On 25th May the General Data Protection Regulation is set to kick in and while European businesses are the primary target of this new law, its impact will be felt by organisations in regions outside the EU bloc. Are Middle East firms ready for GDPR?
Data has become one of the most valuable assets of businesses of all sizes, which makes data protection now more important than ever.
Over the last two decades, the way we generate and handle data have changed dramatically. Subsequently, we have also seen cyber breaches make headlines left, right and centre across the globe. Among the latest incidents that came to light is the Facebook data breach, which exposed the information of over 87 million users.
The implementation of GDPR, according to regulators, is vital to protect consumers in an era of huge cyber-attacks and data leaks. It also aims to strengthen the control that individuals have over their data and to improve transparency about how that data is processed. It also seeks to facilitate business by simplifying rules for companies in the digital single market.
GDPR replaces the current EU Data Protection Directive, 95/46/EC, which every EU country has implemented at country level. As a regulation, it will automatically apply to every EU member state from the effective date. However, the new regulation will not only affect companies within the EU, its impact will also be felt by businesses in other regions including the Middle East. Non-compliance could cost organisations penalties upwards of $24 million (EUR 20 million) or four percent of the firm’s yearly revenue worldwide, whichever is higher.
Brian Chappell, senior director, Enterprise and Solution Architecture, BeyondTrust, explains that GDPR applies to any organisation that collects and/or processes data of EU residents irrespective of purpose and location.
“It affects organisations all over the world,” says Chappell. “If you operate a website that takes online orders from EU residents; ship goods to EU countries for either your firm or as a third-party organisation; or operate a service that processes information of EU customers – GDPR applies to you.”
GDPR is also designed to protect the owners of data as it requires organisations to demonstrate that they have proper controls over processing and securing information including how it used, stored, updated, accessed, transferred and deleted.
“It positions data protection and security as something that’s done by design and default,” adds Chappell. “Security cannot remain an add-on or an afterthought.”
However, with the deadline fast approaching, many organisations including those in the Middle East are yet to begin the processes to comply with GDPR, risk lagging behind and potentially facing hefty penalties.
A NetApp study revealed that only 35 percent surveyed EMEA firms are confident that they know where all their data are stored, which is quite alarming. Fadi Kanafani, regional director, Middle East and Africa, NetApp, explains, “The level of awareness on the implications of the GDPR deadline is relatively low in the region and that could be the major reason behind the slow pace of activities aimed at ensuring compliance.”
In addition, while there are plenty of literature on GDPR available through the Internet and even from reputed sources, these are oftentimes incomplete. Dr. Angelika Eksteen, chief strategic officer, Help AG, says this results to Middle East organisations being woefully unaware and, therefore, ill-prepared for GDPR.”
Dr. Eksteen notes, that more than the financial penalties, a company’s non-compliance could also hinder any plans of establishing partnerships with EU-based firms, once GDPR is fully enforced. “People affected by any future data breach will be entitled to sue the company which failed to protect their data,” she says. “Therefore, many organisations will be highly selective of the partners they work with whether it be in the Middle East or in other parts of the world.”
Next steps for Middle East organisations
Compliance might appear a daunting task for organisations, but it is not too late to begin to get ready.
There is still time to put in place an action plan and timeline for developing and implementing a GDPR compliance programme; including the changes needed to practices, key documents, processes and procedures.
“Organisations will need to assess their current level of compliance, fortify their systems and roll out the infrastructure,” says Khanafani from NetApp. “Companies in the UAE do not shy away from investing in robust IT infrastructure and that will be an advantage in navigating this challenge.”
GDPR should be driven in a top-down approach, according to Austin Kuruvilla, senior GDPR consultant, Paladion. “The new regulation supplements existing measures in the Middle East that many corporates in the region adopt as a matter of good practice or to comply with local regimes, such as the DIFC Data Protection Law, Abu Dhabi Global Market’s Data Protection Regulations and the Qatar Personal Privacy Protection Law.
“Organisations should look at GDPR as an opportunity to put in place data security practices, strategies and policies to enhance security,” he adds.
With GDPR’s wide-ranging scope and impact, it is vital for organisations to implement a holistic plan and go beyond conventional security measures.
“Email security is one of the biggest threat vectors for any organisation,” says Bian Pinnock, regional manager, Sales Engineering, Mimecast MEA.
“By its very nature, emails contain personal data and are especially vulnerable to cybercriminal exploits. However, GDPR compliance requirements extend well beyond email-centric security and operations and involve privacy and governance processes wherever personal data is stored or processed such as databases, CRM systems, ERP platforms. Email security and management is only part of the story and all organisations need to consider this when reviewing their current systems and processes.”
Harish Chib, vice president, Sophos MEA, says that like all security and compliance measures, the best way to prepare for GDPR is to understand its potential risk exposure. “For the many organisations that must comply with the new legislation, they should plan a solid data protection strategy that guards against loss of data whether through malicious or accidental method,” he explains.
“Securing against these threats is a great place to begin. We recommend these three steps to achieve this: stop the causes of data loss – implement solutions against malware and ensure the security of data residing in various devices; stop threats at the door – implement multi-layered security strategies, and reduce human error – encrypt individual files and reduce access to sensitive files.”
Much like technology, data security is evolving and today’s businesses should continuously innovate to adapt. Following GDPR will also enable organisations better understand the value of their data and more importantly cultivate customer trust.
