From 25 May 2018, after a two-year implementation period, the biggest shake-up in EU privacy law will apply. Anna Milne and Saad Ahmed look at the main points

The upcoming General Data Protection Regulation (GDPR) will require customers to be made fully aware, in a clear, concise and transparent fashion, of how their personal data will be used, and by whom.

Where the use of customers' transaction data relies on consent, that consent must be freely given, specific, informed and unambiguous; a pre-ticked box or silence will not do.

Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) will not be able to use data captured during payment transaction processes for anything beyond providing the service the customer asked for, so that data cannot be repurposed to enhance their business models.


All processing must comply with six general principles and must rest on a lawful basis (a "processing condition" in the language of the current Data Protection Directive). The principles and lawful bases are similar to those in the Directive, but there are some significant changes.


Consumers will have the right to:

  • Revoke consent at any time
  • Know what data an organisation holds about them and how it is used, and to have that information erased

Those processing personal data do so as a controller, which decides the purposes and means of the processing, or as a processor, which acts only on the controller's instructions.

The concept of sensitive personal data has been retained and expanded to include genetic and biometric data. It will also become much harder to process information about criminal offences in some EU member states. Controllers must comply – and be able to demonstrate that they comply – with the six general principles.

Significant new rights, such as the right to be forgotten and the right to data portability, must also be factored into companies’ data-management strategies.


A controller must ensure the processing of personal data complies with all six of the following general principles:

  1. Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner.
  2. Purpose limitation. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, with exceptions for public interest, scientific, historical or statistical purposes.
  3. Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accuracy. Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted without delay.
  5. Storage limitation. Personal data should be kept in an identifiable format for no longer than is necessary, with exceptions for public interest, scientific, historical or statistical purposes.
  6. Integrity and confidentiality. Personal data should be kept secure, with appropriate protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.