European Union’s GDPR regime will impact the region
The Middle East’s lack of understanding of the upcoming EU regulation is likely to place businesses across a wide range of sectors including cloud services, banking and finance, healthcare, insurance and tourism at significant risk While VAT compliance is currently top of mind for Middle East businesses, many are unaware of the implications of the General Data Protection Regulation. The European Union regulation aims at strengthening and unifying data protection for all EU citizens and is set to come into effect by May 2018.
With just over six months till its implementation, there is still much confusion about the applicability of General Data Protection Regulation to organisations outside the EU that process and control data of EU citizens. Unfortunately, this places Middle East businesses of all sizes and across diverse verticals including cloud services, banking and finance, healthcare, insurance and tourism at significant risk.
Data is the lifeblood of business today. However, awareness about privacy among companies is relatively low and there are early warning signs that Middle East businesses are not prepared to handle the deluge of personal data.
This year, with Equifax, the security industry witnessed one of the largest breaches of highly sensitive personal information and the impact of such breaches will be borne by consumers for years to come. The importance of safeguarding personal data cannot be neglected.
The EU is taking the lead by penalising companies with heavy financial penalties if they fail to comply with the regulation. For businesses therefore, it is always better and less costly to prepare in advance, rather than face the fines and reputational damage later.
Many regional organisations operate as subcontractors of European companies, conducting activities that include processing and supply of goods, delivery of services, and monitoring of customer behaviour through social media and data analytics. Simply stated, any company, even one outside the EU, that is targeting consumers in the EU, will be subject to General Data Protection Regulation.
Although any organisation processing the personal data of EU citizens is fully accountable to demonstrate compliance with General Data Protection Regulation, few are aware of their direct obligations. Such responsibilities might include implementing technical and organisational measures and notifying protection authorities in the event of a data breach.
Abiding with General Data Protection Regulation also includes acknowledging documented compliance, conducting data protection impact assessments for risky data processing activities, and implementing data protection by design in operational processes and as a culture among employees.
The General Data Protection Regulation will enforce penalties for breaches by imposing fines for violations of up to 4% of annual worldwide turnover of a company for a data breach and up to 2% of annual worldwide turnover for non-compliance. In addition, the people affected by the data breach will be entitled to sue the company which failed to protect their data.
For years now, organisations have faced difficulties in identifying their critical data and where it resides throughout its lifecycle. This is step number one not only in General Data Protection Regulation compliance but also in defining a cyber-security strategy within an organisation.
The most important activity an organisation that intends to become General Data Protection Regulation compliant will need to conduct is an exhaustive inventory of the data related to their business processes. They will then have to either isolate EU citizens’ data from the rest or handle all data in compliance with the General Data Protection Regulation. It will be a real challenge especially for multinational companies that might now have to consider building entirely new data storage systems just for EU data.
With cloud computing becoming an increasingly prevalent technology, another very important element of becoming compliant with General Data Protection Regulation will be to review the data and the protection clauses of third-part cloud storage and service partners.
A common mistake most businesses make with cyber security is to haphazardly invest in trendy technical solutions without focusing on their effective implementation and operation according to strategic roadmaps. A holistic approach to data inventory, initial compliance analysis and risk assessment, can help businesses optimise their budgets, focusing on the protection of critical data and minimising related risks.
Of course, a key success factor in the General Data Protection Regulation compliance journey is to have a Data Protection Officer or professional who can support the organisation in realising its strategic data protection roadmap. General Data Protection Regulation compliance will require the Data Protection Officer to have not only broad knowledge of security technologies and interpretation of the regulation requirements, but also keen awareness of legal and human resources.
The General Data Protection Regulation is definitely a turning point in attitudes and an opportunity to put businesses at the forefront of data protection, enabling them to build trust with customers. As the frequency of cyber-attacks continues to rise, organisations must focus on data protection to safeguard their business rather than to simply comply with frameworks such as the General Data Protection Regulation.
Instead of viewing the regulation as a business limitation, companies should consider it as an opportunity that can help them redefine the marketing landscape. The General Data Protection Regulation can be used by organisations that deal with sensitive information as a potential means to forge long-term relationships with their customers, based on trust and transparency.
Middle East businesses playing the role of supplier to European Union enterprises will need to be GDPR compliant writes Talal Wazani at Help AG.