by Stephen Donald McBride

GDPR compliance in the Middle East: What you need to know

Jul 28, 2019
Cloud Computing, Compliance, Legal

Organizations across the region are struggling to comply with the EU’s privacy law; here's how to clear stumbling blocks and keep regulators happy.


The European Union’s introduction last year of the General Data Protection Regulation (GDPR) is still creating challenges for companies in the Middle East, especially small and medium-size enterprises (SMEs).

Governments across the region have long been pursuing economic growth programs to boost employment and diversify GDP away from oil-and-gas production. As the private sector toils to realize this vision, SMEs have been hit hardest by the costs of national regulatory compliance in their own markets, as governments react to high-profile cyberattacks such as Saudi Aramco’s battle with the Shamoon virus in 2012, a similar onslaught at Qatar’s Ras Gas the same year, and other such incidents.

At the same time, Middle Eastern businesses must address GDPR. In Europe, alarm about the breathtaking rate of data collection by businesses, coupled with worries about the control technology companies have over personal information, led to calls for regulatory action.

In a bid to address privacy concerns, the European Union introduced GDPR. Enshrined in European law since 25 May 2018, it was designed to cover data protection and privacy for all EU and EEA (European Economic Area) citizens and to place strict controls on the export of that data beyond EU borders.

Middle East businesses unprepared for GDPR

Despite a familiarity with compliance pressures, the region’s preparations for GDPR were not ideal, according to analysts. A report from Ernst & Young in February last year, just four months out from the regulation’s effective date, showed only 27% of companies in the Middle East and Africa had enacted GDPR-compliance strategies. The report cited unfamiliarity and hesitation across the globe on GDPR, with some organizations seemingly unaware of its very existence.

“There are roughly 160 GDPR requirements, ranging from how businesses collect, store and use personal information, to mandating a 72-hour notification for personal data breaches,” said Mike Yeh, assistant general counsel for corporate external and legal affairs for the Middle East and Africa at Microsoft. “Compliance can be a significant challenge for businesses. This is especially the case in the Middle East, where businesses are more prone to cyberattacks than anywhere else in the world [according to an August 2016 report from PwC].”

The provisions of GDPR require any Middle East business offering goods or services in the European Union to be compliant with the regulation’s stipulations on the processing of the personal data of EU residents. While compliance may lead to an enhancement in data security practices in the region, the implementation of EU regulations with regard to privacy notices, policies, processes and governance could prove a challenge for some firms.

GDPR poses challenges for Middle East firms

“The first challenge faced by all organizations embarking on their GDPR-compliant journey is accurate completion of the processing-activities record, which forms the backbone of compliance,” said Akshay Lamba, CIO, Deloitte Middle East.

But auditing trails such as the GDPR’s processing record are only the beginning. If a regional business holds information on EU or EEA residents, it must take best-standards approaches to cybersecurity.

GDPR, among other things, takes a “zero-tolerance approach to breach,” said Claude Schück, regional manager of Veeam Software Middle East, a Dubai-based specialist in cloud data management. “Besides the financial impact, reputational damage is what most companies fear. The perception that your house is not in order is something that [prospective customers] will not tolerate.”

GDPR’s Article 4 defines two important parties (or businesses) subject to compliance – the data controller and the data processor. In general terms, controllers hold data, and processors use it. In the past, the EU imposed fines that were limited in scope and impact. This has changed, with fines now reaching as much as 4% of annual turnover, and being applied with more granularity.

“GDPR fines will apply to both controllers and processors,” said Deloitte’s Lamba. “In addition, [the regulation] will apply to all companies processing the personal data of subjects residing in the EU, regardless of the company’s location.”

Skills gap weighs on GDPR compliance

Businesses in the region that are still preparing for GDPR compliance continue to face challenges, with impacts that vary depending on the scale of a business and how cash-rich it is. Compliance can be costly, and challenges include the management and protection of personal data, investments in protection measures, and reporting breaches to regulators within a mandated 72-hour timeframe. Businesses must also appoint a suitable overseer for compliance, which may be impractical for smaller enterprises with shallower purses.

“[Because of the] new requirements and challenges for legal, information security and compliance functions, many organizations will require a Data Protection Officer who will have a key role in ensuring compliance,” said Lamba. “A renewed emphasis on accountability will demand proactive, robust privacy governance, requiring organizations to review how they write privacy policies, to make these easier to understand.”

In dealing with the internal skills gaps that may negate the possibility of appointing a qualified Data Protection Officer (DPO), Microsoft’s Yeh argues that cloud migration may hold an answer for such smaller-scale entities. In addition, cloud platforms can go some way toward addressing the lack of budget in providing adequate data protection.

“In the past, a lack of local, hyper-scale and large-scale data centers has limited cloud adoption in the Middle East,” Yeh said, “but, now with global service providers launching data-center regions here, we will likely see accelerated growth in adoption, which can help companies comply with both local legislation and GDPR.”

Tech isn’t everything when it comes to compliance

Businesses, however, should not be overly reliant on technology for compliance, Veeam’s Schück cautions.

“Companies can have the most sophisticated system, with all processes mapped out in detail, and still not comply,” Schück warned. “Education and a transfer of skills and knowledge [are what] companies should invest in.”

But even as many put their faith in technology to keep them compliant, these platforms and applications are themselves falling under the watchful eyes of EU regulators. The 72-hour deadline for reporting breaches, for example, will require enhanced incident-response functions within cybersecurity suites, whether on premises or in the cloud.

“The concept of ‘Privacy by Design and by Default’ has now become enshrined in law, with privacy-impact assessments expected to become commonplace across organizations over the next few years,” Lamba said. “Organizations will be expected to look more into data masking, pseudonymisation and encryption.”

Article 3 of GDPR defines pseudonymisation as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information”.
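The definition above hinges on the “additional information” being kept apart from the pseudonymised data. The following Python example is added here to illustrate that split; it is not code from the article or from any of the companies quoted. It replaces direct identifiers in a record with a keyed HMAC token, keeps the secret key and the token-to-identity table in a separate object (standing in for a separately access-controlled store), and shows that without that key the tokens cannot be attributed back to a person. The field names, key and sample record are constructed for illustration.

```python
"""Keyed pseudonymisation of customer records (illustrative example).

The secret key and the re-identification table are the "additional
information" in the GDPR sense: whoever holds only the pseudonymised
data set cannot map a token back to a data subject.
"""
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional

# Fields assumed to directly identify a data subject (constructed list).
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")


def make_pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token: same value under the same key -> same token.

    Normalisation (trim + lower-case) keeps "Alice@Example.com" and
    "alice@example.com" linked to one token, which is what analytics needs.
    A plain unkeyed hash would NOT qualify: an attacker who knows a target's
    email could recompute the hash and re-identify the record.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


class Pseudonymiser:
    """Holds the key and the token-to-identity table, separately from the data.

    In a real deployment these live in their own access-controlled store
    (for example a KMS-backed vault) so that a breach of the pseudonymised
    data set alone does not expose identities.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonymise(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Return a copy of `record` with direct identifiers replaced by tokens."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if out.get(field) is not None:
                original = str(out[field])
                token = make_pseudonym(original, self.key)
                self._lookup[token] = original   # the "additional information"
                out[field] = token
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Map a token back to the original value; None if unknown here."""
        return self._lookup.get(token)

    def lookup_size(self) -> int:
        return len(self._lookup)


def linkable_across_keys(value: str) -> bool:
    """Show that data sets pseudonymised under different keys cannot be joined."""
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    return make_pseudonym(value, k1) == make_pseudonym(value, k2)


if __name__ == "__main__":
    # Constructed sample record.
    record = {"email": "Alice@Example.com", "full_name": "Alice Smith",
              "country": "AE", "order_total": 120.5}
    controller = Pseudonymiser()
    safe = controller.pseudonymise(record)
    print("pseudonymised:", safe)
    print("re-identified by key holder:", controller.reidentify(safe["email"]))
    print("re-identified without key:", Pseudonymiser().reidentify(safe["email"]))
```

Non-identifying fields such as `country` and `order_total` pass through untouched, so the pseudonymised set is still usable for reporting, while re-identification is only possible through the object that holds the key and table. Rotating the key yields an unrelated set of tokens, which is why two data sets pseudonymised under different keys cannot be joined on the person.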

“Enterprises need to define their processes to include steps that guard against GDPR non-compliance, which can be mapped with the correct technologies,” Schück said. SMEs will struggle, he said, since their business processes often are not as fixed or standardized as those of larger companies. “This leads to many forms of non-compliance and leaves SMEs exposed,” he said.

Building a compliance framework

Companies in the region will need to build their compliance around openness, as hiding behind “pages of legalese” will no longer serve them, according to Lamba.

“GDPR will retain the notion of consent as one of the conditions for lawful processing, with organizations required to obtain ‘freely given, specific, informed and unambiguous’ permission, while being able to demonstrate these criteria have been met,” Lamba said.

The region’s businesses will have to deal with technological challenges such as data access requests, data retention, the “right to be forgotten”, data minimization, breach notification and international and third-party data transfers, Lamba added.

“Every time a business uses a third party for any kind of service that might involve data processing, there should be a concrete process with clear requirements to assess these parties and their specific obligations under the regulation, as vendors or third-party processors of personal data,” Lamba said. “To make sure this is done effectively, there needs to be collaboration between legal, risk, IT and procurement, with strong steering from the DPO.”

To ensure compliance with GDPR as well as other regulations, organizations should look at their commitments holistically, within the context of all their regulatory and legal privacy obligations, Yeh said. “For instance, many of the GDPR’s required security controls to prevent, detect, and respond to vulnerabilities are similar to the controls expected by other data-protection standards, such as the ISO 27018 cloud-privacy standard,” he said.

Speed is of the essence, Veeam’s Schück said, urging the region’s businesses to “get your processes defined, play out the specifics, educate your workforce and act quickly.”