Time to take data management seriously

Protecting a customer's data becomes more responsible than merely throwing loyalty offers and promotions.

Businesses in general now have an added responsibility to let customers know as to how their private information is being treated. With Europe taking a serious stance on implementing the General Data Protection Regulation (GDPR), data privacy has only become more sacrosanct.

Protecting a customer's data becomes more responsible than merely throwing loyalty offers, promotions and bombarding them even when they don't seek it.

While it is almost going to be a month that Europe has implemented GDPR, businesses in the UAE have clearly understood that it is not a standard but a regulation with far-reaching implications. It is not only big businesses that are in for a change but also small and medium enterprises (SMEs) that lack resources to be compliant.

In simple terms, all organisations which serve within the EU or have European nationals in their customer base are required to get BS 10012 certification, a specifically designed standard which mirrors requirements of GDPR. Since GDPR is a regulation and not a standard, it is not possible for any auditing agency to award a certification in it. Obtaining this certification ensures that an organisation is compliant with all clauses of GDPR.

Aviation, hospitality in focus
Analysts have warned that all businesses in general, with the aviation and hospitality sectors in particular, should be vigilant for GDPR implications in the coming months.

"In the UAE, the industries that are most likely to feel the GDPR impact are airlines and hospitality," said M.R. Raghu, managing director, Marmore Mena Intelligence.

He said the UAE airlines will need to be careful with EU data they receive through flight bookings, which they use for marketing purposes, as it would now come under the purview of GDPR. The hospitality industry also makes use of online booking data from EU customers for advertisements and to provide personalised services.

"Both the airlines and hospitality sectors are now required to place more emphasis on the usage of this data to avoid breaching GDPR regulations," Raghu told Khaleej Times.

Dubai hotels recorded steady growth in the first quarter of 2018 with 87 per cent average occupancy. Latest statistics from Dubai Tourism indicate that travellers from Europe to Dubai have surged in recent times. Visitors from France and Italy were up 17 per cent and 20 per cent, respectively, during the first quarter of 2018. Sweden entered the list of Dubai's top 20 source markets for the first time, delivering 42,000 visitors during the period.

"As non-compliance with GDPR involves the possibility of financial sanctions, businesses need to re-evaluate the ways in which they use customer data and modify their current practices and processes," said Raghu. He said the approach of restricting business with EU nations might save short-terms costs associated with compliance but would not be the right way to go in the long run.

"As data privacy and security are global concerns, other regions might also develop their own regulations in future. UAE companies will eventually have to comply and modify their processes sooner or later. As of now, most of the bigger firms have already prepared themselves to comply with the regulations. The bigger challenge would be for smaller firms who might lack the resources to prepare themselves," elaborated Raghu.

EU-UAE trade
Ewa Synowiec, chief advisor to the European Commission and the general directorate of trade, recently discussed the volume of international trade and investments between the EU and GCC countries in general, with the UAE in particular.

Latest data indicates that two-way trade between GCC countries and the European Union has exceeded ?143 billion in recent years. The UAE has emerged as one of the EU's largest trading partners and shares almost one third of its trade within the GCC.

The UAE was the seventh largest destination for EU products in 2017. Total trade in goods between the EU and the UAE amounted to ?52.6 billion in 2017. The most important EU exports were machinery and transport equipment (more than half), manufactured goods and chemicals. The largest share in imports from the UAE to the EU market were mineral fuels, lubricants and other related materials as well as manufactured goods.

"The EU is one of the UAE's largest trading partners. This makes it even more important for companies from the emirates to consider GDPR compliance," Joanne Fischlin, head of corporate, external and legal affairs, Microsoft Gulf, told Khaleej Times.

"With roughly 160 GDPR requirements ranging from how you collect, store and use personal information, to mandating a 72-hour notification for personal data breaches - the road to achieve this set of compliance is not going to be easy. However, technology, especially the cloud, can help accelerate the path to compliance for most organisations," she said.

Shailendra Singh, chief information security officer at Capillary Technologies, said Capillary has revised its processes to adhere to GDPR for its EU-based clients.

"Similar changes are being made in other geographies since most newer and revised regulations globally are tending to reflect privacy laws like GDPR. One of the biggest concerns about GDPR in the UAE is that since a sizeable share of customers within the UAE are likely to be European nationals, GDPR automatically applies to these clients and hence it becomes necessary to ensure adherence."

GDPR compliance
Scott Manson, cybersecurity lead for Middle East and Africa at Cisco, said the telecom, insurance, financial services, hospitality, cloud service providers and businesses using cookies or other means of tracking behaviour should be more vigilant about GDPR implications.

"Even if a Middle East business does not have an EU presence, but targets or monitors EU individuals, then it should understand the impact of the GDPR and consider how it will approach compliance," he said.

"To fully protect personal data, you need to know what data you are collecting, how you are collecting it, what you are doing with it, who is processing it and where, and how you are protecting it - whether at rest, in use or in motion. Basically, you will need to determine whether the GDPR applies to you by conducting an audit of your business," he said.

Ali Shabdar, evangelist, Zoho Corp, said although the number of Google searches of the term GDPR has increased 100 per cent only in the past 5 months, it is rather surprising that GDPR was a relatively unknown topic in the region up until three months ago.

"All entities operating in the UAE - either locally based or a branch of an international brand - that offer services in the EU zone or even to EU residents should comply with the requirements of GDPR in processing personal data. Otherwise, they may face hefty fines," he said.

At this moment, he said lack of education and unclear direction from authorities in timely adoption of the regulation pose a threat to the operations of a large number of local businesses who are yet to comply with GDPR.

Opportunity for businesses
Shabdar said that a company of any size that does business in the EU or with EU entities and individuals, in any shape or form, and is not yet compliant with GDPR, risks being hit by lengthy inquiries and hefty fines.

"Invest in boosting your company's cybersecurity, educate your teams and seek expert advice to become GDPR-compliant as soon as possible. Also, find out where your data is being stored. Are your CRM, ERP, accounting software, e-mail campaign service, etc., GDPR-compliant? If not, ask your vendor or move data to secure GDPR-compliant services," he said.

New data compliance rules offer an opportunity for businesses to re-evaluate their processes and improve data management and customer loyalty. Rather than seeing these new regulations as challenges, view them as an opportunity to achieve competitive differentiation, as well as a way to drive greater customer confidence and trust in brands.

"The GDPR is the first of a wave of data protection legislation that will see start appearing across different regions, particularly as the data subjects - the people whose data is being collected - become more aware of what is happening in other parts of the world," Patrick Grillo, senior director, solutions marketing at Fortinet, said.

For many businesses, he said customer confidence is already being influenced by their perceived risk of conducting transactions online, or whether their personal data is at risk of being compromised or stolen. Meeting or exceeding regulatory requirements will go a long way towards assuaging those concerns.

Barry Scott, chief technology officer, EMEA, Centrify, said some companies based outside the EU are only just beginning to realise that GDPR affects them, usually because they hold EU citizens' data or are considered under the GDPR to offer goods or services to EU citizens.

Because of the large expat community in the region, there may be a knock-on effect of GDPR on GCC companies. "Even now, after May 25, with the GDPR already in effect, many organisations are still unsure whether they need to be GDPR-compliant, and what they must do," he concluded.

- sandhya@khaleejtimes.com