One API for General Data Protection Regulation (GDPR) Data portability and PSD2 XS2A?
Authored by: Tadas Dobravolskis LL.M and Can Yilmaz LL.M
As financial services organizations look to gain not just efficiencies but economies of scale when dealing with overlapping global regulations, one area that offers an opportunity to address similar technical requirements with a single approach is the General Data Protection Regulation (GDPR) requirement for data portability together with the Payment Services Directive (PSD2) requirement that third parties be given access to accounts (frequently referred to as XS2A). Financial services organizations subject to both have been encouraged to use Application Programming Interface (API) technology to comply. In this article, we investigate whether a single API solution can enable compliance with both requirements.
GDPR: a new personal data regime in Europe
As of 25 May 2018, the new European rules on data privacy, formally known as the General Data Protection Regulation (GDPR), will apply across the European Union. The regulation is the successor of the 1995 Data Protection Directive and the result of a comprehensive reform of data protection rules by the EU which started in 2012.
The aim of GDPR is to harmonize European data protection laws, strengthen individuals’ rights, increase compliance obligations, and expand the enforcement powers of regulators. The result of this reform program is a new single European regulation, adopted on 27 April 2016, that, at least on paper, will do away with the existing fragmentation of data privacy laws. The regulation should also reduce costly administrative burdens in individual member states, resulting in estimated savings for businesses of around €2.3 billion a year.