This year has seen many changes in the Middle East, from a rise in oil prices to the recent implementation of VAT. As Middle Eastern businesses become more globalized, they must also be aware of foreign laws and regulations. The General Data Protection Regulation (GDPR) is a regulation designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organizations approach data privacy. The GDPR replaces the current Data Protection Directive 95/46/EC, which was created on 24th October 1995 to control data processing. Many of the provisions in the GDPR can be found in the current legislation, but the GDPR, being more detailed and precise, takes into account the challenges of a rapidly evolving digital world that give rise to privacy risks for data subjects.
This new regulation was first proposed in January 2012 and was finally approved in March 2014. The EU adopted the regulation in April 2016, and it will be enforced from 25th May 2018. Non-compliance could cost companies heavy fines and penalties.
With technological advancements and widespread internet usage, personal data has become available everywhere. This has led to an increased need to update standards and regulations to fit today’s technology and protect the privacy of personal information. The GDPR is important because it improves the protection of European data subjects’ rights and clarifies what companies that process personal data must do to safeguard these rights.
Objectives of the General Data Protection Regulation (GDPR)
The GDPR objectives will force companies to change their procedures and the way they protect personal data in order to meet the following:
- Empower individuals with greater control over their personal data: The GDPR seeks to control how companies use Personally Identifiable Information — this includes a person’s name, telephone number, email address and even internet browsing habits. Companies will need an individual’s permission to use and store their personal details and will be limited to storing them for a fixed period that is bound to the purpose of the processing. Individuals will also have the right to be forgotten, meaning they can request the deletion of their personal data at any time.
- Privacy by design: Companies must adopt suitable measures to identify risks effectively and protect individuals’ right to privacy. This includes conducting privacy impact assessments.
- Breach notification: Data Processors must notify supervising authorities of a data breach within 72 hours of becoming aware of it, while Data Controllers must send the notification directly upon becoming aware of a breach. A breach could include anything that results in harm to an individual’s right to privacy.
- Data protection officer: Companies covered by the regulation must appoint a data protection officer to monitor compliance with the regulation and to advise on meeting all of its requirements.
Is your company subject to GDPR?
The penalties for GDPR non-compliance
Any company that collects or processes EU citizens’ personal information must comply with the regulation, even if it is based outside the EU. Companies that fail to comply with the GDPR requirements will be issued warnings by the supervising authority and can face heavy fines that may reach up to €20 million or 4 percent of the company’s global annual revenue, whichever is greater.
Challenges for organizations in the Middle East
All companies in the Middle East with any involvement with EU citizens’ data should be considering the potential impact of the GDPR. Such organizations will face many challenges in complying with the regulation:
- Managing and protecting personal information via auditing and reporting.
- Increasing their investment in data protection, including hiring the right talent and implementing the appropriate controls with the required infrastructure in place.
- Ensuring that processes are in place so that a breach report will be sent within 72 hours.
- Ensuring clarity on who owns the lead role of data protection and privacy within the organization.
- Isolating EU citizens’ data in dedicated data storage used only for EU data.
- Developing new data handling policies to align with GDPR requirements.
- Updating contracts, clauses and privacy notices.
- Adopting new security controls as per GDPR guidelines.
- Identifying and mitigating privacy risks by conducting privacy impact assessments.
The implementation of the GDPR will have a positive impact on organizations that respond by building a complete data privacy strategy that complies with the regulation. With proper planning of this strategy, individuals can finally be confident that their data is well protected.