The General Data Protection Regulation (GDPR) will go into effect from Friday, and none of the companies in the European Union (EU), or elsewhere, are 100 per cent compliant.
The law will be enforced across all EU member states, streamlining compliance. It also applies to any organisation outside of the EU holding EU citizens’ data. That means that any company in the UAE that is holding any EU customer or operational data will have to take appropriate measures to protect the data.
Mervyn Kelly, the EMEA Marketing Director for Ciena, said that GDPR is adding pressure on organisations to protect sensitive customer and operational data.
“The cyberthreat landscape is evolving rapidly as technological innovations such as cloud computing, Internet of Things (IoT) and Artificial Intelligence (AI) significantly increase the number of potential security vulnerabilities,” he said.
GDPR’s maximum fine for a data breach involving the loss of any personal data, described as any information that can identify an individual, could be upwards of €20 million or four per cent of global revenues — enough to put even large organisations out of business, he said.
These measures should not only protect data at rest, he said, but also safeguard it in-flight as it traverses increasingly complicated infrastructure including the WAN (Wide Area Network), public, private, and/or hybrid cloud and data centre environments, all of which only increase the opportunity for data to be compromised and exploited.
“A holistic security approach is required to safeguard data and ensure GDPR compliance, and one key area is the encryption of all in-flight data from end-to-end, making it undecipherable and, ultimately, useless to hackers,” he said.
In case of any data breach of a UAE company that is holding EU data, he said the company must notify the relevant authorities within 72 hours of discovering a personal data breach, and, in serious cases, the data subjects affected by the breach must also be notified. For businesses that fail to take sufficient steps to protect their data and remain compliant with new regulations, the consequences will be severe.
Steve Plimsoll, senior partner for digital, data and analytics at EY Africa, India and the Middle East, said that while it is very unlikely the world will see a cataclysmic big bang impact on Friday, the GDPR will “change the way” every company in the region manages data in the future.
He said that there are three basic impacts of the EU GDPR.
Firstly, he said, is the regulation itself and the requirements it places on businesses.
“To date we are seeing that most companies are underprepared and in a lot of cases not even aware of the impact and risks to their business. For example, some businesses are focusing just on customers and not the staff/recruiting impact, or checking that their core customer management (CRM) systems are compliant but not looking into what customer data is being stored by marketing with agencies or third party systems and service providers — all of which they are accountable for,” he said.
Secondly, and maybe even more important than the regulation, he said, is the change in customer awareness, understanding and expectations about their personal data: how companies are using it and their rights to own and control it.
“I am seeing an ever increasing pushback from consumers to businesses that are not transparent about how they are going to use, or abuse, customer data. We have all been spam messaged in the region but now consumers are starting to demand change!
“Finally, the broader regional impact. While GDPR predominantly impacts businesses engaging with EU residents, the mere fact of its existence, linked to the changing customer expectations, is driving transformation of regional legislation on data management,” he said.
However, he said that local governments are reviewing their own current policies and some companies are beginning to adopt GDPR’s standards as the basis of all their data management no matter the customer’s location.