As the date on which the GDPR takes effect approaches, it is important to understand what the regulation means and how it affects businesses in the Middle East.
The General Data Protection Regulation takes effect on May 25, 2018. It applies to private and public organisations that collect, process, or store the personal data of individuals in the EU.
What exactly is the General Data Protection Regulation?
The GDPR is an updated set of rules adopted by the European Union to govern the security and privacy of personal data. It replaces the Data Protection Directive of 1995.
The purpose of the GDPR is to protect the personal data of people in the EU and to give them much greater control over how it is collected and used.
Consequences of Non-Compliance
The GDPR backs its requirements with strict enforcement: fines can reach €20,000,000 or 4% of annual global turnover, whichever is higher.
Organisations that suffer a data breach may also face legal action from the victims, and the damage to a brand's reputation can take years to repair.
What are the Rules?
The regulation sets rules on how companies must treat the personal data of their users. In summary, personal data must be:
- Stored only on a lawful basis, most commonly the consent of the user.
- Kept secure.
- Retained no longer than necessary for the purpose for which it was collected.
- Provided to the individual, as a copy of their personal data, whenever they request it.
Checklist: Are You Prepared?
Data Protection Officer
Every organisation that falls within the GDPR should appoint a Data Protection Officer (the regulation makes this mandatory for public authorities and for organisations whose core activities involve large-scale monitoring or processing of sensitive data). The DPO ensures that staff are trained on the new regulation and know what to do in a crisis, such as notifying the supervisory authority in the event of a breach.
Internal audits should review how the company handles personal data and prepare contingency plans for unexpected problems.
Organisations should also make sure that their ITAD (IT asset disposition) process follows good data security practice, so that personal data on retired equipment cannot be recovered and the risks of data processing are reduced.
ITAD providers should carry cyber liability insurance and be able to show a third-party process for limiting damage if something goes wrong.
What does this Mean for the Middle East?
The Middle East has extensive business relations with the European Union. Because the GDPR applies to any organisation that handles the personal data of people in the EU, regardless of where the organisation is based, it will have a significant impact on businesses in the region that serve EU customers.
The industries most likely to be affected are airlines, telecom operators, hotel and tourism companies, banks and other finance and insurance companies, and retailers, because people from the EU use these services when travelling between Europe and the UAE or connecting across the two regions.
Problems could arise mainly because there is little awareness in the UAE of the GDPR. Affected businesses will find it hard to adjust to the rules, and those that are unaware risk heavy fines and penalties for failing to follow them.
The core issue is that unaware businesses do not know whether they need to comply. Awareness campaigns that explain the changes and rules to the relevant companies are needed. Adopting security controls such as encryption of personal data will also reduce the likelihood and impact of a data breach.
Possible Challenges the UAE May Face
Given this lack of awareness, the region is likely to face the following issues while preparing for the GDPR:
- Companies must invest more in data protection, because the rules are stricter and breaches must be prevented.
- A plan must be in place to report a data breach to the supervisory authority within the required 72 hours, and to notify affected users without undue delay when the breach is likely to put them at high risk.
- Each company must assess its ability to protect the personal data that users entrust to it.
Writer: Layla Kurdieh