GDPR Compliance in the Middle East: The Challenges

Educating Companies About the Tougher Requirements
L-R: Samir Pawaskar, security professional; Dr Jassim Haji, Gulf Air; and Ahmed Baig, CISO Council

The many companies in the Middle East that do business in Europe - and handle Europeans' data - now must comply with the European Union's new General Data Protection Regulation. And some security experts say that could lead to a boost in data security practices in the region.

GDPR is already in effect, but it won't be enforced until May 25, 2018. Before then, any organization with European customers must ensure that it complies with the various new measures mandated by the EU law, which include mandatory data breach notifications and stronger privacy protections for consumers, as well as stringent data security requirements. GDPR also gives privacy regulators stronger enforcement powers. Any organization that violates the rules could face fines of up to 4 percent of its global annual revenue or €20 million ($21.2 million) - whichever is greater.

Qatar-based Samir Pawaskar, a security practitioner heading cybersecurity policy and standards teams, predicts the EU regulation will lead more Middle Eastern companies to implement the right governance, processes and security controls.

"The regulation would entail companies to probably re-engineer their processes and information systems to ensure compliance with GDPR unless they have an adequate privacy assessment and compliance processes in place," Pawaskar says.

Understanding the Policy Nuances

Many Middle Eastern countries already have implemented their own data protection regulations. For instance, Qatar issued a Data Privacy and Protection Law in 2016, which is closely aligned with GDPR.

But in some cases, complying with local regulations as well as GDPR could prove challenging if the requirements differ, says Ahmed Qurram Baig, president of CISO Council.

Middle Eastern countries' privacy and breach notification regulations, in general, are less strict and detailed than GDPR.

Increasing Threats Demand Breach Disclosure

The Middle East region is increasingly the target of cyberattacks, which makes improving data security more urgent. For example, in its latest "Review of the Year," Kaspersky Lab revealed the UAE was the target of at least three massive cyberattacks in 2016. And CERT-ae reports that the region has been victimized by malware attacks, phishing and social engineering.

Some Middle Eastern nations have expressed their intent to ramp up enforcement of their data protection and privacy regulations, Baig notes. For instance, Dubai International Financial Centre, a government body, is enforcing a privacy policy. But because Dubai's law is less tough than GDPR, companies in the nation that do business in Europe will face the new challenge of complying with the EU regulation as well, he points out.

In fact, GDPR could serve as a catalyst for nations in the region to enforce stronger privacy protections and breach disclosure requirements, some security experts say.

"Middle East government and enterprises such as Qatar's Financial trade centre are establishing directives which mandate enterprises to share details of information security breaches to a centralized authority, which can then be shared with other enterprises to ensure that they have established controls to mitigate them, and that the breach is contained," says Bahrain-based Dr. Jassim Haji, director, information technology for Gulf Air. "However, it is not mandatory to disclose a breach at this point in time." So GDPR could lead more companies to more promptly disclose breaches, he says.

Key Compliance Challenges

In preparing for GDPR compliance, companies in the region face several key challenges, Baig says. Those include:

  • Demonstrating their ability to manage and protect personal data;
  • Increasing investment in data protection;
  • Devising ways to report breach incidents within the required 72 hours;
  • Determining who will take the lead role in data protection and privacy, whether that's executive management, the board, the CISO or a data protection officer.

Security experts in the region say there's a lack of awareness among many companies about the tougher requirements of GDPR - and who must comply.

Haji says that security leaders should start awareness campaigns within the IT team and other departments to ensure that everyone knows their responsibilities.

"It is key to take a collaborative approach to work closely with the peers in the industry and enhance incident response mechanism on the lines recommended by CERT," he stresses.

To help prepare for GDPR compliance, Baig recommends that organizations in the region adopt security controls, such as encryption and access restriction, along with ongoing monitoring of data access. Also essential, he says, is conducting a privacy impact assessment that identifies and assesses privacy risks.

About the Author

Geetha Nandikotkur

Managing Editor, Asia & the Middle East, ISMG

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.