GDPR: Impact on the Middle East
Organisations with customers in the EU, however briefly those customers are there, need to comply with the new data regulations
GDPR legislation will have an impact on companies in the Middle East, but enforcement actions are unlikely to happen any time soon, according to Giampiero Nanni, EMEA Government Affairs at Symantec.
The new European privacy laws, which came into effect on Friday, have caused a flurry of activity from Europe-based organisations which now have to comply with a strict set of regulations on how they manage data on their customers.
So far, this has mainly manifested in organisations refreshing their privacy policies and mailing lists, but in future it will require company-wide data management and reporting, and a much greater accountability to customers over how data is kept and used.
The GDPR legislation is "based on highly aspirational and ethical objectives", Nanni said, with a focus on the individual's right to privacy. However, the impact on organisations, including those outside the EU, is considerable: breaching the rules carries fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater. Supervisory authorities can also impose a temporary or permanent ban on an organisation's processing of personal data.
A major misconception among organisations is that GDPR only applies to European companies. Nanni points out that this is not the case: the law is tied to where the data subject is, not to their nationality or the organisation's location, so any organisation processing the data of people who are in the EU, whether residents or visitors, is governed by the same strict regulations.
"Any non-EU organisation that targets individuals who are in the EU will have to comply with GDPR. This means that any individual, regardless of their nationality, who travels to the EU member states is automatically covered under the law, should their data be collected and processed. Many Middle Eastern organisations operate internationally and have customers who are in the EU," he said.
"The GDPR puts strict new requirements on how organisations collect and use the personal data of those in the EU, whether they reside there or visit, and it also applies to any data of customers in the EU even if processed outside of the EU member states. Regardless of where a business is located, any organisation that collects or processes the data of those who have a physical presence in the EU - regardless of how brief it may be, and whether connected to a payment - will have to comply. A company is expected to provide the same level of protection to relevant personal data that are covered by the GDPR, irrespective of where that data resides or where it gets transferred."
Nanni said that it will be difficult for the EU to enforce GDPR against smaller companies based outside the EU. He also said it is likely that the full impact of the legislation won't be felt until the EU brings a test case, possibly against a major technology company, as a way of making an example of an organisation that breaks the law.
Regulatory enforcement is not the only risk to companies that fail to comply with GDPR, however. The legislation includes provision for individuals to claim compensation from companies whose mishandling or breach of their personal data causes them damage. This, coupled with generally increased awareness of data privacy rights, means that consumers are likely to expect companies to show greater regard for data privacy and protection.
"Companies should be aware of other repercussions as well. A data breach, as we've seen in recent headlines, can gravely or irrevocably damage a company's reputation. Ultimately, customers want to have privacy. They know their rights, they are more conscious of what can happen, they will want to exercise those rights," he said.
GDPR adoption is a costly and time-consuming process, and Nanni said that many organisations in the EU are running behind schedule. Even so, he believes that adhering to its principles will benefit companies through a better security posture and a better understanding of the data they hold. He also said that GDPR is likely to become the 'industry standard' for organisations, no matter where they are.
"Due to its thoroughness and the fact that it is based on highly aspirational and ethical objectives, the GDPR is likely to become a global benchmark. Other countries outside of the EU, like Japan, Australia and India, are already looking at developing similar approaches. Therefore, it is likely that markets like the GCC will consider introducing similar legislation to guarantee their citizens' right to privacy against invasive commercial practices, and to clamp down on damaging data trafficking," he said.