The European Union’s new General Data Protection Regulation (GDPR), billed as the largest overhaul of online privacy, will come into effect across the bloc on 25 May. It will also impact Middle Eastern companies that handle personal data of European residents and citizens, even if they do not have a direct presence in Europe, highlighted Sage, the market leader in cloud business management solutions.
The GDPR sets out the minimum requirements for the treatment of all personal data. Personal data can be defined as any data identifying or relating to an individual, including physical appearance, biometric data, an individual’s record on a customer relationship management system, or even something as simple as website-tracking data collected via cookies.
Middle East-based firms will need to comply with the GDPR if they offer goods or services to individuals in the EU or track and monitor their behaviour. For example, an e-commerce firm that sells Middle East-made goods to European residents will be required to review its processes and systems for managing and processing personal data.
Pieter Bensch, Executive Vice President, Africa, and the Middle East at Sage, said: “The GDPR is slated to be the benchmark of global data protection and privacy regulation, and it comes at a pertinent time given the worldwide discussion about tech giants and data-handling. Middle Eastern businesses that will be impacted must start assessing the impact of GDPR on their operations, revamp their data protection processes and systems and train their employees for GDPR-compliance because it will affect various departments across an organisation.”
Key elements of the GDPR include:
- Consent: If you collect data based on the consent of individuals, EU data protection legislation has always required this consent to be freely given, specific and informed. Under the GDPR, it must also be confirmed by a statement or other clear affirmative action. Pre-ticked consent boxes on websites, or silence or inactivity on the part of the individual after reviewing a privacy statement, will not constitute consent.
- Right to move or transfer personal data (data portability): Under the GDPR, individuals have the right to have the personal data they provided to you on the basis of (i) consent or (ii) a contract, and which is processed by automated means, returned to them or sent directly to another company, even a competitor, in a structured, commonly used and machine-readable format. For example, a playlist generated for a user by a music service can be taken with them should they switch to a new provider.
- Proof of compliance: Under the GDPR, organisations should keep records of processing activities, subject access requests, breaches, how consents are obtained, and Privacy Impact Assessments. For records of processing activities, there is an exemption for smaller companies (fewer than 250 employees) unless the processing is likely to result in a risk to data subjects, the processing is not occasional, or the processing involves sensitive personal data (such as information on health, religion or sexual orientation) or data relating to criminal convictions and offences.
- Privacy from start to finish: Companies need to put technical and organisational measures in place throughout the lifetime of the personal data to match the privacy expectations of the individual – from the first contact with the company up to the end of the individual’s relationship with it.
- Mandatory breach reporting: In the event of a data breach, companies collecting personal data must inform their data protection authority within 72 hours of becoming aware of it. If there is a high risk of harm to the affected individuals, they too must be notified.
- Data Protection Officer (DPO): According to the GDPR, public authorities, and organisations whose core activities consist of regular and systematic monitoring of individuals or the large-scale processing of sensitive personal data, should appoint a DPO. The DPO must have expert knowledge of data protection law and can be either an employee or a third-party service provider. The DPO’s contact details must also be notified to the Supervisory Authority.
- A regulation with teeth: Getting ready for the GDPR will involve continuous training, undertaking regular audits, minimising the data collected, restricting access to personal data on a need-to-know basis, and implementing appropriate technical and organisational security measures such as pseudonymisation and encryption.
The penalties for non-compliance with the GDPR are up to 4 percent of annual global turnover, or €20 million (Dhs90.3 million), whichever is greater. Companies risk being fined even if there is no actual loss of data. Though it might seem hard in practice for the EU’s regulators to sanction Middle Eastern organisations with no assets in Europe, non-compliance could injure a company’s reputation and its ability to do business in the EU.
“Companies in the Middle East who are affected should not ignore the GDPR, which will come at a steep price. Instead, these firms should look to the new regulations positively. With data breaches in the Middle East on the rise, GDPR-compliance stands to help businesses build stronger privacy frameworks, as well as enhance brand trust by letting customers know that you safeguard their personal data,” added Bensch.