Khaleej Times

Prepare yourselves for GDPR

UAE businesses affected should ensure compliance

Sandhya D’Mello, sandhya@khaleejtimes.com


Beginning today, a new era of data privacy sets in at both the global and regional levels as compliance with the General Data Protection Regulation (GDPR) — a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area — becomes mandatory. So what does it mean for the UAE, and are businesses ready?

A 2017 study by Vanson Bourne and Mimecast indicated that the majority (95 per cent) of respondents’ organisations will be impacted by GDPR, but only around 30 per cent were completely confident that their business would be compliant when it is introduced. “Around 40 per cent of respondents said they were completely confident they would be compliant and 39 per cent had implemented procedures to make their business compliant. This information was gathered from organisations inside and out of the EU so this figure is probably a fair indication of where the UAE is likely to fall in terms of readiness,” said Jeff Ogden, general manager of Mimecast Middle East.

While much of the focus on GDPR has been on and by firms with a presence in Europe, organisations based outside of the EU are, in theory, governed by GDPR if they store the personal data of, monitor the behaviour of, or offer goods or services to EU individuals, whether free or paid.

Harish Chib, vice-president for the MEA at Sophos, said: “If you have a single European citizen’s personal data in your database, you could be ‘required to comply’ with GDPR. In addition, the GDPR’s penalty structure is based on a percentage of the offending organisation’s overall global revenues, not just the portion of revenue related to the breached data. The regulation also requires public disclosure and breach notification, which means that even one record breached could possibly expose an organisation to penalties and negative brand PR impact.”

All UAE organisations that are not sure whether they need to comply must remember that GDPR covers the collection and processing of the data of any EU citizen, so this could include customers or employees. Chib further states that an organisation’s first step in understanding the potential impact of GDPR on its business should be to assess its potential risk exposure. As with nearly all security and compliance challenges, risk exposure drives both strategy and action. Organisations with no or very few customers from the EU and small or no operations in the EU may have reduced risk of exposure from the GDPR.

However, global organisations that sell and provide services to EU citizens actively, and that have significant business operations located in the EU, are likely already preparing for the enforcement start date of GDPR.

Anoop Ravindra, IT GRC practice head at ProVise GRC Labs Middle East, said: “The general awareness about GDPR is still very low, thus giving rise to a lot of unclear interpretations. The challenges that we see today are only based on a few organisations that have taken the initiative to implement GDPR. Aspects that are unclear today will get ironed out with more organisations implementing GDPR.” Organisations in the UAE that are aware of GDPR and its implications are striving to be completely compliant. While not more than 15 per cent of organisations are aware of GDPR, 13 per cent to 14 per cent of them are still in the implementation stage and would need significant time to showcase full compliance. The majority of the organisations (that do fall in the purview of GDPR) are yet to understand the applicability and initiate efforts to comply.

“Compliance with a privacy regulation like GDPR will go a long way in boosting and building consumers’ confidence levels in the business establishments thereby opening more avenues and business models. Intent of GDPR is clear and with the enforcement date around the corner, organisations will get to see the level of enforcements and implications of non-compliance,” adds Ravindra.

Adopting a framework like GDPR will enable organisations to clearly understand the data they hold and thus address questions such as whether the data is ‘really’ required, who needs it, what its business use is, where it is stored and what security measures are currently implemented.

Shailendra Singh, chief information security officer, Capillary Technologies, said: “Consumers in general are not against the idea of sharing their personal information with businesses. Rather they dislike it and react strongly if their trust is breached, which may be because an organisation did something with their data which they did not consent for, or something that they did not expect an organisation to do, or something that they clearly were opposed to when sharing their data.”

Jeroen Schlosser, managing director at Equinix Mena, said: “As far as affecting consumers or businesses is concerned, GDPR stipulates that enterprises may be fined up to $20 million or 4 per cent of their annual global revenues for violating it. The principles set out in GDPR are prescribed at a fairly high level. This, combined with the fact that compliance is rarely black and white, means enterprises must interpret what those GDPR requirements mean for them, and do their own risk assessment and analysis.”

Photo caption (AP): Thanks to the scandal involving Facebook, the spotlight is shining brightly on how users’ data will be protected.
