There has been much discussion about the impending introduction of the EU General Data Protection Regulation (GDPR) in recent months, in particular the impact on organisations not based in the EU.
Much of the discussion has focused on the complicated details of the regulation and its onerous requirements for compliance. This has slowed the progress of Middle East organisations for two reasons: 1) it is difficult to determine whether they fall under the scope of the GDPR at all; and 2) the complexity, and the absence of clear guidance, makes the compliance task daunting in most cases.
I’d like to offer some practical thoughts to help organisations deal with the challenge without delving too far into the complexities.
First and foremost, organisations need to recognise the context of the problem — those looking at the GDPR as yet another “tick box” compliance exercise are probably looking at the issue in the wrong way. The concept of data privacy is becoming intertwined with digital transformation: organisations need more and more data to be able to improve customer and employee experiences.
People are increasingly becoming concerned about how their data is being used and protected, and so data privacy needs to be built into every digital transformation activity. The GDPR is the first of many regulations that will impact the Middle East and seek to put control of personal data back in the hands of the individual. Therefore, data privacy needs to become integral to any organisation’s way of doing business.
Secondly, I think it’s helpful to take a step back from the complexity to think about what privacy actually means and therefore what the regulations are trying to achieve. In my view, the best explanation of this came from the late Steve Jobs who said, “Privacy means people know what they are signing up for, in plain English and repeatedly”.
In essence, organisations need to be more transparent about what personal data they collect and why.
Both of these ideas are strategic in nature and that is where organisations need to start: Decide on the strategy and vision for achieving data privacy, make sure people in the organisation know what it means and why you are doing it. The rest will start to fall into place.
The third consideration is to make your approach to data privacy risk-based and continuous. Realistically, very few organisations will have the resources to tackle end-to-end compliance with regulations such as the GDPR. In fact, organisations that are (or claim to be) compliant with every provision could still be penalised by the regulators depending on how they handle a breach, or if the courts interpret a particular requirement differently from the organisation.
Compliance does not necessarily equal privacy.
Therefore, the most effective approach from a cost and compliance standpoint is to prioritise activity according to risk and in line with the spirit of data privacy. Crucially, risk in this context means risk to the individual data subject, not to the organisation: compliance activities must be evaluated and prioritised according to the harm the processing could do to the privacy of the individual, not to the organisation's own exposure.
Combined with that, organisations must continually re-evaluate changing perspectives on data privacy, including court rulings and regulator guidance that would change their approach to compliance, and make the necessary adjustments.
Finally, don't forget the supply chain. Some of the biggest risks to data privacy will come from third-party providers processing data on behalf of organisations. Appropriate due diligence should be carried out to make sure suppliers are capable of protecting the data provided to them, that they understand their obligations with respect to that data and its privacy, and that those obligations are written into the contract rather than assumed.
Today’s reality is that it has become too difficult to understand what personal data is being collected, and what is being done with it. A new norm is emerging where the interests of individual privacy outweigh the interests of the organisation and this is being enacted in regulation.
At the same time, organisations are becoming increasingly reliant on using this data to differentiate their products and services, and to improve experiences. The two trends are incompatible when it comes to the way organisations currently operate.
Organisations that are successful at transforming to meet the requirements of data privacy will find themselves in a strong and differentiated market position. But this needs to be carried out in a practical way, and most importantly in the spirit of what the regulation is trying to achieve.
Otherwise organisations will find themselves paralysed by the potential costs and effort required to comply.
Matthew White is Partner, Technology Risk Leader at PwC Middle East.
The writer is a partner at PwC and Head of the Digital Trust practice.