Balancing PSD2 with GDPR

Europe’s Second Payment Services Directive (PSD2) is reshaping the banking sector. At the same time, the introduction of the General Data Protection Regulation (GDPR) has had a huge impact on how companies must protect personal data. As financial institutions work to comply with both pieces of legislation, how can they balance innovation with protection? There are five key action points for financial institutions to consider:

  1. Be cautious with automation – GDPR prohibits profiling, meaning that full-blown automation can be risky, especially when it comes to significant decisions such as refusing a loan.
  2. Conduct data protection impact assessments – assessments should take place prior to the processing of financial data and serve to map the risks of processing data and define mitigating measures.
  3. Design data protection into new products/services – appropriate measures should be taken to achieve GDPR compliance and minimize the processing of data before products/services are launched.
  4. Be prepared to give consumers information about the use of their data – consumers have the right to know whether their information is being processed and, if so, to receive a copy. When designing products/services, financial institutions need to take this right into account so they can deliver the appropriate information when requested.
  5. Confirm the erasability of all consumer data – consumers have the right to ask for all personal data to be erased in a timely manner. When designing products/services, financial institutions need to take this right into account so they can comply if requested.