’ll start to see more integrated solutions, meaning end-to-end platforms for managing money in, out and around your business. Banks will be required to pair with other financial service providers to offer streamlined services with direct access to bank feeds.
Instead of having to juggle multiple passwords between your online bank account, merchant services account and accounting software, you can access all three on one platform with real-time updates from your bank account. It’s the most thorough financial view the market has seen in decades.
7. Will PSD2 impact how I process payments?
Possibly, if you opt to offer one of the emerging instant payment methods. The integration wave has spawned new payment methods such as digital direct debit and paying directly from an e-invoice, both of which automatically draft the approved funds from your customers’ accounts and reconcile the transaction into your bank account.
8. How will PSD2 affect my business’s personal data?
Should you start a new payments and banking service with a third-party provider, your bank must give them access to your personal data.
For example, if you start an automated savings account through the new (and hypothetical) PiggyBank app to have funds drafted from your bank account to a separate, cloud-based savings account, you’ll need to explicitly give the PiggyBank app the permission to access your bank account details.
Third-party financial services will include this consent as part of the starting process.
This also means tighter restrictions on how third-party service providers access, process and retain the personal data required for their service, which they may do only with your express consent.
This is driving new players in the financial services industry to develop cutting-edge security barriers to earn your trust over traditional banks.
9. What are the security requirements for third-party payment service providers to validate customer authentication?
PSD2 sets out that strong customer authentication requires payment account providers (issuers) to authenticate by combining two out of the three following elements:
- Something you are (eg fingerprint)
- Something you have (eg plastic card, or token generator)
- Something you know (eg PIN/password).
If you use mobile devices to access mobile banking, you’ll have noticed that early adopters have added fingerprint security and token generators to get you into your accounts more quickly and more securely. This will now be a requirement for all providers.
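To make the two-out-of-three rule concrete, here is an added Python example (not from the original article) that models how an issuer might evaluate an authentication attempt: only factors that were actually verified count, and they must come from two different categories, so a PIN plus a password, or a fingerprint scan that failed, does not satisfy the check. The factor names and sample attempts are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three SCA element categories named in the text."""
    INHERENCE = "something you are"    # e.g. fingerprint
    POSSESSION = "something you have"  # e.g. plastic card, token generator
    KNOWLEDGE = "something you know"   # e.g. PIN or password


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    verified: bool  # only a factor the issuer actually checked can count


def verified_categories(factors):
    """Distinct categories among the factors that were successfully verified."""
    return {f.category for f in factors if f.verified}


def meets_sca(factors):
    """True when at least two different categories were verified.

    Two factors from one category (PIN plus password) are not SCA, and a
    factor that was presented but failed verification does not count.
    """
    return len(verified_categories(factors)) >= 2


def explain(factors):
    """One-line verdict suitable for an audit log entry."""
    cats = verified_categories(factors)
    missing = [c.value for c in Category if c not in cats]
    verdict = "SCA satisfied" if len(cats) >= 2 else "SCA NOT satisfied"
    return f"{verdict}: verified {sorted(c.value for c in cats)}; unused {missing}"


# Constructed sample attempts (not from the original article).
PIN_PLUS_PASSWORD = [Factor("password", Category.KNOWLEDGE, True),
                     Factor("pin", Category.KNOWLEDGE, True)]  # same category
PASSWORD_PLUS_TOKEN = [Factor("password", Category.KNOWLEDGE, True),
                       Factor("token code", Category.POSSESSION, True)]
FAILED_FINGERPRINT = [Factor("password", Category.KNOWLEDGE, True),
                      Factor("fingerprint", Category.INHERENCE, False)]  # not verified

if __name__ == "__main__":
    for attempt in (PIN_PLUS_PASSWORD, PASSWORD_PLUS_TOKEN, FAILED_FINGERPRINT):
        print(explain(attempt))
```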
10. How will I know what new services are available?
You may already notice financial service providers and banks are starting to offer new and improved services and new players entering into the market.