What is GDPR?
On May 25, 2018, the General Data Protection Regulation (GDPR) will come into effect. It has been dubbed one of the most evolutionary pieces of regulation of the past few decades in the realm of personal data protection. Targeted at Europe, its ripples will be felt across the world.
What exactly is the General Data Protection Regulation, or the GDPR as it is widely known?
GDPR is a new set of rules issued by the European Commission that will govern the privacy and security of personal data and will replace the outdated Data Protection Directive from 1995.
The key objective of GDPR is to ensure that EU citizens and residents have complete control over their personal data, and to ensure strict compliance with the regulation by way of hefty fines and penalties.
The biggest change that will be effected by this regulation is the pan-global jurisdiction that it has. It remains to be seen, though, how the EU Commission will exercise this jurisdiction in a global landscape. I will discuss this further on in the article.
GDPR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
Simply put, “GDPR will apply to all companies that process personal data of data subjects residing in the EU, regardless of where the company is located”.
The GDPR text uses the words “EU subjects”; however, in various articles and information that I have come across on the internet and during discussions with privacy experts, I have seen the term being used interchangeably with “citizens” or “residents”.
I have used the term “Resident” and am personally convinced that the GDPR focus is on “EU Residents”. Although it might seem innocuous, it completely changes the paradigm and the scope. I believe there is a lot of ambiguity on the matter and a clear, concurrent and unambiguous definition should be reached.
Secondly, I am still wondering how the EU intends to exercise its global jurisdiction. Well, there may be situations when it can. For example, let us assume a company supplies goods to the EU through an established contract with a company in the EU. As part of the order booking process, it collects some personally identifiable information (PII). In the case of a data breach leading to loss or leakage of this PII, the EU Commission may be able to levy fines/penalties on the company, as the company may have some legal/contractual bindings within the EU.
However, there could be instances where it could be difficult. For example, let us assume a company based in the Far East supplies goods to the EU through an online portal. As part of the order booking process, it collects some personally identifiable information (PII). In the case of a data breach leading to loss or leakage of this PII, how would the EU Commission be able to levy fines/penalties on the company, as the company may not have any legal/contractual bindings within the EU? The company may just choose to ignore any fines or penalties imposed on it by EU data commissioners.
Has the EU Commission done enough for the region in terms of awareness?
IMHO, I do not believe that enough has been done in the region (I speak of the Middle East / GCC) by the EU to drive awareness about the GDPR and its implications in the region. For a regulation that has implied extra-territorial applicability, the onus, or at least a significant responsibility, for its awareness should have been on the EU Commission. They do not really intend to catch local (ME/GCC) businesses unawares, do they?
At a minimum, I expected pro-active steps, at least by the EU members, to drive awareness about GDPR, at least in countries outside the EU where they have significant business interests.
The GCC fits the bill. Most of the EU countries have considerable business interests in the region, yet there has been little or no awareness about the GDPR in the region.
GDPR Impact on the Middle East
The Middle East (and specifically the GCC) does a huge amount of business with the EU region; as such, there will definitely be implications and impacts of GDPR for businesses in the region.
Further, the region is a major aviation zone transiting passengers across the world and an affordable tourist destination. As such, a huge number of EU residents use these airlines to travel across the world and to vacation on the sun-soaked beaches and in the deserts.
Other sectors that may be impacted include Telecom, Leisure (Hotel, sightseeing / tour companies etc.), Finance (Banking and Insurance) and Retail.
In addition, the region survives by sourcing a huge workforce from across the world, including the EU.
A recurring question amongst the local businesses that employ an EU workforce is whether they are impacted by GDPR. I would like to reiterate the ambiguity I mentioned earlier on in the article. If the subject were an EU citizen, then the answer would definitely be yes. However, if the subject is an EU resident, then the employee ceases to be a resident of the EU if working on a permanent basis, hence the answer would be no.
Yet there are minor caveats here as well: the so-called EU citizen (employee) would become a resident of the local country only after staying continuously for six months! Further, there would still be a liability for consultants and temporary workforce who work on short-term projects.
Unless these issues are clarified, there remains a risk (albeit a small one) that in future local businesses may desist from employing an EU workforce as a risk mitigation strategy.
In addition, the question remains how the EU Commission would be able to penalize such local businesses in case of a breach of information (that includes EU residents’ PII).
Is the region ready?
Although I personally know of a few organizations in the telecom, finance and aviation domains that are taking steps to comply with GDPR, a major part of the local businesses, including those involved in trading with EU countries, are not yet ready. Worse, most of them are probably still not aware whether they need to do something.
A huge awareness effort is necessary, and probably we have already missed the bus, considering that GDPR is going to be effective on May 25. However, it is never too late.
Disclaimer: The opinions expressed in the article are solely my personal views and do not in any way represent those of my organization.