Mobile authentication has big role to play in GDPR and PSD2

The following is a contributed article by Marta Ienco, ‎Head of Government and Regulatory Affairs, GSMA Personal Data


In 2018, GDPR (General Data Protection Regulation) and PSD2 (Payments Services Directive) will pass into law. Both regulations have been developed by the EU to help manage personal data in response to the growing digital economy. While GDPR will protect consumer privacy, PSD2 will give third parties access to customer data: two contradictory motives that are surely set to collide. Banks are already grappling with the technicalities of these regulations, but what do they actually mean for businesses and their customers?

Let’s start with the basics. PSD2 will come into effect in January 2018 and will give third parties access to anonymised customer banking data. It will help foster competition and innovation by giving service providers the ability to interact with banks’ customers, but it will also improve security by making strong customer authentication mandatory. This will further expand the reach of two-factor authentication, where users will need to authenticate themselves using something they have, such as a smartphone or card reader, and something they know (a PIN or password).

GDPR, which comes into force in May 2018, will set a new bar for how companies process, secure, protect and report customer data. Any organisation holding data on EU individuals will have to conform to GDPR, wherever it is based. That means that where past legislation applied only to companies headquartered in the EU, almost every website and app in the world must comply with GDPR from 2018. The benefits are clear. GDPR supports a level playing field that will increase digital trade and require organisations to take a more sophisticated approach to data capture and processing. But the cost of non-compliance will be high, and organisations could face fines of up to 4 per cent of global turnover – a significant penalty.

So how will these two regulations marry up? The key is consent. Third parties will only be able to access customer data when the consumer has agreed to it – meaning GDPR rules are upheld. The real challenge is therefore proving that customers are who they say they are and triggering customer consent through authentication. If banks aren’t completely certain of the provenance of a request and decline a request from a service provider, they could be in violation of PSD2. But if a data breach then takes place, they could also become liable under the rules of GDPR. Luckily, this is where operators can help.

Operators can leverage user data such as location, account and usage history, which in turn can be used to help verify transactions. Moreover, this rich data can also help minimise instances of account takeover fraud. So if someone tries to change the mobile number associated with a bank account, the operator can determine if the original mobile number is still in use, and use it to alert the customer to any suspicious changes to their personal details.

Mobile authentication is secure but also extremely convenient – vital for keeping customers happy and in control of their data. With the majority of people now carrying smartphones, two-factor authentication becomes simple, as the object they ‘have’ is already in their pockets. Possession and control of the mobile phone can be combined with a secret piece of information (e.g., a PIN) or biometrics (e.g., a fingerprint), enabling banks to easily and accurately verify the identity of the person trying to access the service.
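The two preceding paragraphs describe the shape of strong customer authentication (a possession factor plus a knowledge factor) without showing how a verifier combines them. The following is an added illustration, not code from the article, from the GSMA or from Mobile Connect: a hypothetical bank-side verifier in which the phone proves possession by keying an HMAC over a fresh server nonce with a device-enrolled secret, and the user proves knowledge with a PIN checked against a salted PBKDF2 hash. All names, the enrolment data and the lockout threshold are constructed for the example; a real deployment would hold the device key in a SIM or secure element and would add transaction binding and audit logging.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical policy constants (constructed for this example).
PBKDF2_ITERATIONS = 100_000
MAX_PIN_FAILURES = 5

# Server-side set of challenges that have been issued but not yet consumed.
# Popping a challenge on use makes every nonce single-use, so a captured
# response cannot be replayed later.
_outstanding_challenges: set = set()


def enrol(pin: str) -> dict:
    """Create the server record for one customer.

    'device_key' is the possession secret shared with the handset at enrolment
    (constructed here with a CSPRNG); the PIN is never stored, only a salted
    PBKDF2 verifier of it.
    """
    salt = os.urandom(16)
    return {
        "device_key": secrets.token_bytes(32),
        "pin_salt": salt,
        "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS),
        "pin_failures": 0,
    }


def new_challenge() -> bytes:
    """Issue a fresh random nonce for one authentication attempt."""
    challenge = secrets.token_bytes(16)
    _outstanding_challenges.add(challenge)
    return challenge


def device_sign(device_key: bytes, challenge: bytes) -> bytes:
    """What the handset does: prove possession of the enrolled key over the nonce."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def verify_possession(record: dict, challenge: bytes, response: bytes) -> bool:
    """Accept the response only for an outstanding, never-before-used challenge."""
    if challenge not in _outstanding_challenges:
        return False
    _outstanding_challenges.discard(challenge)
    expected = device_sign(record["device_key"], challenge)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, response)


def verify_knowledge(record: dict, pin: str) -> bool:
    """Check the PIN against its PBKDF2 verifier, with a failure counter and lockout."""
    if record["pin_failures"] >= MAX_PIN_FAILURES:
        return False  # locked: even a correct PIN is refused until reset
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), record["pin_salt"], PBKDF2_ITERATIONS
    )
    if hmac.compare_digest(candidate, record["pin_hash"]):
        record["pin_failures"] = 0
        return True
    record["pin_failures"] += 1
    return False


def authenticate(record: dict, challenge: bytes, response: bytes, pin: str) -> bool:
    """Strong customer authentication: both independent factors must pass.

    Possession is checked first so that someone without the enrolled device
    cannot burn through the PIN failure budget and lock the real customer out.
    """
    if not verify_possession(record, challenge, response):
        return False
    return verify_knowledge(record, pin)


if __name__ == "__main__":
    customer = enrol("4821")               # constructed sample PIN
    nonce = new_challenge()
    proof = device_sign(customer["device_key"], nonce)
    print("login:", authenticate(customer, nonce, proof, "4821"))
    print("replayed nonce:", authenticate(customer, nonce, proof, "4821"))
```

The verifier treats the two factors as independent evidence: a correct PIN presented with a forged or replayed device response is refused, and a genuine device response presented with a wrong PIN is counted against the lockout budget. Which factor failed is not reported to the caller, so an observer learns only that the attempt was refused.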

When banks and operators combine their efforts and expertise, they create a secure environment for transactions with greater revenue generation opportunities. The GSMA has already begun working with a number of operators and service providers to roll out Mobile Connect, an operator-based mobile authentication service which provides a convenient and secure log-in solution with privacy protection. While there can be no doubt that GDPR and PSD2 will drive huge changes in the world of personal data, mobile authentication will keep things safe, simple and secure for businesses and consumers.
