GDPR - Costly Restriction or New Business Opportunity?
By: Talal Wazani, Manager Strategic Security Consulting at Help AG
While VAT compliance is currently top of mind for Middle East businesses, many are unaware of the implications of the General Data Protection Regulation (GDPR). The European Union (EU) regulation aims to strengthen and unify data protection for everyone in the EU and applies from 25 May 2018. With just over six months until then, there is still much confusion about how GDPR applies to organizations outside the EU that control or process the personal data of people in the EU. This leaves Middle East businesses of all sizes and across diverse verticals, including cloud services, banking and finance, healthcare, insurance and tourism, exposed to significant risk.
The Importance of Data Privacy
Data is the lifeblood of business today. However, awareness about privacy among companies is relatively low and there are early warning signs that Middle East businesses are not prepared to handle the deluge of personal data.
This year, with Equifax, the security industry witnessed one of the largest breaches of highly sensitive personal information, and the impact of such breaches will be borne by consumers for years to come. The importance of safeguarding personal data cannot be overstated. The EU is taking the lead by imposing heavy financial penalties on companies that fail to comply with the regulation. For businesses, therefore, it is always better and less costly to prepare in advance than to face the fines and reputational damage later.
Why GDPR Matters to the Middle East
Many regional organizations operate as subcontractors (in GDPR terms, processors) for European companies, conducting activities that include processing and supply of goods, delivery of services, and monitoring of customer behaviour through social media and data analytics. Simply stated, any company, even one outside the EU, that offers goods or services to people in the EU or monitors their behaviour is subject to GDPR (Article 3).
Although any organization processing the personal data of people in the EU is fully accountable for demonstrating compliance with GDPR, few are aware of their direct obligations. These include implementing appropriate technical and organizational security measures and notifying the supervisory authority of a personal data breach, where feasible within 72 hours of becoming aware of it. Complying with GDPR also means maintaining documented evidence of compliance, conducting data protection impact assessments for high-risk processing activities, and implementing data protection by design both in operational processes and as a culture among employees.
The GDPR enforces these obligations with administrative fines of up to 4% of a company's annual worldwide turnover or EUR 20 million, whichever is higher, for the most serious infringements (such as violating the basic principles for processing, data subjects' rights or the rules on international transfers), and up to 2% of annual worldwide turnover or EUR 10 million for other obligations, including security of processing and breach notification. In addition, the people affected by a breach are entitled to claim compensation from the company that failed to protect their data. Therefore, once the GDPR applies in 2018, many EU organizations will be highly selective of the partners they choose to work with, since controllers may only use processors that provide sufficient guarantees of compliance, and many Middle East companies will face significant compliance challenges.
For years now, organizations have faced difficulties in identifying their critical data and where it resides throughout its lifecycle. This is step number one not only in GDPR compliance but also in defining a cyber-security strategy within an organization.
The most important activity for an organization that intends to become GDPR compliant is to conduct an exhaustive inventory of the personal data tied to its business processes: what is collected, why, where it is stored, who has access to it, with whom it is shared and when it is deleted. It will then have to either isolate the data of people in the EU from the rest or handle all personal data in compliance with the GDPR. This will be a real challenge, especially for multinational companies that might now have to consider building entirely separate data storage systems just for EU data.
With cloud computing becoming an increasingly prevalent technology, another very important element of becoming compliant with GDPR will be to review the data handling and protection clauses of third-party cloud storage and service providers, including the data processing agreement, where the data is physically hosted, the mechanism used for any transfer outside the EU, and which sub-processors the provider in turn relies on.
A common mistake most businesses make with cyber security is to haphazardly invest in trendy technical solutions without focusing on their effective implementation and operation according to strategic roadmaps. At Help AG, we recommend using a practical approach, and adapting the company’s existing security technologies in line with GDPR frameworks. A holistic approach to data inventory, initial compliance analysis and risk assessment, can help businesses optimize their budgets, focusing on the protection of critical data and minimizing related risks.
Of course, a key success factor in the GDPR compliance journey is to have a Data Protection Officer (DPO), or an equivalent professional, who can support the organization in realizing its strategic data protection roadmap. GDPR compliance will require the DPO to have not only broad knowledge of security technologies and the ability to interpret the regulation's requirements, but also a keen awareness of legal and human-resources matters.
The GDPR is definitely a turning point in attitudes and an opportunity to put businesses at the forefront of data protection, enabling them to build trust with customers. As the frequency of cyber-attacks continues to rise, organizations must focus on data protection to safeguard their business rather than to simply comply with frameworks such as the GDPR.
Instead of viewing the regulation as a business limitation, companies should consider it as an opportunity that can help them redefine the marketing landscape. The GDPR can be used by organizations that deal with sensitive information as a potential means to forge long-term relationships with their customers, based on trust and transparency.