With just a month to go before implementation of the European Union’s General Data Protection Regulation (GDPR), Help AG has warned that the large majority of Middle East organizations are woefully unaware of its implications due to widespread lack of understanding. In particular, the cyber security firm has warned that the definition of ‘data subjects’− the people whose data is protected by the new regulation− is often misinterpreted by regional businesses, thereby leaving them ill prepared to comply with the GDPR or even exposed to business risk.
Help AG is currently working with some of the region’s largest organizations from the telecom, government, and banking and finance sectors to help them understand GDPR and achieve compliance. This work, combined with meticulous review of the framework by Help AG’s strategic consultancy division has uncovered that the GDPR will apply to all companies storing or processing data of people being in the EU. This challenges the widely held misconception that the regulation only applies to the data of EU citizens and therefore has far reaching consequences for businesses across the globe. Dr. Angelika Eksteen, Chief Strategic Officer at Help AG, attributes this lack of clear understanding to the fact that a lot of the information available from the internet or even reputed sources is either incomplete or wrong.
Explaining the impact this misinterpretation could have on Middle East businesses, she said, “This is quite simple− if a Middle East business stores or processes data of any individual who might be in the EU at some time, they should prepare for GDPR compliance. As it is virtually impossible to rule out the possibility of a person travelling to the EU at some point in time, all Middle East businesses storing or processing personal data should prepare for compliance with GDPR.”
Steps to Achieving Compliance
Key measures to complying with the GDPR are the lawful processing of personal information, affording individuals the ‘right to be forgotten’ and to access their personal data, implementing ‘privacy by design’ rather than as an afterthought when developing new products and services, registering with a data protection agency, and the appointment of a Data Protection Officer (DPO).
Dr. Eksteen said, “While fulfilling all these criteria may appear to be a daunting task, organizations need to understand the business risk of failing to meet requirements. This could mean losing or terminating business partnerships with EU-based companies, and even the possibility of heavy financial penalties and the associated reputational damage.”
As a first step, she recommends achieving compliance with long-standing industry standards that include ISO/IEC 27552, ISO/IEC 27001 and all related applicable standards, ISO/IEC 19944:2017, ISO/IEC 38505-1:2017, and ISO/IEC DIS 20889.
Depending on the risk assessment carried out within their organizations, IT teams might also need to implement security solutions such as data loss prevention (DLP), monitoring, digital forensics, and other technologies that are essential to the security needs of their market vertical.
“As the frequency of cyber-attacks continues to rise, organizations must focus on data protection to safeguard their business, rather than to simply comply with frameworks such as the GDPR. Instead of viewing the regulation as a business limitation, businesses could use it as a potential means to forge long-term relationships with their customers, based on trust and transparency,” she concluded.