EDITOR'S COMMENT
European Union's GDPR regime will impact the region
Middle East businesses playing the role of supplier to European Union enterprises will need to be GDPR compliant, writes Talal Wazani at Help AG.
The Middle East's lack of understanding of the upcoming EU regulation is likely to place businesses across a wide range of sectors, including cloud services, banking and finance, healthcare, insurance and tourism, at significant risk. While VAT compliance is currently top of mind for Middle East businesses, many are unaware of the implications of the General Data Protection Regulation. The European Union regulation aims to strengthen and unify data protection for all EU citizens and is set to come into effect by May 2018.
With just over six months until its implementation, there is still much confusion about the applicability of the General Data Protection Regulation to organisations outside the EU that process and control data of EU citizens. Unfortunately, this places Middle East businesses of all sizes and across diverse verticals, including cloud services, banking and finance, healthcare, insurance and tourism, at significant risk.
Many regional organisations operate as subcontractors of European companies, conducting activities that include processing and supply of goods, delivery of services, and monitoring of customer behaviour through social media and data analytics. Simply stated, any company, even one outside the EU, that is targeting consumers in the EU will be subject to the General Data Protection Regulation.
Complying with the General Data Protection Regulation also includes demonstrating documented compliance, conducting data protection impact assessments for risky data processing activities, and implementing data protection by design in operational processes and as a culture among employees.
The General Data Protection Regulation will enforce penalties for breaches by imposing fines for violations of up to 4% of annual worldwide turnover of a company for a data breach and up to 2% of annual worldwide turnover for non-compliance. In addition, the people affected by the data breach will be entitled to sue the company that failed to protect their data.

[Photo caption: Talal Wazani, Manager Strategic Security Consulting, Help AG.]
For years now, organisations have faced difficulties in identifying their critical data and where it resides throughout its lifecycle. This is step number one not only in General Data Protection Regulation compliance but also in defining a cyber security strategy within an organisation.
The most important activity an organisation that intends to become General Data Protection Regulation compliant will need to conduct is an exhaustive inventory of the data related to its business processes. It will then have to either isolate EU citizens' data from the rest or handle all data in compliance with the General Data Protection Regulation. This will be a real challenge, especially for multinational companies that might now have to consider building entirely new data storage systems just for EU data.
With cloud computing becoming an increasingly prevalent technology, another very important element of becoming compliant with the General Data Protection Regulation will be to review the data handled by, and the data protection clauses of, third-party cloud storage and service partners.
A common mistake most businesses make with cyber security is to haphazardly invest in trendy technical solutions without focusing on their effective implementation and operation according to strategic roadmaps. A holistic approach to data inventory, initial compliance analysis and risk assessment can help businesses optimise their budgets, focusing on the protection of critical data and minimising related risks.
The General Data Protection Regulation is definitely a turning point in attitudes and an opportunity to put businesses at the forefront of data protection, enabling them to build trust with customers. As the frequency of cyber-attacks continues to rise, organisations must focus on data protection to safeguard their business rather than simply to comply with frameworks such as the General Data Protection Regulation.
Instead of viewing the regulation as a business limitation, companies should consider it an opportunity that can help them redefine the marketing landscape. The General Data Protection Regulation can be used by organisations that deal with sensitive information as a potential means to forge long-term relationships with their customers, based on trust and transparency.