New EU regulations: More security, more competition and wider choice for consumers
2018 is promising to be a year bustling with new, and in some cases unprecedented, regulations around cyber security, data protection and fraud prevention. Two of the major pieces of legislation, the General Data Protection Regulation (GDPR) and the Second Payment Service Directive (PSD2), will come into force in 2018.
To discuss the implications of these new rules for corporations, Neira Jones, Non-Executive Director at the Nasdaq-listed cyber security company Cognosec, joined Jeremy Naylor from IG.com to offer professional insight on how companies should prepare for these changes.
Despite Brexit, the EU GDPR will apply to Britain post 2019. Neira clarifies that the GDPR aims above all to protect EU citizens’ information. This means that any organisation handling European consumer data needs to comply with the GDPR, regardless of where it is based.
The same applies to the PSD2. In fact, Article 94 of the PSD2 specifies that businesses must comply with the GDPR, signalling many synergies in the EU data protection and privacy regulatory landscape.
Non-compliance with the GDPR may result in fines of up to 20 million euros (or 4% of annual turnover). Both the GDPR and PSD2 could also mean a significant overhaul of businesses’ infrastructure and operations. But how can companies ensure they meet these new requirements? Neira advises organisations to understand first what EU citizen information they handle and how and where it is processed and stored. For example, Neira praised British pub chain JD Wetherspoons for their bold move in deleting their entire customer email marketing database in order to build a new one that complies with all the points of the GDPR, especially under the concept of “Consent”. She added that she believed many would follow suit, especially in the retail and hospitality space.
As cyber-attacks become more and more frequent, corporations need to assess their cyber security strategies. Breaches are inevitable; the key is how fast you respond and protect your systems, said Neira. In critical infrastructure organisations, for example the banking, telecoms and payments sectors, there are even more stringent rules on incident response and disclosure, such as the NIS Directive (Network and Information Security Directive), which comes into force at around the same time.
Indeed, whilst a breach at a single retailer will affect that retailer’s customers, attacks on payments providers are ‘significantly more dangerous and more acute’ due to the amount of sensitive data they handle and the number of B2B customers they supply, each of which in turn has large numbers of individual customers. Both regulations place great emphasis on preserving the integrity of the supply chain.
On a different point, banks are always looking deeply into security and new technologies and have been experimenting with cryptocurrencies and blockchain infrastructures, although very few concrete steps (in the consumer market) have been taken in this direction so far. Neira highlights Secure Trading, a leading and forward-thinking payment processor, for its research into the security aspects of blockchain.
Hyperconnectivity is having a global impact, and technology-driven innovation is forcing businesses and regulators to adapt and catch up to a new environment and more demanding customers.
“Regulations and standards are numerous in the payments industry, which can be overwhelming, therefore it is recommended that businesses take a holistic approach to regulatory requirements.” Neira advised companies to look for support with compliance. “Automation has become necessary and this has created a new industry: regtech.”
For businesses to succeed, Neira said they should: avoid regulatory silos, put customers at the centre of the strategy, understand that a security and risk management strategy is necessary, and understand that automation (regtech) can be of great help. “This is the path to becoming true digital players,” said Neira.