PSD-2 and GDPR: the struggle for personal data starts here

PSD-2 and GDPRThe financial sector must share data, and at the same time the authority of citizens and consumers over their own data is being reinforced. With the arrival of two new, complex sets of European legislation – PSD-2 and GDPR – digital society will become even more complex. The struggle for personal data – or should we call it a data market? – starts here.

Our economy and society have been radically ‘digitized’ over the last 20 years. We communicate, work, buy and pay increasingly online. This is why the European Union started modernizing the privacy legislation in 2012. The new General Data Protection Regulation (GDPR) will come into force in spring 2018. As data does not respect national borders, the EU will replace the current ‘Directive’ of 1995 for more stringent regulations. These new regulations apply to all organizations that manage or process data, whereby this data is related to the delivery of services or products in the EU. This also relates to the monitoring of behavior (such as following website visitors).


In order to be compliant with the new regulations, organizations must document their policy, execute assessments in the field of data protection and risks, and embed data protection in all activities. Organizations are obliged to appoint or temporarily employ a Data Protection Officer who will be responsible for compliancy monitoring related to these new regulations. Another consequence is that consumer rights are strengthened. For example, consumers – called ‘data subjects’ by the EU – must be able to grant and revoke permission to use their data easily. They also gain the right to know what personal data companies possess. They can even demand data and transfer it to another ‘data manager’ – a body that will be responsible for storage and management of these data. Also the ‘right to be forgotten’ is part of this new legislation.

Member states may (for the time being) independently determine what age limit (16 or 13 years of age) they use as a threshold for independent decisions on data. These are just a few examples from the exhaustive set of regulations of which the GDPR consists.

Consumers control their own data

The core of GDPR is that consumers take control over their own data. Companies must be transparent about what they do with which data, but it also implies the ability of ‘steering’: consumers gain a great deal of possibilities to take decisions about their own data. Organizations that fail to follow the rules can expect fines that can amount to as much as 4 percent of their total annual turnover. That also applies to organizations that process data for third parties, such as general and technical contact centers or mediators.

The payment services market will open further

PSD-2 and GDPRThe second set of rules and regulations has to deal with the financial market. The new Payment Service Directive 2 will be introduced almost simultaneously with the new European privacy legislation. With PSD-2, the EU also wants to respond to the digitization of society, but then on the basis of promoting innovation and competition in banking services. Although PSD-2 is geared primarily to financial transactions, it also relates to data. PSD-2 brings, as it were, a new order to banking services. A distinction is made between services based on payment accounts (currently the domain of banks) and payment services. Banks will have to share information from payment accounts with third parties (on the condition that the consumer has granted permission for this), and third parties may initiate online payment transactions with the permission of the account holder, whereby banks are obliged to make their infrastructure available for fees that have a statutory maximum per transaction.

Everything at once

On the one hand consumers (and thereby – subject to conditions – companies) gain authority over their personal data, while on the other hand the regulations on the possession and processing of data for companies are made much more stringent. This has major consequences – companies must take action in order to implement all of the new regulations. Their marketing organization will have to prepare for new circumstances in which the possession of customer data is no longer automatic. Businesses will have to accept that they are dealing with payment service providers from the Fintech sector. Companies are forced to communicate more with their customers on how they handle data and must even anticipate consumers ‘retrieving’ their own data. In the near future, these consumers will have to take decisions on their personal data more often.

An entire series of data start-ups has now been created that offer platforms to consumers to help with the management (or even marketing) of their own data, such as DIME and Schluss. Qiy is a system for the routing of data under the direction of individuals. The difference between DIME, Schluss and the Qiy system is that implementation based on the Qiy system create a link with personal data that continues to exist elsewhere, instead of this data being in a ‘locker’ on a platform.

Data = capital

It was already clear for some time that data is an important part of business capital (even if it, similarly to intellectual capital, seldom appears on the balance sheet). Organizations are now working hard on finding out how to handle the big data issue. A new issue has now been added to this. How do you convince customers that their data is in good hands with you – e-commerce player, banking service provider, social media platform, bank, or one of the Qiy, Schluss or DIME data providers? As summarized by Paul Weiss (Accenture): it is about trust. Are banks 0-1 behind in this regard, or is the challenge primarily for all other players?

The privacy advocates have already sharpened their knives. They now also find the Dutch Financial Authority AFM, which is scared of various issues, including misuse of payment data, on their side. Or does the greatest challenge lie in education, in order to make consumers aware of privacy?

Leave a Reply

Your email address will not be published. Required fields are marked *