GDPR & PSD2 compliance – what is it?

In today’s digital world, where data has become an integral part of our lives, protecting personal information and ensuring the security of financial transactions are becoming increasingly important. For this, two key regulatory standards were introduced in the European Union – the General Data Protection Regulation (GDPR) and the Payment Services Directive 2 (PSD2). In this article, we’ll look at the core principles of the GDPR and PSD2, as well as their goals.
What is GDPR?
The GDPR, or the General Data Protection Regulation (Regulation (EU) 2016/679), is a European Union statute that protects the rights and freedoms of natural persons with regard to the processing and transfer of their personal data. It was adopted in April 2016, became applicable on 25 May 2018 and replaced the previous Data Protection Directive 95/46/EC. The main purpose of the GDPR is to give individuals control over their personal data and to harmonise data protection rules across the EU.
The core principles of the GDPR include:
- Lawfulness, consent and transparency: personal data may only be processed on a valid legal basis (consent is one of six; others include contract, legal obligation and legitimate interest). Where consent is relied on it must be freely given, specific and informed, and the data subject must be told the purposes and means of processing.
- Right of access and rectification: individuals are guaranteed the right to obtain a copy of their personal data and to have inaccurate data corrected.
- Right to erasure: the obligation to delete personal data when they are no longer needed for the purposes for which they were collected, when consent is withdrawn, or when the processing is otherwise unlawful.
- Security of processing: the requirement to implement appropriate technical and organisational measures (for example pseudonymisation, encryption, access control) to protect personal data from unauthorised access, disclosure, alteration and loss.
- Breach notification: the obligation to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and to inform affected individuals when the breach is likely to result in a high risk to their rights and freedoms.
What is PSD2?
PSD2, or the Second Payment Services Directive (Directive (EU) 2015/2366), is the European Union directive that governs payment services and opened the market to new fintech players. The main goals of PSD2 are to improve the security of electronic payments, to reduce fraud, and to create a competitive environment for payment services that promotes innovation and a better consumer experience.
The core principles of PSD2 include:
- Open access to account data: PSD2 requires banks to let authorised third-party providers (account information service providers and payment initiation service providers) access a customer's account data and initiate payments on the customer's behalf, but only with the customer's explicit consent and through a secure interface such as an API. Access is not public; providers must be licensed by a national competent authority.
- Strong Customer Authentication (SCA): for electronic payments and remote account access, PSD2 requires authentication based on at least two independent elements from the categories knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is). For remote payments the authentication code must also be dynamically linked to the amount and the payee, so that changing either invalidates the code.
- No unjustified denial of access: a bank may only refuse an authorised third-party provider access to a customer's account for objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access, and must report such refusals to its regulator.
- Privacy protection: PSD2 refers back to the GDPR for the processing of personal data. Third-party providers may only access and use the data necessary to perform the service the customer has requested, and only with the customer's explicit consent.
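To make the SCA principle concrete, the following is an added example (not code from the original article or from any regulator or bank) that checks whether presented authentication elements cover two independent categories, computes a dynamically linked authentication code over the amount and payee, and applies a simplified form of the low-value exemption from the Regulatory Technical Standards on SCA. The factor names, the HMAC construction and the stored key are illustrative assumptions; a real implementation would bind the code to a device-held key and enforce the exemption limits against a persisted counter.

```python
"""Illustrative PSD2 Strong Customer Authentication helpers (added example).

Assumptions (not from the article): factor names, the HMAC-SHA256 dynamic
linking scheme and the shared key are hypothetical; amounts are in euro cents.
"""
import hashlib
import hmac

KNOWLEDGE = "knowledge"
POSSESSION = "possession"
INHERENCE = "inherence"

# Hypothetical mapping of authentication elements to the three RTS categories.
FACTOR_CATEGORY = {
    "password": KNOWLEDGE,
    "pin": KNOWLEDGE,
    "registered_device": POSSESSION,
    "hardware_token": POSSESSION,
    "fingerprint": INHERENCE,
    "face": INHERENCE,
}


def sca_satisfied(presented_factors):
    """True if the presented elements span at least two distinct categories.

    Two elements from the same category (e.g. password + PIN) do not count as
    strong authentication, because the breach of one does not leave the other
    independent.
    """
    categories = set()
    for factor in presented_factors:
        if factor not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authentication element: {factor}")
        categories.add(FACTOR_CATEGORY[factor])
    return len(categories) >= 2


def authentication_code(key: bytes, amount_cents: int, payee: str) -> str:
    """Dynamically linked code: an HMAC over the amount and payee.

    Because the payer-visible amount and payee are part of the MAC input, a
    code issued for one transaction cannot be replayed for a modified one.
    """
    message = f"{amount_cents}|{payee}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_payment(key: bytes, code: str, amount_cents: int, payee: str) -> bool:
    """Recompute the linked code for the transaction as actually submitted."""
    expected = authentication_code(key, amount_cents, payee)
    return hmac.compare_digest(code, expected)


def low_value_exemption(amount_cents: int, cumulative_since_sca_cents: int,
                        count_since_sca: int) -> bool:
    """Simplified RTS low-value remote payment exemption.

    A remote electronic payment may skip SCA when it is at most EUR 30 and,
    since the last SCA, the cumulative amount stays within EUR 100 and fewer
    than five consecutive transactions have been exempted.
    """
    if amount_cents > 30_00:
        return False
    if cumulative_since_sca_cents + amount_cents > 100_00:
        return False
    return count_since_sca < 5


if __name__ == "__main__":
    key = b"demo-device-bound-key"          # constructed for the example
    code = authentication_code(key, 12_345, "DE89370400440532013000")
    print("SCA ok:", sca_satisfied(["password", "registered_device"]))
    print("same txn verifies:", verify_payment(key, code, 12_345, "DE89370400440532013000"))
    print("tampered amount verifies:", verify_payment(key, code, 99_999, "DE89370400440532013000"))
```

Running the script shows a valid second-factor combination passing, the original transaction verifying, and the same code failing once the amount is changed, which is exactly the property dynamic linking is meant to provide.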
In conclusion, GDPR and PSD2 are two important European Union regulatory standards. GDPR protects privacy and citizens’ rights to transparency and control, while PSD2 promotes secure and innovative payment services. Compliance with these standards is necessary for companies operating in the European Union to ensure the protection of customer data and compliance with payment security requirements. Companies that are responsible and attentive to these standards will be at the forefront of safety and competitiveness, and will also build the trust of their customers and strengthen their reputation.
Consequences of non-compliance with the GDPR:
- Penalties: Violating the GDPR can result in significant financial penalties. In the event of a serious breach, data protection authorities can impose fines of up to 4% of a company’s global annual turnover or up to €20 million, whichever is greater.
- Reputational damage: Violating the GDPR can seriously damage a company’s reputation in the eyes of customers, partners, and the public. Leakage of personal data of customers or insecure processing of information can lead to loss of trust and deterioration of customer relationships.
- Loss of business: In some cases, especially in cases of major violations of the GDPR, a company may be forced to cease operations or restrict certain operations, which can lead to serious financial losses and loss of market share.
Examples of real cases of GDPR and PSD2 violations:
- Facebook: In 2018 it emerged that the data of millions of Facebook users had been harvested by Cambridge Analytica and used for political profiling without their consent. Because the conduct predated the GDPR, the UK Information Commissioner's Office fined Facebook the then-maximum £500,000 under the Data Protection Act 1998. The separate $5 billion penalty imposed by the US Federal Trade Commission in 2019 was for breaching a US consent order, not the GDPR.
- British Airways: In 2018 British Airways suffered a cyberattack in which payment and personal data of roughly 430,000 customers were skimmed from its website and app. The Information Commissioner's Office announced an intended fine of £183 million in 2019 and, in October 2020, imposed a final fine of £20 million under the GDPR for inadequate security measures.
- Uber: Uber disclosed in 2017 that a 2016 breach had exposed the data of 57 million users and drivers, and that it had concealed the incident rather than notifying regulators. As the breach predated the GDPR, the UK Information Commissioner's Office fined Uber £385,000 under the Data Protection Act 1998 and the Dutch data protection authority fined it €600,000. Under the GDPR the same conduct would now also breach the 72-hour notification requirement.
- PSD2 enforcement: unlike the GDPR, PSD2 is enforced by national financial supervisors (the Financial Conduct Authority in the UK and the national competent authority in each EU member state), not by data protection authorities. Sanctions for failing to meet SCA or access-to-account obligations range from fines and remediation orders to withdrawal of a payment institution's authorisation.
These examples highlight the serious consequences for companies that do not comply with the GDPR and PSD2. In addition to financial penalties, they face loss of customer confidence, reputational damage and possible loss of business. Therefore, strict adherence to these regulatory requirements is necessary to prevent such negative consequences and ensure the safety and trust of customers.
Benefits of Using Legal Services to Ensure GDPR and PSD2 Compliance
Legal support plays an important role in helping companies achieve GDPR and PSD2 compliance. Here are some of the benefits that a company can get by using legal services:
- Deep understanding of requirements: Legal experts have deep knowledge and understanding of GDPR and PSD2. They can analyze business processes and determine what requirements must be met and how to properly implement them within the company. Legal support will help the company develop a compliance strategy and implement the necessary policies and procedures.
- Policy and Procedure Development: Lawyers can help companies develop and implement policies and procedures that comply with GDPR and PSD2 requirements. This may include data processing policies, data breach notification procedures, privacy policies, and security and access control measures. Legal support will ensure that these policies and procedures are legally sound.
- Audit support and risk analysis: Lawyers can conduct audits and risk analyses of data processing and payment services in order to identify weaknesses and recommend appropriate remedial actions. This helps the company prevent violations of the GDPR and PSD2 and improve its level of security and data protection.
- Employee training and awareness: Legal support can provide training to company employees on GDPR and PSD2 requirements, as well as the principles of secure data processing and payment transactions. This raises employee awareness and reduces the risk of breaches caused by mishandling of data.
- Incident management: In the event of a data breach or other incident, legal support can provide expert guidance on incident management, including notifying regulators and customers within the statutory deadlines, assisting with investigations and developing measures to prevent a recurrence. Legal support helps the company minimise legal risk and meet its legal obligations.
- Reduced risk and improved reputation: GDPR and PSD2 compliance with legal support helps a company reduce the risk of data breaches and payment fraud. This increases the confidence of customers, partners and regulators. A company that actively follows regulatory requirements demonstrates its responsibility and its commitment to protecting the rights and interests of its customers.
- Support for international expansion: The GDPR applies not only to companies established in the European Union but also to those outside it that offer goods or services to, or monitor the behaviour of, people in the EU; PSD2 applies to payment service providers operating in the EU and to their partners. Achieving compliance with legal support allows the company to expand its activities and conduct business in line with these requirements.
As a result, using legal services to ensure compliance with GDPR and PSD2 provides a company with a deep understanding of the requirements, assistance in developing policies and procedures, accompanying audits and risk analysis, employee training, incident management and risk mitigation, improving reputation and the possibility of international expansion. Legal support is an integral part of successfully complying with these regulatory requirements and ensuring the security of data and payment transactions.
For a detailed consultation and further calculation of the cost, terms and necessary documents, please contact White and Partners specialists by clicking on this link.