GDPR: how does it connect with PSD2? The 5 most important law changes and their consequences for banks.

The new law on personal data protection enters into force as early as May 25, 2018. The main purpose of the European Union’s General Data Protection Regulation is to protect the privacy and personal data of EU citizens in a world that is significantly different from the one in which the previous directive was established (1995). The key principles regarding data privacy are still in line with the older regulation. However, many of the changes aim to adjust the law to the digital reality we live in.

The regulation includes terms such as data minimization and pseudonymisation. New, detailed definitions are introduced, such as those of controlling and supervising bodies or the function of Personal Data Inspector. Many new obligations are imposed on the central authorities of the Member States, on entrepreneurs and on all entities that process personal data even to a minimal extent. In addition, the GDPR provides for high penalties for non-compliance. And the time left is short.

GDPR useful terms


  • Pseudonymisation – means processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information. Such additional information must be kept separately and covered by technical and organizational measures that prevent it from being assigned to an identifiable natural person. Pseudonymisation is a protective procedure recommended in the act. It allows processes such as the analysis of data sets (i.e. Big Data) while avoiding the combination of behavioural or geographical data with information about a specific person.
  • Data minimization – one of the rules for maintaining databases of personal data, which says that the data should be adequate and limited only to the purposes for which they are processed. In practice, it will not be possible to collect and process data for purposes other than those expressly authorized by the user. In addition, the storage time should be kept to a minimum. The individual administrator will decide how long the “minimum” lasts.
  • Privacy by design – the directive imposes the obligation to transform design processes on all entities that will, to any extent, process personal data. From now on, privacy and personal data protection issues should prevail and be a priority in all phases of product, service or system design. At the same time, third parties’ access to these data should be limited as much as possible. If we take this into account when implementing a public API in banking systems, the applied solution should (by design) allow external access only to the part of the data that is covered by the API call. Processing any other data of the person who uses the services of the calling and transferring entity, and who has given consent only for specific processing purposes, should not be possible.
  • The right to be forgotten – it is one of the new law’s most debatable issues. Is it possible to completely erase information about us from all existing systems and databases? Opinions are divided. According to the Act, the right to be forgotten entitles the data subject to request the deletion of their personal data by its administrator (e.g. a bank), to stop further dissemination and, consequently, to stop its processing by external entities (e.g. TPPs – Third Party Providers, i.e. providers of payment or other financial services that use the bank’s public API). In such a case, these entities are obliged to remove all traces of the information in question, including links, copies of the data or their replication. However, this cannot prevent the copying and re-sharing over the internet of information (including personal data) once it has been disclosed to the public by private users. This is a common phenomenon, for example, on the YouTube video service. There is even a theory summed up in the phrase “Once in the web, forever in the web”, expressing the view that anything entered into the network today will be there forever. Given the increasing capacity of global servers and distributed storage systems, it seems a plausible scenario. The conditions for the deletion of your data mainly cover data that is no longer relevant to the original processing purposes, or cases where the consent of the data subject has been withdrawn. Interestingly, when considering requests for deletion, a factor such as the “public interest” in the availability of the data will have to be taken into account. This may be subject to different interpretations at the national level.
  • The right to limit processing – it supplements the previous right and will allow individuals to reduce the processing of their data without the need to remove them completely, e.g. when certain processing methods are still needed by the user. The overriding “public interest” applies here too, so such data will not be deleted on demand in every case.
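The three technical terms above (pseudonymisation with separately stored linkage data, a privacy-by-design API that exposes only the fields covered by a consented call, and erasure on request) can be shown together in a small model. The following Python is an added illustration, not code from the original article or from any bank or API product; the customer records, the HMAC key, the scope names (`accounts:balance`, `profile:basic`) and the field sets are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Set

# Constructed sample records; names, e-mails and values are made up for this example.
CUSTOMERS: List[dict] = [
    {"customer_id": "C-1001", "name": "Anna Example", "email": "anna@example.test",
     "city": "Warszawa", "balance_eur": 1820.50, "logins_last_30d": 14},
    {"customer_id": "C-1002", "name": "Jan Example", "email": "jan@example.test",
     "city": "Krakow", "balance_eur": 95.00, "logins_last_30d": 2},
]

# Fields that directly identify a natural person and must not reach the analytics set.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")


class Pseudonymiser:
    """Keyed pseudonymisation.

    The HMAC key and the pseudonym -> identity table are the 'additional
    information' the regulation says must be stored separately: whoever holds
    only the pseudonymised rows cannot attribute them to a person.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key                      # lives in a separate key store in practice
        self._lookup: Dict[str, dict] = {}   # the separately kept linkage table

    def token_for(self, customer_id: str) -> str:
        # HMAC rather than a bare hash: short customer ids are trivially
        # enumerable, so an unkeyed hash could be reversed by guessing.
        return hmac.new(self._key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]

    def pseudonymise(self, record: dict) -> dict:
        token = self.token_for(record["customer_id"])
        self._lookup[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["pseudonym"] = token
        return out

    def reidentify(self, token: str) -> Optional[dict]:
        """Only the holder of the separate linkage table can link a pseudonym back."""
        return self._lookup.get(token)

    def erase(self, customer_id: str) -> bool:
        """Right to be forgotten: removing the linkage entry makes every
        pseudonymised row for this person unattributable. Returns False if
        there was nothing to erase."""
        return self._lookup.pop(self.token_for(customer_id), None) is not None


# Privacy by design for a public API: each (hypothetical) scope names the only
# fields a third party may read under that consent.
SCOPE_FIELDS: Dict[str, Set[str]] = {
    "accounts:balance": {"balance_eur"},
    "profile:basic": {"city"},
}


def api_response(record: dict, granted_scopes: Set[str], requested_scope: str) -> dict:
    """Return only the fields covered by the requested and consented scope.

    Fields outside the scope (name, e-mail, login statistics) never leave the
    bank even though they sit in the same record.
    """
    if requested_scope not in SCOPE_FIELDS:
        raise ValueError(f"unknown scope {requested_scope!r}")
    if requested_scope not in granted_scopes:
        raise PermissionError(f"no consent for {requested_scope!r}")
    allowed = SCOPE_FIELDS[requested_scope]
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    # Constructed key for the demo; a real deployment keeps it outside the data set.
    pseudo = Pseudonymiser(b"example-key-kept-in-a-separate-store")
    analytics_set = [pseudo.pseudonymise(r) for r in CUSTOMERS]
    print("analytics rows:", analytics_set)
    print("TPP with balance consent sees:",
          api_response(CUSTOMERS[0], {"accounts:balance"}, "accounts:balance"))
    pseudo.erase("C-1001")
    print("after erasure, row 0 resolves to:", pseudo.reidentify(analytics_set[0]["pseudonym"]))
```

The analytics set keeps the behavioural fields the first bullet wants to analyse, while the linkage table that turns a pseudonym back into a person is a separate object with its own access control. Erasing the linkage entry is what makes the remaining rows anonymous for the purposes of the right to be forgotten, and the scope filter is the "only the part of data covered by the API call" rule from the privacy-by-design bullet.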

GDPR: 5 most important law changes


  1. Increased territorial scope of personal data processing
    Expanded jurisdiction: GDPR will now apply to all entities that process personal data, regardless of their location, provided the personal data being processed concerns European Union citizens. In the previous version of the directive this was formulated ambiguously and referred to data processing in the context of the organization responsible for it, which was not always established in the EU. As a consequence, this led to frequent lawsuits over data breaches. The new rules introduced in GDPR will apply to the processing of personal data by EU entities, regardless of whether the processing takes place in the EU or not. GDPR will also cover the processing of personal data within the Union by an administrator or processor who is not established in the Union. This will be the case when the processing concerns goods or services offered to European citizens (regardless of whether payment is required) or the monitoring of their behaviour in the EU (e.g. through web analytics or industrial cameras). This may apply to advertising and marketing automation systems that track users’ behaviour and select advertising tools on that basis. Entities that process data even to this extent will have to establish representative offices in the European Union to meet the requirements of the Directive.
  2. GDPR brings high penalties for breaching the guidelines
    Enterprises that violate the provisions of the Act may be fined up to 4% of annual global turnover or EUR 20 million (whichever is higher). This is the maximum amount of the fine. It can be imposed in case of serious violations, e.g. for data processing without the user’s consent. The threat of a fine applies both to data controllers and to entities processing the data. Even “clouds” will not be exempt from the new regulations. In the next few months thousands of companies must update their internal regulations, train staff and introduce appropriate elements into the interfaces of their systems. GDPR particularly affects the e-commerce industry, where data acquisition and processing are an inseparable part of the purchase process. The new law affects the whole ecosystem of related services (including payment and credit). It will be obligatory to indicate exactly what the acquired information will be used for. Companies will not be allowed to use one user permission for many purposes. At the same time, GDPR removes (from some business entities) the obligation to report databases to local personal data protection offices. Importantly, companies that process this information on a mass scale, among them banks, will still have to report personal data sets. Other companies will have to keep, for control purposes, a so-called register of processing activities, describing how and for what purpose customer data is processed.
  3. Informed consent for data processing
    The conditions for granting consent have been strengthened in the law, and enterprises will no longer be able to apply long, illegible conditions written in small print somewhere at the bottom of a form. The request for consent to processing must be presented in a comprehensible and easily accessible form, with a clearly defined purpose for the processing attached to the consent. The consent must be clearly expressed through the user’s action (pre-ticked so-called consent boxes will not be allowed), distinguishable from other elements of the process (e.g. transactional ones) and presented in simple and understandable language. In addition, withdrawing consent must be as easy for the user as giving it. What does this mean for business? Among other things, it will be necessary to provide communication channels for the people whose data the company processes, and a way of responding quickly to requests for deletion of data or limitation of its processing.
  4. Notification of personal data breach
    Notification of a breach will become mandatory in all Member States where the breach may cause a “threat to the rights and freedoms of individuals”. The information must be communicated to the relevant authorities and to the persons whose data was breached within 72 hours from the moment the data controller learned of the breach (e.g. leakage or theft of data from its systems). Business entities that process personal data are also required to notify their clients and the control authorities “without undue delay” after learning about a breach of data security.
  5. The right to access to and transfer of personal data
    Part of the new, extended rights of EU citizens regarding their personal data is the right to obtain from the data controller confirmation that their personal data is being processed, where and for what purpose. In addition, the data administrator is required to provide free copies of the personal data in an electronic format. In terms of data transparency and the empowerment of the people whose data is concerned, this is a big evolution. The ability to transfer your data is no less important an aspect of the GDPR. The user will be able to request the transfer of their data, previously made available in a “commonly used and machine-readable format” (e.g. a publication on the Internet linked to the user’s account), and gains the right to transfer this data to another administrative entity.

Data Protection Inspectors: who are they going to be?


Currently, data controllers are required to report their processing activities to local audit bodies. In the case of international companies this is a bureaucratic nightmare! Most Member States have different requirements in this regard.
 
Under the new regulation, it will no longer be necessary to submit notification of the fact and scope of data processing to each local authority. Nor will it be required to obtain the approval of clauses in contracts each time. Instead, there will be internal requirements for data storage and related documentation. 
 
When administrators and other entities that process personal data on a large scale use regular and systematic monitoring of users as part of that processing, or process special categories of data or data on convictions and offences, they must appoint internal Data Protection Officers. This will concern, for example, large banks.
 
The inspector will be a link between the enterprise and the control bodies appointed at the local and central (EU) level. He (or she) will look after the proper protection of customers’ data in the organization and ensure that it is processed properly and securely, in accordance with the law.


Personal data administration tips


The personal data administrator should apply appropriate technical and organizational measures so that data processing takes place in accordance with the directive, and should be able to prove this at any request of the supervisory authorities. The administrator must take into account the nature, scope, context and purposes of data processing, as well as any risk to the rights or freedoms of the persons whose data is processed.

The administrator will document and report any breach of data integrity or security. As a confirmation of the application of appropriate protective measures, the administrator may use approved codes of conduct or official certification mechanisms. Internal codes will help clarify the application of the principles of the directive in specific situations and cases related to the activities of the organization. The certificates will be used to temporarily confirm the administrator’s ability to provide adequate data protection and are to be finally collected in the register of the European Data Protection Board together with quality marks (having a similar role).

The data administrator may also co-administer information with another entity on the basis of jointly developed arrangements and an agreed scope of responsibility. In such a case, these arrangements must be available to the persons whose data are subject to joint administration. A bank’s cooperation with an external solution provider for the processing of bank customers’ data, such as cloud computing, verification technologies or mailing systems, may serve as an example here.

The administrator should closely cooperate and conduct consultations with independently functioning control bodies, especially in cases of justified concerns about proper performance of duties resulting from the act. Breach of regulations will be associated with severe financial sanctions or limiting business activities, which the directive itself describes as “deterrent”.

Proper data protection is a must


The above list only touches the surface of this extremely important law. The fact that it was developed alongside the introduction of other important consumer directives (such as PSD2) proves that it is time to take personal data issues seriously. Personal data is one of the most valuable information resources today. Its inappropriate use may pose a threat not only to property but also to one’s health and life. The GDPR directive, like many other regulations coming into effect right now, is a response to the rapid transformation of the entire market. The GDPR is in fact the necessary legislation that protects the basic rights of the hyper-connected consumer and affects the correct implementation of other directives.

What will be the best attitude towards so many changes? Certainly one that uses the law update as an opportunity to improve existing imperfect systems and processes, and which takes care to pay double attention to recipients and their matters. In a word, surviving the regulatory wave can only be ensured with unwavering, strategic and enthusiastic client-centredness.