Organisations collecting and handling data from EU citizens are expected to comply with the strict new General Data Protection Regulation. Compliance will raise concerns and create new expectations for security teams. Rashmi Knowles, field CTO, EMEA, RSA, discusses how the new regulation will impact Middle East firms and how they can prepare for it.
One of the most important topics being discussed in the cybersecurity industry today is GDPR. Can you give a brief background on what exactly it is about and how it works?
The General Data Protection Regulation will take the place of the EU Data Directive when it comes into force next year.
Now, how the Directive differs from GDPR is that the former is practically a set of recommendations EU organisations can follow and base their data protection policies on. Meanwhile, the GDPR is a law, which means all organisations across all member states are required to adhere to it.
The new rules grant people more rights regarding how companies handle their personally identifiable information (PII). The goal is to protect EU citizens and their data and harmonise data protection law across the EU member states.
Non-compliance with GDPR entails having to pay significant fines. The new regulation will require organisations to report any kind of breach to the authorities within 72 hours of being aware of it. This will also push organisations to invest in resources to come up with a more efficient and effective detection and response plan.
A breach is also defined differently in GDPR. Historically, we see a breach as an incident wherein someone has come into our networks to steal data. Under the GDPR regulation, a breach could also mean non-availability of data. It focuses on how organisations can ensure the confidentiality, availability and integrity of their customers’ and employees’ data.
Another important aspect of GDPR is ‘Subject Access Rights,’ which means that citizens from all 26 states can go to the organisations that handle their data and demand access to said data to review it, change it or even delete it.
From a process perspective that can be a challenge for organisations.
Why should Middle East firms be concerned about GDPR?
Well, GDPR, first and foremost, is focused on protecting the data of EU citizens. About 80 percent of the UAE’s workforce are non-Emiratis. A big part of that workforce is EU citizens, which means that any company in the region that has access to the data of these people, whether they are customers or employees, will have to comply with GDPR. This also applies to any organisation that has operations in any EU nation.
In addition, the DIFC Authority has recently said that they will incorporate the EU data protection law in their best practices recommendations for UAE organisations.
I believe that in the future other countries will also be incorporating aspects of the GDPR into their own policies, regulations and recommendations.
At a regional level, do you believe organisations here in the region are already on the right track when it comes to implementing best practices for data protection?
Data protection law in Middle East countries has obviously already been around for a very long time. However, when it comes to GDPR there is still a lot of education that needs to be done. In my conversations with several businesses from the region, I found that a number of them are unaware as to whether they are in scope or not. What they need to understand is that just because they don’t have operations in a European country does not mean they are not in scope. They need to know that as long as they are handling data of EU citizens they will need to adhere to GDPR to some extent.
For organisations that need to adhere to GDPR, how should they prepare?
There are very simple steps in getting ready for GDPR.
Firstly, they need to have a proper understanding of what data they handle and what kind of risks can be associated with that data. A part of GDPR is also about consent, which means that best practices should be applied across the whole life cycle of a customer’s data, from collection to storage.
Identity and access management are also critical for GDPR. You need to know not only who has access to that data but also whether they are the right people who should be opening or retrieving the information.
Education is also important. You will have to ensure that employees within your organisation are well-aware of how they should protect the data they have, the implications should a breach occur and how they can recover from it.
Last, and probably the most important, is incident detection and response. The faster an organisation can detect and mitigate a threat, the more time it has to investigate the incident and prepare the breach notification within the 72-hour deadline set by the GDPR.