2018/2019 Edition of the Global Regulatory Update

Treasury and Trade Solutions 52 • The legal ground for Account Servicing Payment Service Providers (ASPSPs) to process personal data for Payment Initiation Services (PIS) and Account Information Services (AIS) purposes is compliant with a legal obligation under PSD2. Implications and issues to consider: Although the GDPR is presented as a tightening of existing themes rather than a fundamental revision, it is hard to believe that it won’t have a significant impact on corporates. Corporates should continue to focus on compliance with the Regulation. Most companies outsource functions across their business, e.g., payroll, expenses and travel, data storage, and all of these will now have to be compliant with the new regulations. Coupled with the significantly enhanced breach notification requirement and a sanctions regime with real teeth, we think privacy and data protection will be moving up the agenda of management teams. Next steps: The GDPR takes effect on 25 May 2018. In the run up, guidance is being prepared by the Article 29 Working Party, ICO and other E.U. data protection authorities which the financial services industry is responding to.