Experts in cybersecurity and higher education warn about the risks of relying on technology without human oversight and call for integrating privacy by design.
Data protection is not just a legal obligation but a fundamental right and a key element in building a sustainable digital economy. This was stated by Gonzalo de la Poza García, Corporate Security Manager at acens, during a presentation held on April 10 at the European University of Madrid (UEM) that focused on the General Data Protection Regulation (GDPR) and its practical application in technology organizations.
De la Poza emphasized that the GDPR should not be understood solely as a compliance regulation but as a framework that protects people in the data age. “The processing of personal data—including sensitive data such as health or biometric information—requires strict security measures, absolute confidentiality, and transparency toward the user,” he explained. He reiterated that roles such as the Data Subject, Controller, Processor, and Third Parties must be clearly defined and understood within any organization that handles data.
One of the most critical points discussed was security breaches. Any loss or unauthorized access to data must be reported to the competent authority within a 72-hour timeframe, and to those affected if the risk is high. Penalties for non-compliance can reach up to 20 million euros or 4% of annual revenue, depending on the severity.
The role of the Data Protection Officer (DPO) was another highlighted aspect. This position serves as a guarantor of compliance, but the ultimate responsibility lies with the company. De la Poza insisted that the entire organization must be involved: “Protecting data is a shared task, not just the responsibility of legal or IT teams.”
FinTech and Big Data: When Volume Doesn’t Exempt Privacy
Next, Edith Macedo, a professor of the Big Data and FinTech module at UEM, and Hubert Joo Kitano, Director of the Master’s in Financial Management, shared insights from the educational sector. Both agreed that Big Data is not exempt from the GDPR, and as the volume of information handled increases, so does the responsibility.
Macedo cited collaborative platforms like Airbnb, where the anonymization of personal data (such as exact location or host identity) has become the norm due to regulation. “The GDPR has compelled us to rethink how information is presented to the user and which data is truly necessary,” she said.
Kitano focused his remarks on the FinTech sector, which is one of the most intensive in handling financial and personal data. “The sustainability of a FinTech relies on trust. That trust can be shattered by a single security breach,” he warned. He added that data such as income, debts, investment decisions, or biometrics are extremely sensitive, and misuse can lead to fraud, discrimination, or poor credit practices.
Both professors concurred that the most underestimated risk remains the human factor. “Technology can fail, but many breaches occur due to human errors or lack of training,” they stated. Therefore, they emphasized that education on data protection should be an integral part of the curriculum for future professionals in the technology and finance sectors.
Privacy by Design
The main conclusion shared by acens and UEM was the need to integrate data protection from the design stage of any digital initiative, especially in sectors like FinTech, where reputation is everything. The Data Protection Department and the role of the DPO must be structural elements, not afterthoughts.
“Technology advances, but it cannot do so without ethics or regulation. And protecting data is about protecting people,” the speakers concluded.
via: acens blog