# The Importance of Data Security
I recently discussed what to look for when selecting an open banking provider, a topic you can read more about here. In this blog post I will dig a bit deeper into why data security regulation is important and explore one of the reasons why Enable Banking has decided not to touch or keep any of our users' data.
# Understanding the GDPR
The General Data Protection Regulation (GDPR) is a European Union law that went into effect in 2018, aimed at protecting consumers' personal data.
The main takeaway from GDPR is that it gives you greater control over your personal data. Individuals have the right to access their data, correct it where necessary, and ask for its deletion if they so desire. This is a major development in the field of data privacy on the continent, since it gives control back to the individual.
Under GDPR, companies are also required to obtain explicit consent from people before collecting or using their data. Businesses must therefore be transparent about the data they collect and the purposes for which they plan to use it. People, called 'data subjects' in the regulation, have a right to information about how their data is used and who has access to it.
In short, GDPR is a complex set of regulations created to safeguard the personal information of European consumers. It gives people more control over their data, enforces explicit consent for data collection and use, and requires businesses to report data breaches within 72 hours.
# The evolution of regulation
In the past, we've seen how both GDPR and PSD have been extended and revised several times since their first publication. GDPR was first adopted in 2016, but it didn't come into effect until 2018. Since then, there have been several extensions to the regulation, including the recent "Schrems II" ruling, which invalidated the EU-US Privacy Shield.
However, neither this nor any revision to GDPR has stifled the EU's desire for innovation and openness in the financial services industry. The EU is clearly on a path to strengthen the protection of its citizens' data while at the same time pushing for openness, digitalisation and innovation.
Looking into the rear-view mirror, here are some of the most interesting revisions to GDPR from the last six months from a financial services and AISP point of view:
# Judgment of 20 October 2022 (C-77/21)
According to the European Court of Justice, GDPR article 5(1)(b) has two requirements:
First, personal data must be collected for specified, explicit and legitimate purposes, and second, they must not be further processed in a way that is incompatible with those purposes. Concerning 'further processing', the Court notes that any processing that occurs after the initial processing counts as further processing, including transferring personal data to a test database.
The data controller must examine the compatibility of any subsequent processing with the original purpose. There should be a sufficient relationship between the initial purpose and the purpose of the subsequent processing, and the data subject's reasonable expectations should be satisfied.
# Judgment of 27 October 2022 (C-129/21)
The Court of Justice ruled that the consent of a properly informed subscriber is required before his or her personal data may be published in a public directory. This consent extends to any further processing of the data by third-party directory providers for the same purpose. It is not necessary for the data subject to know the identities of all the other directory providers.
Subscribers must be able to have their personal data removed from directories by exercising their right to erasure.
According to the Court, it follows from the controller's basic GDPR obligations that, when a data subject withdraws consent, the controller must use suitable technical and organisational measures to notify the other directory providers that have received the data.
# Judgment of 12 January 2023 (C-154/21)
In a preliminary ruling issued on January 12, 2023, the Court affirmed that every data subject has the right, upon request, to know the actual identities of the recipients to whom his or her personal data have been disclosed. Article 15 GDPR does, in fact, give data subjects the right to information about 'the recipients or categories of recipients' of their personal data, and such information should be as specific as possible.
These extensions and revisions reflect the evolving nature of data privacy and financial security. As new gaps emerge, businesses challenge regulations, and technologies evolve, legislation has to be updated to keep pace.
# How this affects Open Banking
Applied to Open Banking, this means that any TPP aggregating data on behalf of another company must be able to disclose, at the user's request, what information it holds about any individual or company, whether the request is for information or an exercise of the right to be forgotten.
In addition to this, GDPR requires that personal data be processed and stored securely. This means that third-party providers must have robust security measures in place to protect the sensitive financial data that they are accessing. Providers must also have a plan in place for responding to data breaches, which must be reported to regulators and individuals affected within 72 hours.
It also means that the company offering the customer-facing application is responsible for ensuring that every aggregating company and value-creating entity in the value chain deletes the end user's information when the data subject requests it.
Overall, GDPR has had a significant impact on the Open Banking ecosystem, requiring third-party providers to implement new data privacy and security measures, obtain explicit consent from customers, and provide individuals with greater control over their personal data and what they want to share.
While these requirements can be challenging, they are critical to ensuring that Open Banking operates in a transparent and secure manner, and that customers have the trust and confidence to participate in this growing ecosystem.
With Enable Banking as your aggregator, the process is as convenient as it can be for both you and your users. Unlike most providers, who add their own requests to access and use the end user data, Enable Banking operates on a strict policy of never storing, using, analysing, sharing or otherwise working with any of your data. This means that our customers only need to manage the data they themselves hold on behalf of their own customers.
In addition to being convenient, this approach brings significant data privacy and security benefits. Because Enable Banking does not store any customer data, there is no risk of data breaches or misuse of customer data by Enable Banking or by any third parties using us. This gives customers greater trust and confidence in the Open Banking ecosystem and makes them more willing to participate in it.
Overall, working with Enable Banking as your Open Banking aggregator provides a convenient, secure, and transparent way to access open banking, with all the comfort of knowing that your data is coming from and through a trusted source that values your privacy.
Sources:

- What is GDPR, the EU's new data protection law? - GDPR.eu
- CURIA - Documents (europa.eu)
- Data Privacy Day 2023: highlighting the most impactful ECJ judgements from the past year