Could GDPR need Strong Customer Authentication?

The General Data Protection Regulation (GDPR) requires that organisations secure personal data while also enabling data subjects to see what information is held about them. When it is customer data, how can businesses authenticate that it really is their client who is accessing the data? The ramifications of this requirement are significant for all organisations that provide access to customers’ data online.

The level of authentication that is acceptable under GDPR to confirm that the customer is in fact who they say they are is subject to debate. Within Financial Services there is already a definition of authentication, referred to as “Strong Customer Authentication” (SCA), defined under the Revised Payment Services Directive (PSD2). One suggestion is that this definition should be the authentication basis across GDPR for all industries, not just Financial Services. The issue will have to be determined by the Regulators from the 28 different member states, who will each decide the authentication requirements needed under GDPR when customers access their data online.

Whilst there is no certainty on interpretation, Jonathan Williams, Director of Strategy at the MIDAS Alliance, suggests, “The problem for businesses is that they have little guidance on how to ensure it is their customer who is making the request to access customer data. What is clear is that under current regulations, when banks need to ensure it is their customer accessing their data, strong customer authentication meets that requirement, as stated under PSD2. What is not so clear is whether this would apply to a telecoms or recruitment company that is not governed by PSD2. This is why the MIDAS Alliance was formed, and in particular why we support the British Standards Institution’s Digital Identification and Authentication Code of Practice (Publicly Available Specification (PAS) 499).”

Rif Kapadi, Associate in the Privacy and Information Law Team of Eversheds Sutherland (International) LLP, notes, “GDPR applies across private and public sectors beyond the financial services space and will bite retailers, telecoms providers, gaming sector players and many others. Preventing data security incidents and maintaining confidentiality is a fundamental GDPR principle and requirement. Implementing ‘appropriate’ security standards will be an evolving issue for businesses and requires consideration of the state of available technology, risks to the rights and freedoms of data subjects and cost factors; adherence to GDPR certified codes can be a key element to demonstrate compliance.”

Andrew Churchill, lead author of PAS 499, concurs, “Whilst PAS 499 is initially aimed at meeting the needs of PSD2, it should have general applicability. By giving clear guidelines on identity and authentication capabilities that can be implemented in a Financial Services scenario, we are also offering other businesses guidance on how they can start solving some of the challenges created by identity and authentication under GDPR. After all, if a level of security is being applied in one sector to protect a 30 euro transaction, surely this should be a baseline for protecting other sensitive data sets as well.”

The MIDAS Alliance

The MIDAS Alliance advises organisations on the wider GDPR and PSD2 implications of SCA and can offer consultants who help put in place solutions that meet the SCA requirements under GDPR and PSD2.

MIDAS Alliance is a membership organisation dedicated to developing identity and authentication standards and specifications to allow businesses and government to transact digitally and securely, whether making payments, submitting tax returns or controlling access to personal data.