Date: 2020-02-06

OneTrust DataGuidance’s ‘Thought Leaders In Privacy’ interview series is filmed across the world with leading privacy professionals discussing their advice for staying ahead of the curve and how privacy connects on a wider level with businesses and society. The series captures ideas from a range of subjects, including GDPR requirements, cookie law, data security and breach notification, risk & compliance and emerging technologies.

We spoke to Patrick O’Kane, Barrister & Data Protection Officer at FIS and WorldPay, in January 2020. FIS is a financial services technology provider that, in 2019, acquired payment processing company WorldPay. Patrick discusses EBA guidelines on IT and Security Risk Management, PSD2 and its relationship with the GDPR and other key data privacy developments within the financial services industry.

GDPR v. PSD2

Patrick believes that security makes up a large and significant portion of data protection values. With the PSD2 regulation being heavily focused on payment and transaction security, he notes that this is where its principles overlap, and even align, with the GDPR.

“PSD2 directly aligns with GDPR. If you look at article 94 of PSD2, it says that when you’re processing payment data as a PSP, a payment service provider, you have to implement GDPR through doing that. So, you have to respect GDPR at all stages if you’re caught by PSD2.”

At the bottom of it all, Patrick suggests that security is an underlying feature of data protection regulation, which goes beyond just PSD2 and the GDPR, and that to respect one regulation you have to respect the other.

EBA Guidelines on ICT and Security Risk Management

The EBA guidance follows many existing security and privacy regulations, and as Patrick explains, managing the requirements of each of these is made easier by the implementation of a holistic, global privacy program.

On the issue of security risk management, Patrick details the EBA’s guidelines regarding third-party service providers and the need to be on top of their security processes as well as your own.

“When you engage with third parties up and down the supply chain, you’ve got to make sure that those guys aren’t misbehaving when they get a hold of your data. I think what people have got to remember is third parties is where your security is at. It’s not always about what you’re doing in-house, it’s about what other people are doing on your behalf out there.”

Watch the full interview with Patrick, where he talks further about privacy developments and their impact on the financial sector, as well as the global frameworks that need to be taken into account when building an effective privacy program.