Jordi Gascón, EMEA Security Expert at CA Technologies 2018 is turning into a momentous year of regulatory change, with the introduction of PSD2 and GDPR. These regulations, backed by the European Union, are already having a profound impact on organisations’ processes and information systems, and will present a number of organisational and technological challenges on the journey to compliance.
But what is the motivation for these regulations that, at first, might even seem contradictory?
The European Union’s aim for PSD2 is “to improve the existing rules in the EU for electronic payments. It takes into account new and innovative payment services, such as internet and mobile payments.”
So while on one hand, PSD2 requires banks to open their systems and share their customer data with third parties that can offer innovative payment services, on the other hand, GDPR introduces new restrictions on the use of personal data of those same clients.
Although this seems contradictory, in practice it is not. Access to personal data will depend on three key factors: trust, context and consent. Control will ultimately always be in the hands of the consumer / citizen, who will decide what data they want to share and with whom.
For example, if I have to be away from home for a few hours, I may need to find someone to take care of my children. Who I ask for help will depend on several factors, but above all my decision will boil down to who I feel I can trust. And there will be different degrees of confidence: from the direct family, which is usually maximum confidence, to day care services. In the latter case, trust usually comes from the recommendations of those I trust the most, like family members, neighbours and friends.
Or take another example: the fact that a mobile application traces my location and sends information about my exact position, as a citizen, may seem beneficial to me in one case, but harmful in another, depending on the context. If I suffer a fall during a field trip and the application is able to send my coordinates to medical emergencies to send me help, it will be clearly beneficial.
These examples show that sharing personal data is neither bad nor good. Everything depends on a third factor: to do it with the right legal ground for processing, which in many occasions would be based on consent.
The GDPR regulation clearly describes in different articles (Recital 32, 42, 43 and articles 6, 7 and 8) that a person’s consent for the processing of personal data must be explicit and informed and specify how it should be collected.
Clearly these regulations are not contradictory, rather they complement each other and return to citizens the control of access to their personal data.
Trust, context and consent in the digital environment
The growing dependence on technology highlights the importance of properly managing the “digital identities” of consumers, especially with the new requirements to share information between different actors.
While these regulations seek to put the consumer in the centre, the nature of computer systems puts transactions at the heart. Therefore, to comply with these regulations, companies must adapt their processes and systems, and adopt an identity centric security model.
Technology can enable this shift. Identity management security solutions, advanced authentication based on context and risk, security and monitoring of programming interfaces used for data exchange (APIs), are just a few of the technologies that will support IT teams in ensuring that regulations are applied and implemented in the right way.
Deploying identity governance solutions will help businesses understand who can access what information and ensure that it is only available to the appropriate users. The control of privileged users will make it impossible for administrators or users with higher levels of access to the systems to abuse their access rights. Advanced authentication solutions will also help protect users by ensuring that, once their identity has been reliably proven, they can exercise their rights set in line these regulations and directives.