On 25 May 2018, a two-year implementation period for the biggest shake-up in privacy law in the EU will commence. Anna Milne and Saad Ahmed look at the main points.
The upcoming General Data Protection Regulation (GDPR) will require customers to be made fully aware, in a clear, concise and transparent fashion, of how their personal data will be used, and by whom.
Customers will need to provide explicit consent for the usage of their transaction data.
Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) will not be able to use data captured during payment transaction processes to enhance their business models.
All processing must comply with six general principles, and must satisfy a processing condition. These principles and processing conditions are similar to those in the Data Protection Directive, but there are some significant changes.
Consumers will have the right to:
- Revoke consent at any time
- Know what data an organisation uses, and to have their information erased
Those processing personal data do so as a controller or a processor. A processor only acts on the instructions of a controller.
The concept of sensitive personal data has been retained and expanded to include genetic and biometric data. It will also become much harder to process information about criminal offences in some EU member states. Controllers must comply – and demonstrate compliance – with the six general principles.
Significant new rights, such as the right to be forgotten and the right to data portability, must also be factored into companies’ data-management strategies.
SIX GENERAL PRINCIPLES
A controller must ensure the processing of personal data complies with all six of the following general principles:
- Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, with exceptions for public interest, scientific, historical or statistical purposes.
- Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy. Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted.
- Storage limitation. Personal data should be kept in an identifiable format for no longer than is necessary, with exceptions for public interest, scientific, historical or statistical purposes.
- Integrity and confidentiality. Personal data should be kept secure.