In a few weeks’ time, the new General Data Protection Regulation (GDPR) will come into force across Europe. It aims to harmonise the processing of personal data in the member states in order to protect the privacy of individuals in the European Union.
It is important to remember that the scope of the regulation is not merely territorial. Under its Article 3 it also applies to organisations established outside the EU that offer goods or services to people in the Union or monitor their behaviour. This means that any company or organisation anywhere that processes these types of data is likewise obliged to comply with the GDPR.
To begin with, let’s consider some of the key details to be taken into account:
With respect to enforcement of the regulation, a word must be said about the appearance on the scene of two very important players, whom the regulation defines in its Article 4 as:
The cybersecurity industry acquires special prominence here, given its ability to deploy the wide range of measures that reduce the impact of the different threats affecting data that require protection.
The industry gained further momentum in 2018, not only on account of this new regulation, but also because international bodies such as the World Economic Forum already regard cyberattacks as one of the severest threats at the global level.
In fact, according to the latest ENISA report, the 15 most frequent cyberthreats faced in 2017 include several relating to data leakage and to identity theft, such as, for example, phishing and spam campaigns to obtain banking credentials. Thus, although complying with the GDPR may seem tedious, it represents an excellent opportunity for organisations.
Any theft of data and/or identity implies a risk, and even more so when the data relate to an account or card number that makes the theft of money through fraudulent use in online banking easier.
In this respect, it is important to remember that the regulation takes a risk-based approach: organisations are expected to have a sound risk management strategy that allows them to apply suitable measures across the entire life cycle of a cyberthreat, from prevention through detection to response.
Simply purchasing cybersecurity tools therefore does not, in itself, ensure compliance with the law. If the organisation has not analysed its threats in depth, part of the process may be left unprotected. Hence the regulation stresses both layers of security, technical measures and organisational measures alike.
It must not be forgotten that the regulation requires the adoption of technical and organisational measures appropriate to the risk in order to limit the impact of a threat; a good strategy will therefore reveal blind spots that may not otherwise have been foreseen.
Once the strategy has been formulated, it will be easier to determine the portfolio of services and tools that are needed to implement it and, what is most important, to protect our users.
It is at this point that new technologies such as behavioural biometrics and deep learning can provide effective and efficient solutions. This is especially relevant to online banking fraud, where the handling of extremely sensitive data may result in the theft of a client’s money or in the maximum fine for non-compliance with the GDPR.
These technologies have emerged precisely to address new criminal problems and, by extension, to make the job of data controllers easier or, at the very least, to help them demonstrate that all the measures within their reach have been adopted to mitigate those problems.
To sum up, the cybersecurity industry has become one of the sectors most affected by the GDPR, since it will be responsible for protecting organisations’ data properly. At the same time, the regulation itself drives serious reflection on the measures and tools that lead to greater protection and a better service for citizens.