The General Data Protection Regulation (GDPR) is considered one of the most rigorous privacy and security laws worldwide. But what does GDPR actually mean in simple terms? Here we take a look at its history, its key principles and its relationship with open banking.
What is GDPR?
The General Data Protection Regulation (GDPR) is a privacy and security law created and implemented by the European Union (EU). It applies to organisations anywhere in the world if they collect, or target, data relating to EU citizens.
Since it came into force in 2018, the GDPR has aimed to protect individuals' data privacy rights by requiring companies to handle personal information transparently and responsibly. Failure to comply can result in substantial fines, in some cases amounting to millions of euros.
History of Data Privacy in Europe
The right to privacy has long been a fundamental value in Europe, established in the European Convention on Human Rights. As technology advanced and the internet became an integral part of everyday life, the EU recognised the importance of implementing modern data protection measures.
Consequently, the European Data Protection Directive, the predecessor of GDPR, was introduced in 1995, establishing essential standards for data privacy and security. However, given the rapid digitalisation of services and the emergence of social media platforms, it became evident that a more comprehensive approach was necessary.
This led to the development and subsequent implementation of the GDPR. The regulation was passed by the European Parliament in 2016, and organisations were required to achieve GDPR compliance by 25 May 2018.
Key Principles of GDPR
GDPR is built on seven foundational principles, which together ensure that personal data is protected and that those who process it are held accountable.
- Lawfulness, fairness, and transparency: Data processing must be legitimate, equitable, and clear to the individual concerned.
- Purpose limitation: Data should only be processed for explicit, legitimate purposes communicated to the individual at the time of collection.
- Data minimisation: Only the data strictly necessary for the stated purpose should be collected and processed.
- Accuracy: Personal data must be kept accurate and up to date.
- Storage limitation: Personal data that identifies an individual should be kept only as long as required for its intended purpose.
- Integrity and confidentiality: Data processing must guarantee the security, integrity and confidentiality of the data, using measures such as encryption.
- Accountability: The data controller is responsible for demonstrating compliance with all of the above principles.
GDPR and Open Banking
The EU's Payment Services Directive II (PSD2) was introduced in 2018 to promote the sharing of financial data, with the customer's consent, between financial institutions and third-party providers. This movement became collectively known as open banking.
Because GDPR prioritises data protection while PSD2 encourages data sharing, the two legal frameworks may appear contradictory. This is not the case. GDPR ensures that personal data is handled with the utmost care, transparency and accountability; PSD2 guarantees that financial data is shared securely, with the explicit consent of the user, for the purpose of delivering improved financial services.
The coexistence of these regulations does, however, pose challenges. Under open banking, a customer's data can be held by multiple parties, which increases the risk of data breaches or misuse and makes GDPR's strict data protection measures all the more significant. To clarify these nuances, the European Data Protection Board published guidelines on the interplay between PSD2 and GDPR in 2020.