Dubai: In 2018, the most important currency in the world is data, with companies trading in it and making billions of dollars off the back of it.
Friday will see the introduction of the most comprehensive data privacy law in history, a regulation that is intended to tackle the many nuances and pitfalls of this digital age.
As a result, Europe’s General Data Protection Regulation (GDPR) will have far-reaching consequences. As far-reaching, in fact, as the UAE.
Simon Bell, who is a cyber leader at risk management giant Marsh, says that the company predicts a large percentage of companies in the UAE will be liable under the new legislation.
“Basically any company that offers products or services in the EU or to EU residents may be affected,” said Bell, indicating how broadly it may affect local companies in the Gulf.
In terms of the types of businesses impacted, Bell said that as a global business and tourism hub, Dubai’s “aviation, hospitality and retail [companies] stand out.”
“However, many organisations may not fully appreciate that the GDPR applies to them, especially in industries that do not traditionally see themselves as data collectors. The reality, however, is that almost every business today is data-driven,” he added.
Seven years in the making, GDPR is a successor to the European Union’s 1995 Data Protection Directive, and is designed to protect people’s rights, and their personal information.
From May 25, individuals will have the power to demand that a company reveals or deletes the personal data they hold, while regulators will be able to work in concert across the EU, enforcing their decisions with serious penalties.
The maximum fine will now reach either €20 million or four per cent of the company’s global turnover, whichever is higher.
This could potentially run in to the billions of euros for some firms.
In a recent global poll of senior legal officers by KPMG, the consultancy found that over half of the respondents felt their business was not prepared for the new privacy laws.
This is reflected locally, according to Savitha Bhaskar, chief operating officer of Condo Protego, a technology provider specialising on data security.
“UAE organisations are largely not prepared for GDPR, though many are making progress,” Bhaskar said, adding that “a potentially huge proportion of UAE organisations could be affected by GDPR — from retail start-ups to multinational banks.”
So how can local companies, who experts say already fail to invest in their data security to an adequate level, catch up with Europe’s most onerous privacy regulation ever?
Bhaskar says that compliance for UAE companies will require a detailed focus on the data collected and managed by the organisation.
It will also require the “prioritisation of data management and analysis,” she said. “Organizations should work with specialised information management channel partners to first understand their data, determine which data needs to be retained, and adopt the right information management tools and solutions.”
Tarek Abbas, systems engineering director for emerging markets at Palo Alto Networks, highlighted the increasing number of cyber-attacks on companies in the Middle East, saying that it would become even more crucial now, in light of GDPR, to handle data securely.
“The Middle East is now frequently reported to be the target of cyber-attacks, which is making improving data security more urgent. Under GDPR, it will be especially important for companies to understand and comply with data protection regulations,” he said.
Abbas was optimistic however about the longer term impact of the changes: “Over time, this will undoubtedly boost data security practices and be a catalyst for positive change in relation to cybersecurity the region.”
When the EU introduces GDPR on Friday, it will be the most significant overhaul of privacy law in a generation, according to Bell, the cyber leader at Marsh.
“It establishes strict global requirements governing how organisations that do business in the EU must manage and protect personal data … One of the most noticeable knock-on effects of complying with the GDPR is an improvement in the ability to manage and respond to ever-evolving cyber risks. This can only have a positive affect for the region,” he said.