What is the GDPR and why should you care?
May 25th will mark the starting date for the GDPR, an EU regulation on data protection that was introduced to unify the EU's approach to data regulation and make sure data protection laws are applied consistently in all EU countries.
The GDPR aims to protect EU citizens from organizations using their data irresponsibly and makes individual consent a central requirement for sharing personal information.
GCC countries do a large amount of business with the EU, so the effects of the GDPR will certainly reach the regional business world.
Up To $23 Million Penalties For Non-GDPR-Compliance
The GDPR imposes rigid penalties on data controllers and processors for non-compliance.
Fines of up to $23 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, can be imposed for infringements under the GDPR.
The upper tier of fines applies to infringements relating to:
- The basic principles for processing, including conditions for consent, lawfulness of processing and the processing of special categories of personal data
- Rights of the data subject
- Transfer of personal data to a recipient in a third country or an international organization
Is The GCC Ready?
Businesses in the Middle East that operate in Europe and handle the data of EU citizens need to comply with the regulation.
In fact, the new law applies to any of the following:
- Entities that have a branch, subsidiary or single representative in the European Union
- Entities that may not have a physical presence in the EU, but offer goods or services to data subjects in the EU
- Entities that have no physical presence in the EU and do not offer goods or services to people in the EU, but monitor the online behavior of data subjects in the EU
A Veritas study found that a typical UAE organization reports Dark Data rates of 49 percent (against an EMEA average of 54 percent) and ROT (redundant, obsolete, trivial files) levels of 43 percent (EMEA average 32 percent).
This leaves a mere 8 percent (14 percent for EMEA) of data that is identifiable as business-critical.
Currently, data protection and privacy in the GCC countries are mostly governed by general legal provisions spread across different laws; only Qatar has enacted a dedicated national data protection law (DPL), in 2016.
Implementing ISO 27001: What Can Gulf Businesses Do To Avoid The Big Punch?
The EU has introduced strict requirements, and reaching compliance involves complex processes (see more at www.eugdpr.org).
We spoke to LEORON trainer Hasnain Rizvi, who strongly suggests implementing the ISO 27001 standard to achieve compliance.
Any business that is dealing with European clients (businesses, organizations, banks, etc.) needs to be compliant with the standards of the GDPR by the 25th of May.
The ISO 27001 standard is among the most useful standards to implement in this case.
The good thing about this standard is that if you follow it, it will work along the narratives of the GDPR regulation.
Insurance companies, banks and any others that have any connection with Europe… the GDPR will especially affect them, because there is an active data stream between them.
The regulation itself makes multiple references to certification schemes, seals, and marks. The GDPR encourages the use of standards like ISO 27001 to demonstrate that a business is actively managing its data security in line with international best practice.
Rizvi explains how global GCC companies are implementing ISO 27001.
I just did a course with Star Energy Oil Tanking; their main office is in Europe, and they have joint ventures in the Middle East.
It is the same case with SABIC; they also have offices in Europe, where following the GDPR will not only help them but also avoid the penalties.
The ISO has a recommended alignment: ISO 27001 has 114 different controls broken into 14 different sections, and this can help companies to be GDPR compliant. They just need to follow the ISO standard, which will help them and also provide additional opportunities from a training perspective.
ISO 27001 implementation means that your organization will be running an ISMS (information security management system), a globally recognized practice backed by top leadership.
This will help you manage, monitor, audit and improve your organization's information security practices in one place, consistently and cost-effectively.