Blog · 29 Apr 2018

The GDPR and PSD2 are changing the retail regulatory landscape

The General Data Protection Regulation (GDPR) and the Payment Services Directive 2 (PSD2) are two hefty regulations that’ll affect most retail companies in 2018.

Andy Rowland
Head of Digital Manufacturing

The GDPR and the PSD2 and what you need to do about them

Let’s start with the biggie, the GDPR.

The GDPR will become law in May 2018. Covering all processing of personal data, the GDPR applies to any organisation -

  • with an ‘establishment’ within the EU, whether processing takes place within the EU or not
  • that offers goods or services to people in the EU
  • that monitors people in the EU

Failure to comply with the regulations can land you in very hot water. A breach of the GDPR could lead to fines of up to €20 million or 4 per cent of global annual turnover for the preceding financial year (whichever is the greater).
To help avoid a considerable penalty, I recommend asking yourself a few questions:

  • Are all your decision makers aware of the GDPR’s impact?
  • Are you certain that you’re aware of all personal data you hold and how you gather it?
  • Are you absolutely sure that you should be holding the personal data that you have?
  • Do you have the procedures in place to detect, report, and investigate a data breach?
  • Have you designated a Data Protection Officer?
  • Are you aware of how personal data travels across your business?

Being able to answer these questions won’t just help you stay out of regulatory trouble; it’ll strengthen the trust between you and your customers.

PSD2. The opportunity you’ve been waiting for?

The Payment Services Directive 2 (PSD2) is due to be implemented in early 2018, but at the time of writing, the exact date has still not been confirmed.

Designed to increase customer protection, the PSD2 will also increase competition and innovation in the payment services market.

How to explain it? Well, it’s essentially about third party access to customers’ online accounts and payment services. The regulation requires banks to give third parties secure, regulated access to customer accounts in the same way as if the customer had given their explicit permission for it.

To do this, banks must use customer identity verification and authentication through APIs (Application Programming Interfaces).

This opens the way for two new types of service (regulated under PSD2) -

  1. Third party payment initiation (provided by Payment Initiation Service Providers or PISPs)
  2. Third party account access (provided by Account Information Service Providers or AISPs)

Get into pole position by planning for PSD2 now

For retailers, the directive will affect how customers give you permission to access their money, without an intermediary. Yes, it’s going to make buying things even easier for the customer. But it also makes digital security a touch more problematic. We’re going to need strong customer authentication to guarantee the safety of the customer’s payment and purchase data.

So think about -

  • How does this affect your business’s strategy?
  • Can you start experimenting now to test your thinking (and maybe even discover any faults before they harm your company)?
  • Is your infrastructure prepared for the use of open APIs (even if the definitive technical standards are still a work-in-progress)?

If you can see through the regulations and tease out the opportunities, you can keep everyone happy: the regulatory bodies, your customers, and your shareholders.