Rolling out a General Data Protection Regulation (GDPR) compliance framework as a global standard can be operationally simpler for global organisations and may also help to reduce the level of privacy risk, including in non-EU countries, said an industry expert.
“The GDPR's strict requirements on data breach handling are well known, in particular, the requirement to report personal data breaches to regulators within 72 hours of becoming aware (unless the breach is unlikely to result in a risk). Depending on the level of risk, breaches may also need to be notified to individuals,” Joanna de Fonseka, Senior Associate for Technology/Commercial at Baker McKenzie Habib Al Mulla, told TechRadar Middle East.
GDPR was introduced in May 2018 and it has had a significant impact on personal data protection.
According to law firm DLA Piper, GDPR has led to over 160,000 data breach notifications across Europe, and regulators had imposed about $126 million in fines under the GDPR regime up to January for a wide range of GDPR infringements, not just for data breaches.
France, Germany and Austria top the rankings for the total value of GDPR fines imposed with just over $5m, $26.80m and $19.7m respectively.
The Netherlands, Germany and the UK topped the table for the number of data breaches notified to regulators with 40,647, 37,636 and 22,181 respectively.
The biggest penalty under GDPR to date was a fine of $55m imposed on Google.
Moreover, Fonseka said that many multinational companies are increasingly choosing to follow stricter data protection standards, such as the GDPR, globally.
From a UAE perspective, she said that there is currently no equivalent requirement but companies may still need to comply with the GDPR breach reporting obligations if their data processing activities are subject to the GDPR, due to its broad territorial scope.
UAE data protection law soon
The UAE’s regulatory authorities are expected to announce more details about the country’s Personal Data Protection Law soon.
“Part of the strategy is that data privacy is crucial to the cyber and the UAE is regulating and drafting a data protection law. We will look at the best performing practices performed worldwide; GDPR will be one of the inputs to it. We want to make sure that whatever regulations are put are easy to implement across different sectors,” Mohammad Al Zarooni, Director of Policies and Programs Department at the Telecommunications Regulatory Authority (TRA) of the UAE, told TechRadar Middle East recently.
However, Fonseka said that UAE companies that work with EU customers will still need to comply in practice even if they themselves are not directly subject to the GDPR. An EU customer will normally seek to flow down certain GDPR obligations contractually to its non-EU service providers, including in relation to breach reporting.
“There are still significant reputational advantages of responsible information handling. That might include implementing staff training programmes, negotiating robust data processing terms with vendors, and following good information security practices, including breach reporting where appropriate.
“Handling personal data responsibly can help promote trust and confidence in a company's brand - particularly for consumer-facing organisations,” she said.
However, she said that the GDPR has extra-territorial application and companies outside the EU will still need to comply if they offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU (for example, if they sell their products to EU consumers through a website targeted at the EU market).
“A UAE company could therefore still be subject to GDPR fines if its activities are caught by the GDPR and it does not comply,” she said.
“GDPR is still one of the strictest standards globally; we often find that multinationals prefer to take the GDPR as their baseline for global compliance. Operationally, this is often the simplest approach and there is likely to be a reputational advantage as well,” she said.