The European General Data Protection Regulation (GDPR) will apply to Middle East-based companies, and preparation is essential. Philip Ingram from Security News Desk examines some of the issues.
An increasing number of Middle East-based companies are doing business in Europe, investing in European companies, selling to European citizens and tracking the online behaviour of European citizens through their websites. All of these activities mean that Middle East-based companies will have to be aware of the incoming European General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679 to give it its official reference.
It comes into force on 25th May 2018 and is all about protecting individuals' data, but the environment where much of that data is held or processed is the cyber environment. It is something all company Chief Executives should be taking note of, and taking ownership of their data security procedures, as the potential penalties are huge. Philip Ingram from Security News Desk and SecurityMiddleEast.com looks at its potential impact for non-European organisations.
“This will impact every entity that holds or uses European personal data both inside and outside of Europe,” said Stewart Room, cyber security and data protection partner at PricewaterhouseCoopers (PwC) to Computer Weekly magazine.
According to the legal firm Allen & Overy, “GDPR applies to data controllers and data processors outside the EU if their processing activities relate to the ordering of goods or services (even if for free) to EU data subjects, or monitoring the behaviour (within the EU) of, EU data subjects.” This apparently relates to a company having a web presence in an EU country, for example a .ge or .fr website or if the goods are offered in local currency e.g. the Euro.
The regulation also applies to cross-border data transfers. Should an organisation use online IT services, cloud-based services, remote access services or global HR databases that hold or process data on EU citizens, then those too will be subject to GDPR regulation.
An example of how a company may be subject to GDPR regulation:
A UAE-based business sells goods or services over the internet across the globe, including to Europe. It doesn't have any offices or representatives outside the UAE. Some of the services offered are free and some are paid for, but knowing how difficult it is to get web visibility in Europe with a .ae web address, the company purchases and uses local top-level domains (e.g., ".ge", ".fr"); it also allows transactions in local currency, e.g. the Euro.
In this case, under these European regulations, the UAE-based business will be processing the personal data of EU residents, as it is offering services into EU countries, and this is clear through the use of local web addresses and local currency.
According to Alexander Blom of AIG, talking to Financier Worldwide, "The UAE has been reported as the fifth most targeted country in the world for cyber-crime. It is generally accepted that there are hacker organisations based in Eastern Europe and China that focus exclusively on the UAE and Saudi Arabia. Dubai in particular, as a financial centre for the region, and with a connectivity network that is the most developed in the region, is a popular target. The most common attacks are malware attacks, phishing, and social engineering through email. In the past year or two several financial institutions have also been the victim of denial of service attacks, incapacitating their websites or other connectivity. There are hundreds of attacks each day in the UAE alone."
The issue with these attacks is that if they result in the loss of data that a company has processed about an EU citizen, and the company does not report it as per the GDPR regulations, then it could be subject to penalties. The penalties the EU is talking about amount to 4% of global annual turnover or €20 million, whichever is the greater.
GDPR provides specific suggestions for what kinds of security actions might be considered “appropriate to the risk,” including:
- The pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
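The first measure in that list, pseudonymisation, is the one most often misunderstood, so here is a worked example of what it looks like in code. This is an added illustration, not code from the article or from any regulator; the customer records and the key are constructed sample values. The idea is that direct identifiers (here the e-mail address) are replaced in the working data set by a keyed HMAC token, while the table that maps tokens back to identifiers is kept separately under its own access control. Analytics can then run on the pseudonymised set, and only a data-subject request or a breach investigation needs the separate table.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

Record = Dict[str, object]

# Constructed sample data: three orders placed with a web shop by two EU customers.
SAMPLE_RECORDS: List[Record] = [
    {"email": "anna@example.eu", "country": "DE", "order_total_eur": 49.90},
    {"email": "luc@example.fr", "country": "FR", "order_total_eur": 120.00},
    {"email": "Anna@Example.eu", "country": "DE", "order_total_eur": 15.50},
]

# Fields that directly identify a person and must not appear in the working data set.
DIRECT_IDENTIFIERS = ("email",)


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256).

    The same identifier with the same key always yields the same token, so the
    records of one person can still be grouped. Without the key the token cannot
    be turned back into the identifier. A plain unkeyed hash would not give that
    property, because e-mail addresses are guessable inputs.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records: List[Record], key: bytes) -> Tuple[List[Record], Dict[str, str]]:
    """Replace direct identifiers with pseudonyms.

    Returns the pseudonymised records plus the re-identification table. GDPR
    calls that table 'additional information'; it has to be stored separately
    from the working data, with its own access control. Input records are not
    modified.
    """
    working: List[Record] = []
    reident_table: Dict[str, str] = {}
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in copy:
                original = str(copy[field]).strip().lower()
                token = make_pseudonym(original, key)
                reident_table[token] = original
                copy[field] = token
        working.append(copy)
    return working, reident_table


def reidentify(record: Record, reident_table: Dict[str, str]) -> Record:
    """Restore the original identifier, e.g. to answer a data-subject request.

    Only code that is allowed to read the separately stored table can do this.
    """
    restored = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in restored:
            restored[field] = reident_table[str(restored[field])]
    return restored


def spend_per_customer(records: List[Record]) -> Dict[str, float]:
    """Analytics that runs on the pseudonymised set: no e-mail address needed."""
    totals: Dict[str, float] = {}
    for rec in records:
        token = str(rec["email"])
        totals[token] = round(totals.get(token, 0.0) + float(rec["order_total_eur"]), 2)
    return totals


def contains_identifier(records: List[Record], reident_table: Dict[str, str]) -> bool:
    """Control check: has any original identifier leaked into the working set?"""
    originals = set(reident_table.values())
    return any(
        str(rec.get(field, "")).strip().lower() in originals
        for rec in records
        for field in DIRECT_IDENTIFIERS
    )


if __name__ == "__main__":
    # Constructed key; in a real deployment it comes from a key store, never source code.
    demo_key = b"constructed-demo-key-do-not-reuse"
    working_set, table = pseudonymise(SAMPLE_RECORDS, demo_key)
    for row in working_set:
        print(row)
    print("spend per pseudonym:", spend_per_customer(working_set))
    print("identifier leaked into working set:", contains_identifier(working_set, table))
```

Two design points matter for the "appropriate to the risk" test. First, the key is what makes the token a pseudonym rather than a thin disguise, so it belongs with the re-identification table, not with the working data. Second, the `contains_identifier` check is the kind of small, repeatable control that the last bullet in the list (regular testing of the measures) is asking for.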
Worryingly, at a recent conference for security professionals in London, fewer than 10% of the 120 attendees indicated they were aware of GDPR and had started to think about its potential impact. Jason Towse, the Managing Director for MITIE Total Security Solutions, says that this is number one on his risk register. It is probable that a much smaller percentage of global companies are doing so.
Elizabeth Denham, the UK Information Commissioner, is clear when she says, "It is essential to start planning your approach to GDPR compliance as early as you can and to gain 'buy in' from key people in your organisation." One thing is certain: GDPR is coming whether enterprises and organisations are prepared for it or not. Of note, the UK retail giant Tesco, whose banking arm was hacked recently, would face a fine of £1.9 billion under GDPR, according to Computing magazine!