Dubai: With exactly a week to go before the GDPR (General Data Protection Regulation) takes effect, organisations in the UAE that are aware of the law and its implications are still far from being completely compliant.
According to industry experts, less than 35 per cent of overall companies in the UAE are ready for GDPR.
Amit Roy, executive vice-president and regional head for EMEA at cybersecurity firm Paladion, said that the majority of companies in the UAE, especially large and mature enterprises, have already begun preparations in the last six to eight months.
GDPR sets out key rights for individuals, one of which is the right to be informed of what personal data a company holds. Among other rights, GDPR gives control over personal data and its usage back to the individuals. This is a paradigm shift from the data management practices that organisations follow today.
“The GDPR, per se, does not distinguish enterprise or non-enterprise. There may be many companies who do not comply by May 25. These companies may have taken some steps but they may not be 100 per cent compliant. Only around 30-35 per cent of overall companies in the UAE are ready for GDPR,” he said.
Moreover, he said the challenge is for small enterprises that do not have the right resources for their own readiness.
“There are still several industries grappling with how it is going to really impact them and whether it is relevant to them. While it gives a unique opportunity to see the data in a different way and also to strengthen their already existing data security controls, it is not a compliance framework but more like a law. The framework does not say how to do it; it just says what you need to do,” he said.
Barry Scott, CTO for Centrify EMEA, said that the GDPR is quite vague about specifics, and the only technologies it highlights are “encryption and pseudonymisation”.
“What it does say in many places is that companies must follow ‘best practice’ and ‘the state of the art’ and demonstrate ‘data protection by design and default’. Following a well-recognised local or international standard, or set of controls, for cybersecurity (such as ISO 27001, NIST 800-53 or local variants), or achieving compliance with them, will put your company in a good position to show you’ve made a real attempt at securing your data and systems in the event a breach happens.
“The number of ISO 27001-certified companies in the Middle East has been increasing rapidly year-on-year, and the GDPR has quite possibly had some effect,” he said.
Implementation stage
Anoop Ravindra, IT GRC Practice Head for ProVise GRC Labs in the Middle East, said that compliance with GDPR in the EU and globally is low.
“Organisations in the UAE that are aware of the GDPR and the implications are still far from being completely compliant. While not more than 15 per cent of organisations are aware of GDPR, a staggering 13 to 14 per cent of them are still in the implementation stage and would need significant time to showcase full compliance,” he said.
The majority of organisations (that do fall under the purview of GDPR) are yet to understand its applicability and initiate efforts to comply, he said.
Moreover, he said the impact of complying with GDPR is multifold and essentially calls for a change in the organisation’s culture around safeguarding data; it can potentially change how it markets, recruits and stores consumer data.
While the changes to safeguard personal data will enforce the implementation of stronger controls within organisations, he also said that it challenges units within an organisation to ask only for data that is required and not for ‘good to have’ data.
Typically, these changes would not be well accepted by most internal teams; for instance, he said, marketing teams within organisations would want to gain as much data as possible (data that may be required for analysis).
“While it does have its share of challenges, these practices will also ensure organisations will better understand the storehouse of data they store, better utilise data, better secure data, and thus have a stronger mechanism to counter data breaches,” he said.
Penalties
Companies need to demonstrate that they have proper controls over the processing and security of personal data, including how data is used, stored, kept up-to-date, accessed, transferred and deleted.
A company must disclose a breach within 72 hours through the proper channels, or penalties for non-compliance could cost organisations upwards of €20 million or four per cent of yearly worldwide revenue, whichever is higher.
“Over the next couple of months, we will start to see the first fines being handed out and major organisations will make news headlines,” said Jeff Ogden, general manager of Mimecast Middle East.
Because most organisations require significant time and investment to support GDPR-mandated processes and capabilities, he said the EU gave significant time for organisations to prepare. Given the GDPR’s sweeping scope and transformative impact, organisations would have had to review — and most likely overhaul — the way they handle personal data.
“Any organisation that has not yet begun to update its systems could find itself in hot water when the regulation comes into effect. All UAE organisations who are sure whether they need to be compliant must remember that it includes the collection and processing of the data of any EU citizen, so this could include customers or employees,” he said.