With just over a month to go before the new EU General Data Protection Regulation (GDPR), the most important data privacy regulation change in recent years, comes into force, it’s vital companies in the Arabian Gulf pay attention to it.
It’s no exaggeration to say that the GDPR will have a profound impact on every organization that relies on the storage and processing of the personal data of EU citizens – and that means EU citizens wherever they reside, and organizations that deal with European citizens, regardless of the organization’s home base.
The Game Changer:
Designed to shift control of personal data back to the data owner, the regulation includes amongst its list of subject data rights, the right to have personal data erased. GDPR will enable individuals to question companies about the extent of personally identifiable data they hold, and companies will no longer have the right to charge for this service (apart from in extenuating circumstances). The data in question could be usernames, location data, online identifiers, such as IP address or cookies, or passwords, and with GDPR the definition of sensitive personal data has expanded to include genetic and biometric identity.
GDPR therefore will usher in significant changes to how companies manage and process personal data, to privacy compliance programs, as well as IT systems and infrastructure.
May 25, 2018 is the date that penalties for noncompliance come into effect, with GDPR fines of up to 4% of annual global revenue or 20 million euros — whichever is greater.
Will You be Impacted?
The implementation particularly applies to GCC organizations that have a branch, subsidiary or single representative within the European Union; those that may not be physically present in the EU, but which offer goods or services to EU-based data subjects and even those who monitor the on the online behavior of EU data subjects.
While many key GDPR concepts and principles are virtually the same as those in the current Data Protection Act, there are new elements and significant enhancements which mean that businesses will have to do some things differently. It’s vital you plan your compliance approach now and get the ‘buy in’ of your key people because you may have to implement new procedures to meet transparency and individuals’ rights provisions.
Most significantly, GDPR places greater emphasis on the data documentation that must now be kept to prove accountability, so you may need to review your governance approach and how you manage data protection, which could include reviewing existing contracts and arrangements you have for data sharing.
The Four Keys:
Here are four key issues you need to keep front of mind when developing your GDPR approach:
1. Location: you’ll need to create an inventory of personal data. GDPR requires organizations to be able to identify every reference to any individual across all systems.
2. Governance: You’ll need to manage personal data access and use. Establish a clear view of existing data and define the new data processing activities required.
3. Security: You’ll need to protect personal data against vulnerabilities and breach. Business will need to be able to prevent, detect and respond to any threat of data being compromised.
4. Reporting: You’ll need to have a full reporting function to account for data requests, breaches and accountability. GDPR requires higher standards of transparency, accountability and documentation than most companies will have previously encountered.
So how can Gulf companies ensure they are compliant?
Keep abreast of the latest Microsoft Office 365 updates which, apart from helping to improve your communication, collaboration, creativity and productivity, will also assist in preparing you for GDPR implementation. And take note, if any data is hosted off-premises by a third-party, a business must ensure that its cloud service provider can deliver the relevant level of security, produce logs in the event of an incident, and produce them as and when required. You should be asking yourself a simple question: “Can our supplier meet the GDPR criteria?”
And, while GDPR doesn’t prescribe specific data protection technologies, but rather processes that organizations should take, businesses should be talking NOW to their IT providers about core data security solutions.
To help you get ready for GDPR, here’s 12 key preparation steps
Spread the news:
Make sure your key people know about GDPR and its likely impact.
Document the personal data you already hold, where it came from and with whom you share it. You may need to organize an information audit.
Review your current privacy notices and plan for any necessary changes in time for GDPR implementation.
Be on the Rights Side
Check your procedures cover all the rights individuals will have, including how you would delete personal data or provide data electronically and in a commonly used format.
Subject access requests
Update your procedures and plan how you will handle requests within the required timescales.
Look at the types of data processing you carry out, identify your legal basis for carrying it out and document it.
Review how you seek, obtain and record consent and whether you need to make any changes.
Check the Kids’ Stuff
Start putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection & Reporting
Designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements. Also determine which data protection supervisory authority you come under.
Help Is At Hand:
Meet Your Office 365 Compliance Manager:
This capability enables administrators to evaluate and manage risks and schedule tasks in order of priority for compliance purposes. Azure Information Protection, part of the comprehensive Azure set of cloud services that developers and IT professionals use to build, deploy and manage applications through Microsoft’s global data centre network, also now has a tool which allows users to automatically find, label and protect sensitive data across cloud services, platforms, and on-premises.
Many of the new GDPR requirements can also be met through bundled services, based on Office 365, which have been tailored by Cobweb to enable companies to meet the new VAT compliance requirements in Saudi Arabia and the UAE. These bundles can be leveraged with the new Office 365 upgrades to ensure you can meet the important GDPR deadline. You’ll get the very highest level of data reporting and security tools all delivered via the cloud.