General Data Protection Regulation – scary monster or empty shell?

If you run a business or are part of one, it is very unlikely that you haven’t heard of one particular acronym, namely GDPR. As the title already reveals, GDPR stands for General Data Protection Regulation, the latest regulation adopted by the European Parliament in 2016 and enforceable throughout the EU from May 2018.

Why regulation on data protection?

As the economy becomes increasingly digitized, many companies hold highly sensitive customer personal information and also obtain information from various sources to study customer behaviour, all of which carries significant risk if the data is stolen and abused.

The regulation applies to everyone involved in processing data about individuals in the context of selling goods and services to citizens in the EU, regardless of whether the business organisation is located within the EU.

Also, as awareness of the value of analytical user data, artificial intelligence (AI) and machine learning has grown in recent years, and storage space has become more affordable, digital service providers are encouraged to collect more and more user data.

For example, in a recent (2017) study published in The Guardian, the mobile dating app Tinder, at a journalist’s insistent request, extracted 800 pages of that user’s data (from just 3.5 years of app usage). This is just to show the size and impact of the possible data risk if such an important business aspect is not regulated.

What does GDPR cover?

Basically, GDPR specifies how consumer data should be used and protected. To fully understand the regulation, you need to understand some of the terms: data subjects (the natural persons – customers – to whom the information relates), data controller (the entity that determines the purposes, conditions and means of the processing of personal data) and data processor (the entity which processes personal data on behalf of the controller).

GDPR covers 7 main areas:

  • Consent – all terms & conditions should be easy to understand, consumer friendly and with minimal legal jargon
  • Breach notification – in case of a data breach, data processors must notify their controllers and customers of any risk within 72 hours
  • Right to access – data subjects have the right to obtain an electronic copy of their personal data for free from the data controller
  • Right to be forgotten – when data is no longer relevant to its original purpose, data subjects can have the data controller erase their personal data and cease its dissemination
  • Data portability – allows data subjects to obtain and reuse their personal data for their own purposes by transferring it across different IT environments
  • Privacy by design – calls for the inclusion of data protection from the onset of designing systems, implementing appropriate technical and infrastructural measures
  • Data protection officers – professionally qualified officers must be appointed in public authorities, or in organizations that engage in large-scale (>250 employees) systematic monitoring or processing of sensitive personal data.

But the main reason there is so much fuss about GDPR is the financial penalty for non-compliance, which can go up to €20 million or 4% of global turnover (whichever is greater), something unseen before and which makes it the strictest data security framework in the world.

Certainly, many businesses will see GDPR as a significant restriction on commercial data use and possibly monetization, and undeniably as extra compliance spending. However, at the same time, this regulation strengthens customer trust and confidence, which may raise adoption of many digital services and thus (easily) compensate for the compliance cost.

GDPR seems like a logical and necessary step to legally safeguard data security rights in this highly digitized world. And while initially it may look like an unnecessary burden, in years to come it may easily turn out to be a necessary foundation for future services.

Strong authentication enforced by PSD2 – opportunity or conversion killer?

As everybody interested in payments and banking already knows, the EU Payment Services Directive, popularly PSD2, has stirred a lot of attention from many parties even before its enforcement, planned for next year (2018).

That is because it could transform the payments industry, affecting everything from the way we pay online to what information we see when making a payment. The purpose of the Directive is to increase competition in an already competitive payments industry, bring new types of payment services into scope, and enhance customer protection and security. Moreover, the idea is to improve the level playing field for payment service providers, to make payments safer and more secure, to protect consumers and to liberalize and encourage lower prices for payments. And all of this regulation applies to all electronic payments, not just online payments.

In practical terms this means banks will need to open up through a standardized interface (API) to so-called Payment Initiation Service Providers (PISPs), meaning that you will be able to make payments outside your bank’s mobile or Internet banking application, which traditionally was the exclusive and primary way. In effect you could have just one app from which you make payments from your multiple aggregated bank accounts.

So basically a new start-up company, as a new market player, could build a new advanced payments app that could become your one-stop payments and banking app, making your previously monopolized mobile banking app much more replaceable. But what about security, you may ask: can you trust your bank’s app or the new start-up’s app more? For this reason the European Banking Authority (EBA) published a detailed (final draft) document in February 2017 known as the Regulatory Technical Standards (RTS). More specifically, the RTS specifies Common and Secure Open Standards of Communication and, more importantly, Strong Customer Authentication (SCA), which third-party payment service providers must comply with to ensure that payments across the EU are secure, easy and efficient.

What does Strong Customer Authentication (SCA) specify?

SCA is in scope when the payer accesses its payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel which may imply a risk of payment fraud, except where exemptions apply. SCA is not enforced when the payee initiates the payment, as in the case of recurring (subscription) payments.

In order to understand SCA fully it is necessary to define the key parties involved:

  • Account Servicing Payment Service Provider (ASPSP) – the consumer’s bank, the current issuer,
  • Payment Initiation Service Provider (PISP) – initiates the payment process, the seller (merchant) or a PSP,
  • Account Information Service Provider (AISP) – consolidates the customer’s “cross-bank” data.

Now the question arises: on which side is authentication enforced? The answer is not straightforward, but by default it is the consumer’s bank, though the bank may also choose to put it on the PISP’s side.

Authentication always generates an authentication code, and the scheme requires at least two of the following three factors to be fulfilled:

  • something you know,
  • something you have and
  • something you are.

This means that plain username/password falls short right from the beginning.
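To make the two-of-three rule and the payee-initiated exemption concrete, here is an added example (not code from the original post or from the EBA RTS) that evaluates whether a set of presented credentials satisfies SCA for a given payment; the credential catalogue and the `initiated_by` values are constructed assumptions.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # phone soft token, payment card
    INHERENCE = "something you are"     # fingerprint, face


# Constructed catalogue (an assumption, not an EBA list) mapping presented
# credential types to SCA factor categories. "username" is an identifier,
# not a factor, so it is deliberately absent.
FACTOR_OF = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "soft_token_otp": Factor.POSSESSION,
    "card_present": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def sca_required(initiated_by: str) -> bool:
    """SCA applies to payer-initiated electronic payments; payee-initiated
    (e.g. recurring subscription) payments are outside its scope."""
    return initiated_by == "payer"


def distinct_factors(credentials) -> set:
    """Categories covered by the presented credentials; unknown types are ignored."""
    return {FACTOR_OF[c] for c in credentials if c in FACTOR_OF}


def sca_satisfied(credentials) -> bool:
    """Two-of-three rule: two credentials from the same category (e.g. password
    plus PIN) count as a single factor and do not satisfy SCA."""
    return len(distinct_factors(credentials)) >= 2


def authorise(initiated_by: str, credentials) -> bool:
    """Apply the scope/exemption check first, then the factor check."""
    if not sca_required(initiated_by):
        return True
    return sca_satisfied(credentials)
```

Note that the check counts categories, not credentials, so stacking two knowledge secrets does not pass, which is exactly why username/password alone fails.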

SCA – opportunity or payment conversion killer?

While the final RTS on Strong Customer Authentication (SCA) seems to cover a lot of ground, it ultimately leaves many questions unanswered. This means the actual implementation of payments may differ.

From the user’s standpoint this largely depends on the user experience (UX) a user will have, and aside from liberalization of the payments market, improving UX is the original intention of the Directive. From the bank’s standpoint, it depends on what level and method of authentication security the bank already has and how this can be translated to the SCA norm. And finally, from the PSP’s standpoint it all depends on how tight and seamless the integration with the bank will be.

For example, in a scenario where the bank already has a mobile soft token solution in place and this is nicely integrated with the other involved parties, this could lead to a really snappy and express payment with the user required to enter only a short PIN. In other scenarios, and there may be hundreds of combinations, things could be much less than ideal and much more cumbersome.

In the end, PSD2 and SCA are a nice direction for the future of payments, but their adoption and popularity will largely depend on the user and the experience. And this will, again, depend on implementation which, as of now, is still just a technical document and only in the coming year will become reality.