Why GDPR could spell greater data privacy in the Middle East
Source: Thomas Dean, Author: Thomas Dean
Posted: Wed February 7, 2018 11:30 am

UAE. From May 25th of this year, a new EU directive called the General Data Protection Regulation is due to be introduced across all EU states.

As the name suggests, it’s concerned with protecting the individual data of all EU citizens, something that has been identified as a fundamental human right and, therefore, is being treated with all the seriousness this deserves.

"Cloud Security - Secure Data - Cyber Sec" (CC BY-SA 2.0) by perspec_photo88

This is also reflected in the penalties for failing to comply, which could potentially be as high as 4% of an offending organisation’s annual revenue or 20 million euros, depending on circumstances.

The regulation covers failures to keep customers' details safe, and it makes it obligatory to report any data breaches as soon as possible after they occur. It also covers a far wider range of personal information than ever before, including IP addresses, device IDs and location data. It even goes as far as protecting an individual’s genetic and biometric information.

While this is a Europe-wide initiative, the GDPR could also have major ramifications for countries in the Middle East as any business that has dealings with EU countries, or holds any data concerning EU citizens, will have to comply and will face the same sanctions if they fail to do so.

As different countries in the region have their own data protection protocols, some stricter than others, there won’t be a “one size fits all” solution, and each country would do well to seek some clarity on GDPR if it is to become truly compliant.

There will be a number of requirements to achieve compliance including these principal ones:
- Any organisation based in the Middle East that processes the data of EU citizens will need to designate a representative in the EU.
- Data breaches must be notified within 72 hours of them occurring and affected individuals may also have to be notified.
- Privacy-by-design will be the obligatory approach so, for example, before any high-risk data processing is carried out, a privacy impact assessment will have to be done and any identified risks will need to be mitigated.
- Any organisation that carries out high volumes of processing using sensitive data will have to appoint an official Data Protection Officer.
- People whose data is on file will need to have the right to have all records of them erased and the data holders will have to ensure that they can do this.

Doha - Qatar Skyline (CC BY-SA 2.0) by jikatu

Some countries have already taken great strides towards compliance. For example, in 2016, Qatar brought its own Data Privacy and Protection Law into force and others have also taken strides towards tightening up their rules.

For instance, the governmental body of the Dubai International Financial Centre has also recently enforced a new privacy policy, although it still falls some way short of the requirements of the GDPR.

So these next few months will certainly be a challenging time for all Middle Eastern organisations that aim to trade with Europe. But the result will hopefully be a more secure world for individuals and businesses at a time when data attacks and breaches are undoubtedly on the increase all across the globe.
