The General Data Protection Regulation (GDPR) presents significant challenges for banks: by next May, they need to know exactly what personal data they hold, what it is used for, and whether they have the appropriate consent from customers to process it. Complicating matters, the revised Payment Services Directive (PSD2) will also be live, and banks will have to share payment data (some of which will be personal) with third-party providers (TPPs) at the request of customers. GDPR and PSD2 agree in principle that customers own their data and should be free to choose who they share it with, but reconciling their respective requirements in practice will not be easy. Two issues are particularly thorny: determining who is responsible for obtaining consent from customers under PSD2 (banks or TPPs?), and determining what constitutes “sensitive payment data”. We recently published an article setting out these issues in more detail. Our view is that, if left unattended, these challenges have the potential to jeopardise the successful implementation of PSD2.
Later this year, the government will introduce the EU’s new General Data Protection Regulation into UK law as the Data Protection Bill, promising to tilt the balance of power over who controls personal data towards the consumer. The EU regulation comes into force in May 2018.