In early 2016, the EU legislative bodies agreed on two legislative projects that will considerably increase every EU citizen's rights over the electronic data that pertains to them. These projects are the PSD2 (Payment Service Directive 2) and the GDPR (General Data Protection Regulation). Both include a two-year transition period, during which national legislation will be altered to comply with the directive (PSD2) or the regulation will become directly enforceable as a European regulation (GDPR).
PSD2 concerns payment service providers such as credit card companies, banks, and other online payment service providers. The core idea behind PSD2 is to increase transparency, support new innovations, and facilitate new players' entry to the market.
GDPR, also referred to as the European data protection regulation, in turn defines the rules for handling the data related to individuals that is collected about each of us.
Both projects have been written about extensively in recent years, but rarely have they been discussed together. Even less attention has been paid to the projects' core ideologies and to their impacts from the different players' perspectives.
From the viewpoint of a single citizen, it is basically about a digital identity: about who owns it, and about the behavioural rules for contact with our digital selves. Here, digital identity refers to the image or projection that is formed of each of us, that is, all the data that the various market players such as social media services, banks, stores, and authorities collect about us. Nearly every company founded in the past 15 years with a market value exceeding one billion dollars (for instance Uber, Airbnb, and even our very own Finnish gaming companies) bases its business on commercialising our digital identities and utilising them to develop new innovative services. Traditionally data-centric operators such as banks, insurance companies, and the retail trade got left behind in this race and are now attempting to bridge the gap.
PII data (Personally Identifiable Information) refers to data that can be linked to an individual, either directly or indirectly. Individual ownership of PII data is clearly going to improve and increase through these legislative initiatives. Companies, for their part, face the requirement of revealing who is processing their customers' data, how, and why.
PSD2 enables, under certain conditions and with the consumer's consent, the disclosure of bank account information and transactions to third parties. This will give birth to a wave of Fintech start-ups producing, for example, easy-to-use services that let everyone review their complete financial situation in one place, regardless of their bank.
In turn, GDPR will introduce new elements to the handling of PII data, such as "the right to be forgotten" and "the right to transfer information". Thus the consumer can, if they so desire, ask the party processing the data - a social media company, a telecom operator, a retail store - to hand over and/or "forget", that is, destroy, any information related to the consumer.
The next two years will be extremely interesting for those market operators who possess and process a great deal of PII data. On the one hand, there has been much talk of how to meet the minimum requirements of the legislation in order to avoid sanctions, loss of reputation, or perhaps even real business loss. On the other hand, people have started to come up with new business opportunities, or even completely new markets, to build around our digital identities.
The minimum requirement perspective is highly understandable: both pieces of legislation entail a large number of elements that can translate into major transformational projects, and not only for companies' legal departments but for all three parts of the classic "people, processes, technology" line of thought. Especially challenging, given the two-year span, are the legislation-induced projects that require changes to IT architectures. In this light, two years is a very short time indeed.
In terms of the GDPR, this means, for example, going through all the company systems that handle PII data; re-thinking data collection and processing practices; and, most of all, finding a way that is as automated as possible to apply the operational policies to the various data sources in compliance with the new legislation. In companies, this will require seamless cooperation between the legal, corporate security, and IT teams.
As for PSD2, financial operators will have to create interfaces to bank account data through which third parties can - with consumer consent - build new innovative services. It goes without saying that information of this nature is PII data to the highest degree, and it is subject to the normal GDPR requirements. In this respect one could think that, for financial operators, these two pieces of legislation form a sort of natural tandem.
My own view is that all market players affected by this regulation must, as quickly as they can, form a snapshot of the minimum requirements, turn it into a project, and after that - if not at the same time - start digging into the new markets opened up via digital identities. If understood correctly, this not only gives birth to new European "unicorns" but also provides each one of us, as consumers, with a stronger hold on the ownership of our "alter ego" in the digital world.