It is almost here. On May 25, 2018 the European Union will start enforcing its General Data Protection Regulation (GDPR), a single set of rules that applies directly in all 28 EU member states. The regulation imposes strict new obligations on anyone controlling or processing personal data, significantly improving transparency and giving control over their data back to people in the EU. Its impact, however, reaches far beyond the EU's own borders.
GDPR applies to every organization around the world that collects or processes personal data of people who are in the EU, regardless of their nationality, including permanent residents, visitors and expatriates, whenever that processing relates to offering them goods or services or to monitoring their behaviour. Many organizations in the Middle East operate as subcontractors of European companies, conducting activities that include processing and supply of goods, delivery of services, and monitoring of customer behaviour through social media and data analytics. Any non-European organization that processes the data of people in the EU therefore needs to comply with GDPR. Once the regulation takes effect in May, many EU organizations will become highly selective about the partners they choose to work with, and many Middle East companies will face significant compliance challenges as a result.
“The EU continues to have strategic partnerships with several nations in the Middle East, and the volume of trade that occurs between them will not suffer as a result of GDPR. However, should enterprises choose not to comply with regulations, it could negatively impact their operations. Entities in the EU may decide against conducting business with external parties unless they are fully compliant,” states Hadi Jaafarawi, Managing Director, Middle East, Qualys.
The regulation introduces a number of essential requirements, including much larger fines, mandatory notification of personal data breaches to the supervisory authority (within 72 hours of becoming aware of them where feasible), opt-in consent, and responsibility for personal data transferred outside the EU. The impact on businesses is therefore huge, and will permanently change the way customer data is collected, stored, used, accessed, transferred and deleted.
Jos Beernink, Vice President Sales – EMEA, Genetec, highlights that GDPR reinforces an organization's adoption of best practices, and notes that a number of regional companies have already started the process of complying with it. "It will also strengthen business compliance with local laws such as Dubai International Financial Centre (DIFC) Data Protection Law, Abu Dhabi Global Market's Data Protection Regulations, and the Qatar Personal Privacy Protection Law. For all intents and purposes, GDPR has far wider benefits that are much needed in this day and age," he adds.
Achieving compliance is important, because the regulation carries significant financial penalties. The most serious infringements, such as violating the basic principles for processing, the conditions for consent, data subjects' rights or the rules on international transfers, can be fined up to €20 million or 4% of a company's total worldwide annual turnover, whichever is higher. Other obligations, including the security and breach-notification requirements, carry fines of up to €10 million or 2% of worldwide annual turnover, again whichever is higher. In addition, the people affected by a data breach are entitled to take legal action against the company that failed to protect their data.
“GDPR focuses on data belonging to EU nationals, hence it is critical for organisations to undertake a detailed data discovery exercise to understand the flow of EU national data across their IT systems and physical storage landscape,” explains Austin Kuruvilla, GDPR Consultant, Paladion.
As a GDPR consultant, Paladion recommends that organisations undertake a phase-wise approach, including Data Discovery and Data Protection Impact Assessment (DPIA), Control Framework Design and Roadmap Preparation, Control Implementation and Internal audit. “The internal audit allows organisations to assess the final level of compliance with regards to GDPR requirements,” adds Kuruvilla.
According to Talal Wazani, Manager Strategic Security Consulting at Help AG, the most important activity for an organization that intends to become GDPR compliant is to conduct an exhaustive inventory of the data handled by its business processes. "Organisations will have to either isolate EU citizens' data from the rest or handle all data in compliance with the GDPR. This will be a real challenge especially for multinational companies that may have to consider building entirely new data storage systems just for EU data."
With cloud computing becoming increasingly prevalent, another very important element of becoming compliant with GDPR will be to review the data handled by third-party cloud storage and service partners and the data protection clauses in the contracts with them, adds Wazani of Help AG.
Mimecast, for its part, provides customers with cloud-based solutions intended to enhance their cyber resilience, including support for GDPR compliance. Brian Pinnock, Regional Manager of Sales Engineering, Mimecast MEA, adds that organizations need to think beyond traditional, defense-only security to adhere to global data regulations like GDPR. "Under GDPR, all firms must take appropriate organizational and technical measures to protect the personal data of their customers, employees, and business partners. Making sure that emails are secure is a crucial part of any business' risk management strategy."
“GDPR’s looming deadline is shining a bright spotlight on a foundational requirement of InfoSec best practice, which is a comprehensive IT asset inventory. Organizations can’t expect to be compliant if they lack visibility into the hardware and software that they’re using to process, transmit, analyze and store data governed by GDPR,” explains Jaafarawi.
Kuruvilla adds that it is important to understand that GDPR compliance is not a one-time activity. Organizations must be able to demonstrate compliance with GDPR whenever the supervisory authority requests it, which requires continuous monitoring and evaluation of the effectiveness of controls. "Paladion can provide subject matter advisory support, as well as an activity calendar detailing the activities required for sustaining the compliance and certification," he adds.
Last year saw an array of data breach incidents that hit even giants like Equifax, Gmail, Uber, eBay and Forever 21, leaving the personal and sensitive information of millions of people exposed in their wake. Incidents like these underline the need to protect personal data and to reshape the way organizations approach data privacy.
The far-reaching effects of GDPR will be felt not only in Europe but also in the Middle East, where many international businesses have set up shop. It is therefore in the best interest of regional organizations to align with GDPR, given its substantial impact on their operations. Without doubt the measures required to follow GDPR's requirements are well worth the investment, especially when the alternative is facing fines running into millions of euros.