One of Europe’s most talked-about regulatory exports, the EU’s General Data Protection Regulation (GDPR), became effective on 25 May 2018. That same day, complaints that could be worth more than $8bn were filed against leading US technology companies, causing the world to sit up and take note.
GDPR commentary can attract headlines, and not without some justification: the GDPR is at the forefront of a paradigm shift in data protection and privacy regulation. It can also apply directly to businesses in the Middle East.
The GDPR has broad extraterritorial reach, in the sense that EU data protection regulators could investigate or bring enforcement actions against businesses in the Middle East if the GDPR applies to their activities.
What is the GDPR?
The GDPR is an EU law applicable across all EU member states. It governs what businesses can and cannot do with personal data, defined as any information relating to an identified or identifiable natural person.
The GDPR means companies now need to think beyond obvious personal data, such as names and addresses, towards a much broader notion of personal data. This can include location data, internet IP addresses, and information specific to someone’s identity or characteristics, such as digital metadata and other details.
The GDPR states that the processing of personal data – essentially anything done with personal data, including its collection, use, transfer or deletion – is only lawful if and to the extent that one of several specified legal grounds applies.
It also reinforces certain general principles, such as transparency, fairness, accountability and data minimisation, that must be applied in all personal data processing activities.
The GDPR also gives individuals certain rights in respect of the processing of their personal data, such as the right to object to its use or to access the personal data held about them, and imposes a range of obligations on businesses, including IT security, cyber-incident reporting and record-keeping rules.
Finally, the GDPR establishes potentially significant financial and regulatory fines for non-compliance – the oft-cited maximum fine being the higher of €20m ($23.3m) and 4 per cent of annual worldwide turnover.
To whom does the GDPR apply?
The GDPR can apply directly to businesses based in the Middle East (and other jurisdictions outside of the EU) depending on the nature and extent of your nexus to the EU. If you have an office or employees in the EU, or if you have individuals (not corporates) who are customers in the EU, or if you monitor the behaviour of individuals located in the EU, then the GDPR could apply directly to your related activities in the Middle East.
The GDPR can also apply indirectly to businesses based in the Middle East as a result of doing business with EU-based companies. You may find your EU-based corporate counterparties sending you documents that require compliance with GDPR standards, and that regulate the transfer of personal data from within the EU to recipients located in the Middle East.
How to determine whether the GDPR applies
If you suspect that the GDPR may apply to your activities, it is important to dig deeper. It is commonplace to conduct an internal audit of the personal data being used in the business and then prepare a GDPR applicability assessment.
One significant effect of the GDPR on businesses has been the emphasis on a deeper and more granular understanding of the types, volumes and locations of data used by their organisation, the purposes for which it is used, and the IT infrastructure in which it is housed.
If whole sections of a data inventory or data map are missing, it is difficult to navigate and respond to a complaint, investigation or cybersecurity incident.
The surest way to formulate an external GDPR compliance strategy is often to invest in the introspection required to truly understand what your business does and is planning to do with personal data.
Once uses of personal data that may implicate the GDPR have been identified, then an action plan can be prepared to address any compliance gaps not already covered by the organisation’s existing policies, data governance and IT security.
If the GDPR applies, what does that mean?
If (and to the extent that) the GDPR applies, a range of detailed compliance requirements have to be met. Some of these require organisational change and investment for the long-term: hiring new internal data protection expertise, staff training, system upgrades, customer notices and new vendor contracts.
Disregarding the GDPR, or assuming it does not apply, can be risky. One cybersecurity incident, a data protection complaint from an EU-based customer, an enquiry from an EU regulator and a lack of preparedness (or evidence of a wilful decision not to comply) could lead to legal action.
Conversely, in the most successful cases, where senior management have taken a longer-term view, a GDPR compliance programme can be part of a wider organisational strategy for the digital era. Such a programme enhances the IT security and efficiency of the business, can be run in parallel to legacy IT systems deprecation and rationalisation, and can also in some cases improve visibility of intellectual property generation in data-intensive business units.
About the author:
Gareth Kristensen is an associate at Cleary Gottlieb Steen & Hamilton, with broad experience advising on data protection, cybersecurity and data-related regulatory developments in the financial technology sector.