GDPR and PSD2 are two legal initialisms that have both generated a great deal of press coverage in recent months, but they are seldom considered together.
There were around 122 billion non-cash payments in the European Union (EU) in 2016, with card payments accounting for 49% of all transactionsi and the trend is continuing: UK Finance recently reported that UK debit card payments overtook the number of cash transactions for the first time in the final quarter of 2017. As Europeans increasingly swap cash for cards and live their lives online, businesses have tremendous opportunities to take advantage of the vast amount of personal data generated by the increased use of payment services.
In the EU, activities in the payments sector are subject to the revised Payment Services Directive (2015/2366, known as PSD2). PSD2 was transposed in the UK primarily by the Payment Services Regulations 2017, the majority of which came into force on 13 January 2018.