Article By: Talal Wazani, Manager Strategic Security Consulting at Help AG
The Middle East’s lack of understanding of the upcoming EU regulation is likely to place businesses across a wide range of sectors including cloud services, banking and finance, healthcare, insurance and tourism at significant risk.
While VAT compliance is currently top of mind for Middle East businesses, many are unaware of the implications of the General Data Protection Regulation (GDPR).
The European Union (EU) regulation aims at strengthening and unifying data protection for all EU citizens and is set to come into effect by May 2018.
The Importance of Data Privacy
Data is the lifeblood of business today; however, awareness about privacy among companies is relatively low.
This year, with Equifax, the security industry witnessed one of the largest breaches of highly sensitive personal information and the impact of such breaches will be borne by consumers for years to come.
The EU is taking the lead by penalizing companies with heavy financial penalties if they fail to comply with the regulation.
For businesses therefore, it is always better and less costly to prepare in advance, rather than face the fines and reputational damage later.
Why GDPR matters to the Middle East
Many regional organizations operate as subcontractors of European companies, conducting activities that include processing and supply of goods, delivery of services, and monitoring of customer behaviours through social media and data analytics.
Simply stated, any company, even one outside the EU, that is targeting consumers in the EU, will be subject to GDPR.
Although any organization processing the personal data of EU citizens is fully accountable to demonstrate compliance with GDPR, few are aware of their direct obligations.
Such responsibilities might include implementing technical and organizational measures and notifying data protection authorities in the event of a data breach.
Abiding with GDPR also includes acknowledging documented compliance, conducting data protection impact assessments for risky data processing activities, and implementing data protection by design in operational processes and as a culture among employees.
The GDPR will enforce penalties for breaches by imposing fines for violations of up to 4% of annual worldwide turnover of a company for a data breach and up to 2% of annual worldwide turnover for non-compliance.
In addition, the people affected by the data breach will be entitled to sue the company which failed to protect their data.
For years now, organizations have faced difficulties in identifying their critical data and where it resides throughout its lifecycle. This is step number one not only in GDPR compliance but also in defining a cyber-security strategy within an organization.
The most important activity an organization that intends to become GDPR compliant will need to conduct is an exhaustive inventory of the data related to its business processes.
They will then have to either isolate EU citizens’ data from the rest or handle all data in compliance with the GDPR.
It will be a real challenge especially for multinational companies that might now have to consider building entirely new data storage systems just for EU data.
With cloud computing becoming an increasingly prevalent technology, another very important element of becoming compliant with GDPR will be to review the data handling and protection clauses of third-party cloud storage and service partners.
A common mistake most businesses make with cyber security is to haphazardly invest in trendy technical solutions without focusing on their effective implementation and operation according to strategic roadmaps.
Of course, a key success factor in the GDPR compliance journey is to have a Data Protection Officer (DPO) or professional who can support the organization in realizing its strategic data protection roadmap.