- Posted by Graham Dockrill
- On May 26, 2017
- data protection, EU, GDPR, legislation, PSD2, tech, uk
The European Union (EU) is a prolific producer of legislation. It is recognised globally as a leader in the technology sector for its proactive stance and enforcement of IT law. Two imminent EU policies are set to significantly impact the tech sector. They are General Data Protection Regulation (GDPR) and Revised Payment Service Directive (PSD2).
These policies present significant opportunities for companies offering solutions that meet the legislation head on. No EU commentary can be complete without acknowledging that Brexit will of course have an impact on the UK. It’s too early to define the complications that Brexit will bring to the regulations below; however, anecdotal conversations with ministerial representatives suggest that the new reforms are good for business and will be adhered to.
General Data Protection Regulation (GDPR)
GDPR is a regulation that was adopted in April 2016 and applies from 25 May 2018. Through this regulation, the EU intends to strengthen and unify data protection within its boundaries, as well as addressing the export of personal data outside the EU.
GDPR is a significant and important piece of law. The GDPR firmly places the burden of responsibility for privacy protection on the content holder. The new legislation lays down strict rules on how companies store, process and manage EU citizens’ personal data. The GDPR applies to processing carried out by organisations operating within the EU. Just as importantly, it also applies to organisations outside the EU that offer goods or services to individuals in the EU (including New Zealand companies). The UK’s decision to leave the EU will not affect the commencement of the GDPR.
GDPR will have an impact on all businesses that handle even reasonably small amounts of personal data. It will have considerable and far-reaching implications for ‘data intensive’ businesses of all sizes. These include many tech firms, from start-ups to the largest global brands.
All organisations, regardless of size and complexity, will need to comply with GDPR, and all will be exposed to the same process and penalties should they be found to be in breach. There are significant issues and consequences that you need to be aware of as a business. These also create opportunities for emerging companies.
The new rules mean that businesses that gather users’ data for a specific purpose will not be allowed to transfer or share the data for a different purpose without the user’s explicit consent. Businesses will be required to seek consent more often from consumers. This could inhibit the ability of businesses to innovate with existing data without finding creative solutions.
A very significant change is that data controllers and processors will be jointly liable for any breach of the regulation. Secondly, the rules around ‘legitimate interest’ will be tightened, restricting the situations in which companies can rely on it, as many have hitherto, to lawfully process data. All companies will be expected to notify consumers and authorities of data breaches within 72 hours of discovery; otherwise significant fines will be imposed.
Data protection officers
Large firms or SMEs processing large volumes of data will be required to appoint a data protection officer who will be expected to have expert knowledge of data protection law and practices. It is worth noting that there are some exceptions for SMEs. SMEs will be exempt from some of the policy’s obligations such as having to carry out an impact assessment on their data processing activities.
PSD2 (Revised Payment Service Directive)
This second piece of legislation is less draconian than GDPR. It opens up considerably more opportunity for innovation and collaboration. PSD2 is the second Payment Services Directive, designed by the countries of the EU. The payments industry will be revolutionised by PSD2, affecting everything from the way we pay online to what information we see when making a payment.
Acclimatising to the new requirements will result in massive industry investment, and while not all players are happy, the outcome is good news for consumers. PSD2 was first brought in at a European level in 2015. The EU’s Payments Services Directive 2 (PSD2) comes into effect in January 2018 and will be implemented across the European Economic Association (EEA) region, in line with GDPR.
PSD2’s main goal is to create a more uniform, transparent and open EU payment market that ensures innovation, competition and security remain at the forefront. Consequently, the European Commission hopes that PSD2 will increase competition, consumer choice and innovation in the financial services and banking sector. Over time, the aim is that this will pave the way for a simplified payments region, known as the Single Euro Payments Area (SEPA).
Pivotal to this innovation, PSD2 requires financial institutions to make customer data available to third parties, enabling customers to construct hybrid services from a variety of providers. PSD2 enables bank customers (both consumers and businesses) to use third party providers to manage their finances. Again, it’s worth noting that the impact of Brexit on the UK’s banking and financial services sector is unclear, because it depends on the UK’s future membership of the EEA and therefore on whether the UK industry will be expected to comply with PSD2.