Get ready for GDPR

by

Sandhya D'Mello

Published: Thu 24 May 2018, 8:59 PM

Last updated: Tue 29 May 2018, 9:10 AM

Beginning today, a new era in data privacy sets in at both global and regional levels, as complying with the General Data Protection Regulation (GDPR) - a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area - becomes mandatory. So what does it mean for the UAE, and are businesses ready?
A 2017 study by Vanson Bourne and Mimecast indicated that the majority (95 per cent) of respondents' organisations will be impacted by GDPR, but only around 30 per cent were completely confident that their business would be compliant when it is introduced. "Around 40 per cent of respondents said they were completely confident they would be compliant and 39 per cent had implemented procedures to make their business compliant. This information was gathered from organisations inside and out of the EU so this figure is probably a fair indication of where the UAE is likely to fall in terms of readiness," said Jeff Ogden, general manager of Mimecast Middle East.
While much of the focus on GDPR has been on and by firms with a presence in Europe, organisations based outside of the EU are, in theory, governed by GDPR if they store the personal data of, monitor the behaviour of, or offer goods or services to EU individuals, whether free or paid.
Harish Chib, vice-president for the MEA at Sophos, said: "If you have a single European citizen's personal data in your database, you could be 'required to comply' with GDPR. In addition, the GDPR's penalty structure is based on a percentage of the offending organisation's overall global revenues, not just the portion of revenue related to the breached data. The regulation also requires public disclosure and breach notification, which means that even one record breached could possibly expose an organisation to penalties and negative brand PR impact."
All UAE organisations that are unsure whether they need to comply must remember that GDPR covers the collection and processing of the data of any EU citizen, so this could include customers or employees. Chib further states that an organisation's first step in understanding the potential impact of GDPR on its business should be to assess its potential risk exposure. Like nearly all security and compliance challenges, risk exposure drives both strategy and action. Organisations with no or very few customers from the EU and small or no operations in the EU may have reduced risk of exposure from the GDPR.
However, global organisations that sell and provide services to EU citizens actively, and that have significant business operations located in the EU, are likely already preparing for the enforcement start date of GDPR.
Anoop Ravindra, IT GRC practice head at ProVise GRC Labs Middle East, said: "The general awareness about GDPR is still very low, thus giving rise to a lot of unclear interpretations. The challenges that we see today are only based on a few organisations that have taken the initiative to implement GDPR. Aspects that are unclear today will get ironed out with more organisations implementing GDPR."
Organisations in the UAE that are aware of GDPR and its implications are striving to be completely compliant. While not more than 15 per cent of organisations are aware of GDPR, 13 per cent to 14 per cent of them are still in the implementation stage and would need significant time to showcase full compliance. The majority of the organisations (that do fall in the purview of GDPR) are yet to understand the applicability and initiate efforts to comply.
"Compliance with a privacy regulation like GDPR will go a long way in boosting and building consumers' confidence levels in the business establishments thereby opening more avenues and business models. Intent of GDPR is clear and with the enforcement date around the corner, organisations will get to see the level of enforcements and implications of non-compliance," adds Ravindra.
Adopting a framework like GDPR will enable organisations to clearly understand the data they hold and thus address questions such as whether the data is 'really' required, who needs the data, what the business use of the data is, where it is stored and what security measures are currently implemented.
Shailendra Singh, chief information security officer, Capillary Technologies, said: "Consumers in general are not against the idea of sharing their personal information with businesses. Rather they dislike it and react strongly if their trust is breached, which may be because an organisation did something with their data which they did not consent for, or something that they did not expect an organisation to do, or something that they clearly were opposed to when sharing their data."
Jeroen Schlosser, managing director at Equinix Mena, said: "As far as affecting consumers or businesses is concerned, GDPR stipulates that enterprises may be fined up to $20 million or 4 per cent of their annual global revenues for violating it. The principles set out in GDPR are prescribed at a fairly high level. This, combined with the fact that compliance is rarely black and white, means enterprises must interpret what those GDPR requirements mean for them, and do their own risk assessment and analysis."
Emirates: 'Full compliance'
Emirates airline, through a spokesperson, released a statement regarding GDPR: 'The implementation of the General Data Protection Regulation on May 25 affects both Emirates and dnata, and we have been preparing for it since August 2017 to ensure full compliance. Our GDPR compliance programme involves multiple departments across the group, and incorporates privacy principles as a central framework in every aspect of our operations and day to day activities. As a result, we are adopting GDPR as our standard for data privacy worldwide, not just with respect to our operations in the EU. We have set up a data privacy office which liaises with regulatory bodies, sets policies and guidelines, engages internal stakeholders, and coordinates training and awareness.'  - sandhya@khaleejtimes.com
 
