In a few weeks’ time, Europe will be activating the new General Data Protection Regulation (GDPR), which aims to harmonize personal data processing in member countries in order to protect the privacy of European citizens.
It is important to remember that the scope of this regulation is not only territorial: it is also designed to protect the data of Europeans wherever they reside. This means that any company or organisation that processes this kind of data is also obliged to comply with the GDPR.
To begin with, let’s consider some of the key details to be taken into account:
- Enforcement date: May 2018.
- Aim: to protect the privacy of European citizens through the protection of their personal data. In order to achieve this, decisions will have to be taken at the organizational, technical and technological levels.
- What is personal data? According to Article 4 of the regulation, “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
- Scope: all manner of public and private organisations (including those of a scientific nature, such as universities and laboratories).
- Consent: it must be possible to demonstrate consent to data processing; therefore, consent by default is no longer valid.
- Penalties: the maximum fine for a data breach is 4% of global turnover or €20 million.
- Transparency: in the event of a data breach, organisations must notify the breach, the data affected and its consequences within 72 hours. Evidence will also be required of the measures taken to mitigate the breach.
- FAQ: https://www.eugdpr.org/gdpr-faqs.html
- Regulation download: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016
With respect to enforcement of the regulation, a word must be said about the appearance on the scene of two very important players, whom the regulation defines in Article 4 as:
- Data Processor: “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. An example of a data processor would be a cloud service provider where personal data may be hosted at any given time.
- Data Controller: “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. The controller is, therefore, any organisation that decides what specific use will be given to these data.
How does the GDPR affect the areas of cybersecurity and online fraud?
The cybersecurity industry acquires special prominence here, given its ability to deploy all kinds of measures that limit the impact of the different threats affecting data that require protection.
The industry finally got off the ground in 2018, not only on account of this new regulation, but also because different international bodies, such as the World Economic Forum, already regard a cyberattack as one of the severest threats at the global level.
In fact, according to the latest ENISA report, the 15 most frequent cyberthreats faced in 2017 include several relating to data leakage and to identity theft, such as, for example, phishing and spam campaigns to obtain banking credentials. Thus, although complying with the GDPR may seem tedious, it represents an excellent opportunity for organisations.
Any theft of data and/or identity implies a risk, and even more so when the data relate to an account or card number, since their fraudulent use in online banking makes the theft of money easier.
In this respect, it is important to remember that the regulation is built on the premise that organisations need a sound risk management strategy, one that allows suitable measures to be applied across the entire life cycle of a cyberthreat.
The simple purchase, therefore, of cybersecurity tools does not ensure, per se, compliance with the law, since, if the organisation has not analysed the threats in depth, part of the process may be left unprotected. Hence, the regulation stresses both layers of security: organisational and technical.
It must not be forgotten that the regulation requires adoption of all necessary measures to prevent the impact of the threat; therefore, a good strategy will enable blind spots to be discovered that may not have been foreseen.
Once the strategy has been formulated, it will be easier to determine the portfolio of services and tools that are needed to implement it and, what is most important, to protect our users.
It is at this point that new technologies, such as behavioural biometrics and deep learning, provide the most effective and efficient solutions. This is especially relevant with respect to online banking fraud, where the handling of extremely sensitive data may result in the theft of a client’s money or in the highest fine for non-compliance with the GDPR.
These new technologies have emerged precisely to address new criminal problems and, by extension, to make it easier for data controllers to do their jobs and/or, at the very least, to demonstrate that all the measures within their reach have been adopted to mitigate them.
To sum up, the cybersecurity industry has thus become one of those most affected by the GDPR, as it will be responsible for properly protecting organisations’ data. At the same time, the regulation itself drives serious reflection on the measures and tools that will lead to greater protection and a better service for citizens.