The Middle East is in growth mode, and while digital transformation offers a path to economic development, enterprises that are trying to expand in the region are stumbling over regulatory hurdles.
When moving to the cloud – a common starting point for businesses that go digital – Middle East organizations have traditionally been unable to find top-tier providers whose infrastructure is locally, or even regionally, based. Although this is starting to change, with AWS, Microsoft and Google all opening data centers in the GCC, for example, companies still face challenges when trying to comply with local, regional and international rules.
The issue casts a shadow on efforts to promote growth. For some Middle Eastern countries, industrial expansion goes hand in hand with efforts to play a bigger geopolitical role on the world stage. Other nations are seeking to mitigate their petrochemical dependency by diversifying their economies.
Regulatory compliance, however, poses a particular challenge.
Fragmentation creates a barrier to compliance
“Across the Gulf Cooperation Council, there is no overarching law that deals with data protection, and one risk for companies is fragmentation,” said Mike Yeh, a Microsoft lawyer and government affairs lead for the Middle East and Africa.
Many of the region’s local regulations bear similarities to the European Union’s General Data Privacy Regulation. For example, the law Concerning Personal Data Protection, or DPL, issued in 2016 by Qatar requires organizations in the country to ensure privacy protections are integrated into the design of new products and services. Companies are expected to revamp systems and processes if necessary, regardless of cost.
Fines for non-compliance with the DPL can reach up to US$1.35 million, Yeh noted, so businesses cannot afford to forgo overhauls.
Making compliance issues even more complicated for enterprises trying to avoid such fines, fragmentation of data protection rules also exists at the national level.
In the UAE, for example, there is no formal data-protection law at the federal level. Article 379 of the UAE Penal Code prohibits the disclosing of “secrets” without consent but is unclear as to whether this pertains to personal information such as date of birth. Instead of national-level regulations, so-called commercial Free Zones, such as Dubai International Financial Centre (DIFC), Abu Dhabi Global Market and Dubai Healthcare City, operate with a degree of autonomy and have their own data-protection laws.
Finance, energy make the Middle East a target
Meanwhile, the scale of the region’s financial and energy sectors serves as a magnet for malicious actors, said Talal Wazani, head of strategic security consulting at Help AG, a systems integration company specializing in cybersecurity.
The World Economic Forum Global Risk Report 2019 warns of the increased likelihood of cyberattacks in the Gulf, and especially in Saudi Arabia and the UAE, Wazani noted. “This is evident in the past waves of attacks against Saudi Arabia in 2012 and 2017, and has ensured that cybersecurity compliance makes it to the top of the agendas of government agencies in both countries, with the UAE launching its National Cybersecurity Strategy and Saudi Arabia envisioning a secure and resilient digital infrastructure as part of Saudi Vision 2030 [the kingdom’s national economic diversification program],” Wazani said.
Wazani is one of many specialists who see the effort to satisfy regulations and standards as a necessary short-term burden that bleeds finances, encumbers human resources and introduces operational overheads. While compliance is an ongoing challenge, much of the cost involves initial restructuring to allow the introduction of baseline infrastructures and practices that satisfy regulators. Once this first-phase headache is behind them, Wazani believes risk exposure will have been alleviated for compliant organizations, and that much-needed investors will be more easily enticed to the region.
But for now, private-sector organizations across the Middle East are undertaking sweeping changes to remain compliant, according to Akshay Lamba, CIO of Deloitte Middle East.
“The influx of regulatory initiatives has forced many firms to reconsider their business models, in terms of new restrictions as much as new opportunities,” Lamba said.
Regulatory standards get lost in translation
Middle East businesses often must interpret international standards in different ways, adapting them to suit their own unique markets where offerings, customer demands, corporate culture and market maturity may vary wildly from those in Europe and the US, Lamba said.
As businesses grow, they must meet the requirements of the jurisdiction in which they plan to expand. The more complex the group becomes, the more complex and costly regulatory compliance becomes. “In the Middle East, regulatory agendas, new legislation and initiatives vary according to the priorities of each country, with both implementation dates as well as some key details differing between jurisdictions,” Lamba said.
And when implementing any sweeping change, it falls upon people on the ground to get the job done, which generates another obstacle for many regional entities. “Skills remain the main challenge for organizations that are looking to comply with the numerous requirements coming out of cybersecurity regulations and standards,” Help AG’s Wazani points out.
Wazani cited a global study conducted by the Information System Security Association (ISSA) that claims cybersecurity skills shortages impact more than 70% of organizations in the form of increased workloads on current staff.
Skills gap exacerbates security woes
The skills gap – a major issue for many regional firms – is not the only challenge that faces enterprises struggling to meet compliance regulations. The lack of mature risk-assessment methodologies and cost-benefit analysis can lead to delays in compliance as well as related financial problems, Wazani said.
In addition, businesses in the Middle East, like elsewhere, will have to implement new technology – such as cloud computing, blockchain and biometrics – to deal with new threats.
These issues have led some organizations to outsource technology roles, including that of CISO, and embrace the managed-services model.
Small and medium-size enterprises (SMEs) – which generate significant majorities of GDP, even in many non-oil-rich Middle Eastern states – will find it particularly difficult to meet compliance-related challenges and are, according to Microsoft’s Yeh, more likely than most enterprises to turn to outsourcing.
“Smaller businesses typically have less resources to devote to IT, and so the affordability and scalability of the cloud becomes invaluable to regulatory compliance,” Yeh said.
In order to serve such companies, AWS, Google and Microsoft, for example, have all claimed to be spending at least $1 billion annually on cybersecurity and related services for their clouds.
In any case, enterprises should make sure employees receive awareness training to “reduce the human risk factor”, Wazani said, urging people to think before clicking on links in emails and take care when connecting storage devices like thumb-drives to networked machines. He also suggested automation and outsourcing.
“One of the up-and-coming technologies in this region is GRC [governance, risk and compliance] automation, as it enables organizations to overcome the resources shortage by streamlining most of the recurring compliance activities and distributing the workload throughout the organization,” Wazani said.
Peeking into the regulatory future
Ultimately, compliance is an issue that takes continual assessment and adjustment.
“Regulatory frameworks require constant enhancements to stay effective, particularly as the markets they regulate evolve,” Deloitte’s Lamba said. “This includes identifying new regulatory requirements for new market entrants, and ensuring existing regulations are clear and enforceable.”
A holistic, platform-oriented approach to security can streamline such efforts. Rather than tracking the controls required by individual regulations on a case-by-case basis, enterprises can identify an overall set of controls and capabilities to meet these requirements, Microsoft’s Yeh suggested. “Taking a platform view that leverages a strong compliance foundation can help businesses ensure they comply with [all] requirements,” he said.
To help meet national goals for economic growth, the regulators can also play a part in minimizing the compliance burden on enterprises. “Regulators need to work hand in hand with industry leaders to define practical minimum requirements that ensure industry standards and best practices are in place without hindering business growth,” Wazani said. “This can be accomplished by engaging industry experts to assist governments in identifying threats in their respective areas and suggesting requirements to reduce the likelihood and impact of such threats.”