The General Data Protection Regulation (GDPR) requires organisations to secure personal data whilst enabling data subjects to see what information is held about them. How can a business know that it is genuinely its customer who is making the data access request?
The ramifications of this requirement are significant for all organisations that provide online access to customers’ data.
The level of authentication that is acceptable under GDPR to confirm that the customer is in fact who they say they are is subject to debate. Within financial services there is already a definition of authentication, referred to as Strong Customer Authentication (SCA), defined under the Revised Payment Services Directive (PSD2). One suggestion is that this definition should be the authentication basis under GDPR for all industries, not just financial services.
The issue will have to be determined by the regulators of the 28 member states, each of whom will decide the authentication requirements needed under GDPR when customers access their data online.
Whilst there is no certainty on interpretation, Jonathan Williams, Director of Strategy at the MIDAS Alliance suggests, “the problem for businesses is that they have little guidance on how to ensure it is their customer who is making the request to access customer data. What is clear is that under current regulations when banks need to ensure it is their customer accessing their data, strong customer authentication meets that requirement, as stated under PSD2.
What is not so clear is whether this would apply to a telecoms or recruitment company that is not governed by PSD2. This is why the MIDAS Alliance was formed, and in particular why we support the British Standards Institution’s Digital Identification and Authentication Code of Practice (Publicly Available Specification (PAS) 499).”
Rif Kapadi, Associate in the Privacy and Information Law Team of Eversheds Sutherland (International) LLP notes, “GDPR applies across private and public sectors beyond the financial services space and will bite retailers, telecoms providers, gaming sector players and many others.
Preventing data security incidents and maintaining confidentiality is a fundamental GDPR principle and requirement. Implementing ‘appropriate’ security standards will be an evolving issue for businesses and requires consideration of the state of available technology, risks to the rights and freedoms of data subjects and cost factors; adherence to GDPR certified codes can be a key element to demonstrate compliance.”
Andrew Churchill, lead author of PAS 499, concurs, “Whilst PAS 499 is initially aimed at meeting the needs of PSD2, it should have general applicability. By giving clear guidelines on identity and authentication capabilities that can be implemented in a financial services scenario, we are also offering other businesses guidance on how they can start solving some of the challenges created by identity and authentication under GDPR.
After all, if a level of security is being applied in one sector to protect a 30 euro transaction, surely this should be a baseline for protecting other sensitive data sets as well.”