Dr. Angelika Eksteen, the Chief Strategic Officer at Help AG, underlines the challenges on the road ahead concerning data protection in the region, especially with the EU’s GDPR due to come into force in the next few weeks.
With less than a month to go before implementation of the European Union’s General Data Protection Regulation (GDPR), Help AG has warned that the large majority of Middle East organisations are woefully unaware of its implications due to a widespread lack of understanding. In particular, the cyber security firm has warned that the definition of ‘data subjects’, the people whose data is protected by the new regulation, is often misinterpreted by regional businesses, thereby leaving them ill-prepared to comply with the GDPR or even exposed to business risk.
Help AG is currently working with some of the region’s largest organisations from the telecom, government, and banking and finance sectors to help them understand GDPR and achieve compliance. This work, combined with a meticulous review of the framework by Help AG’s strategic consultancy division, has established that the GDPR will apply to all companies storing or processing data of people who are in the EU. This challenges the widely held misconception that the regulation only applies to the data of EU citizens and therefore has far-reaching consequences for businesses across the globe. Dr. Eksteen attributes this lack of clear understanding to the fact that a lot of the information available from the internet, or even from reputed sources, is either incomplete or wrong.
Explaining the impact this misinterpretation could have on Middle East businesses, she said, “This is quite simple: if a Middle East business stores or processes data of any individual who might be in the EU at some time, they should prepare for GDPR compliance. As it is virtually impossible to rule out the possibility of a person travelling to the EU at some point in time, all Middle East businesses storing or processing personal data should prepare for compliance with GDPR.”
Key measures for complying with the GDPR are the lawful processing of personal information, affording individuals the ‘right to be forgotten’ and the right to access their personal data, implementing ‘privacy by design’ when developing new products and services rather than treating privacy as an afterthought, registering with a data protection agency, and the appointment of a Data Protection Officer (DPO).
Dr. Eksteen said, “While fulfilling all these criteria may appear to be a daunting task, organisations need to understand the business risk of failing to meet requirements. This could mean losing or terminating business partnerships with EU-based companies, and even the possibility of heavy financial penalties and the associated reputational damage.”
As a first step, she recommends achieving compliance with long-standing industry standards that include ISO/IEC 27552, ISO/IEC 27001 and all related applicable standards, ISO/IEC 19944:2017, ISO/IEC 38505-1:2017, and ISO/IEC DIS 20889.
Depending on the risk assessment carried out within their organisations, IT teams might also need to implement security solutions such as data loss prevention (DLP), monitoring, digital forensics, and other technologies that are essential to the security needs of their market vertical.
“As the frequency of cyber-attacks continues to rise, organisations must focus on data protection to safeguard their business, rather than to simply comply with frameworks such as the GDPR. Instead of viewing the regulation as a business limitation, businesses could use it as a potential means to forge long-term relationships with their customers, based on trust and transparency,” she concluded.
Dr. Angelika Eksteen is a cyber security consultancy expert with over 17 years of experience in the implementation of management system standards such as ISO/IEC 27001, ISO 22301, ISO/IEC 20000-1 and local UAE standards.
She has been involved in information security standardisation in ISO/IEC JTC 1/SC 27, the group responsible for the ISMS standards. Dr. Eksteen has successfully completed the editorship of the world-wide standards ISO/IEC 27001:2013 and ISO/IEC 27002:2007 and of several other standards dealing with risk management and control selection.