In May 2018, GDPR came into force. The EU regulation applies to companies that do business in Europe or hold the data of European citizens. It is hard to predict whether an employee of a company based in the Middle East will travel to Europe one day, or whether someone will arrive from the EU. A single European client, or a single web form filled in by an EU citizen, obliges a company to follow the new rules. This means that GDPR norms should be followed by almost every organisation located in the Middle East.
The new regulation noticeably raises awareness in the region
The European rules impose stricter requirements for the protection of personal information than those specified by UAE legislation. Information security officers are confident that GDPR will help businesses improve their data protection mechanisms. Organisations will improve their threat detection and incident notification processes and configure monitoring policies. A company will be fined if any violation occurs.
The new rules should be addressed as soon as possible. Many countries of the region have their own data protection norms in place, but few states in the Middle East have regulations as rigorous as those GDPR introduces. Most local rules are vague, and complying with them achieves little.
Businesses worldwide have not yet grasped the importance of the new EU rules
Companies have to admit to facing a few issues:
1 - Not understanding what in their usual data handling must change, and how
It took quite a while to create a unified procedure for working with the personal data of EU citizens. It means that the previous data storage and usage system should be rearranged in accordance with the new norms. Some think the EU rules will not affect them because they have always had everything under control; others cannot even list what information their companies hold or name the methods used to obtain and use it. The regulation will make all of them follow the new instructions, since the absence of violations does not exempt a company from liability, and being able to present a report on data usage is one of the law's basic requirements.
2 - Reluctance to disclose information on corporate activities, and a focus on gathering ever more data, both run against GDPR
The fundamental GDPR directives define which information can be obtained, give users rights to manage their personal data and demand that a leak be reported within 72 hours. The new norms emphasise the transparency of all processes involving user data. Refusing to comment on an incident for confidentiality and security reasons is not encouraged by the EU regulation. In spring 2018 Bloomberg News revealed the real financial figures of Saudi Aramco, which allegedly appeared to be higher than Apple's profit. It was not clear who leaked the financial report, whether it featured correct information, or whether anyone's personal data had been misused. Aramco refused to respond, and that is what makes the case relevant.
3 - Lack of time to prepare
To comply with all the GDPR requirements, a company must be aware of all the information stored within its corporate network and of all the details of local regulations, which were heavily influenced by the European law, and must know whether it has acted in accordance with the norms. Readiness to comply depends on all these factors. Small businesses that have never worked with large volumes of data and never needed to introduce corporate regulations or integrate a security system have to acknowledge how thorough the adaptation must be. Large businesses that are used to extracting as much information as possible to stay ahead of competitors are challenged to conform to GDPR.
Jaguar Land Rover might have become the first victim of the EU rules. In May 2018 the data of 647 employees, containing details of upcoming dismissals, was exposed to colleagues. Some countries did not acknowledge the significance of data regulation until GDPR was created. In Lebanon, for example, the idea of data protection is still quite vague: there were no comprehensive regulations and no limits on data usage. Many countries have no stringent guidance on information storage. Collection and processing of personal data left unaddressed by legislation raise multiple questions during adaptation.
What can happen when there are no unified instructions on personal data management:
Personal details of 14 million clients get leaked
On 14 January 2018 the names, emails, phone numbers and trip information of 14 million Careem customers were compromised. In April the company announced the incident, assuring customers that credit card data was not affected because it was stored on a separate server. When the transportation network had to answer why the leak was reported only after several months, its representatives referred to complicated and time-consuming investigations.
Personal data of 90,000 Lebanese expats managed by a third party
The Ministry of Foreign Affairs and Emigrants asked Lebanese expats to register on its website to take part in the elections. Minister Sehnaoui exploited the emigrants' database to fill in their details. Nicolas Sehnaoui denied his involvement but gave no statement on what had really happened. A misaddressed email revealed that several people had used the same phone number while registering emigrants. The authentication was implemented incorrectly, Sehnaoui avoided commenting on the incident, and personal data was processed without meeting even the minimum confidentiality requirements.
Hundreds of fans in front of your house
In June 2018 the address of Mohamed Salah's home in Egypt appeared to have been leaked on Facebook. The football player chose to greet the people outside his house and sign some autographs.
GDPR can bring positive changes to data security, make businesses report incidents as soon as they occur and oblige them to appoint employees responsible for data protection.
Leading information security officers and compliance managers should take the preparatory process seriously, since not all companies understand what it takes to conform to GDPR standards. New data protection methods are to be introduced: innovative forms of access monitoring and computer expertise can be applied, and DLP systems can be integrated. Right now, strict control over data transfer channels is a measure that must be taken to ease the adaptation to the new rules.
Sergey Ozhegov is CEO of SearchInform.