Assessing GDPR Compliance Readiness in the Middle EastQatar-based Privacy Practitioner Samir Pawaskar on the Essential Action Items
With the enforcement of the European Union's General Data Protection Regulation beginning on May 25, many Middle Eastern organizations are still scrambling to achieve compliance, says Qatar-based Samir Pawaskar, a cybersecurity and data privacy practitioner.
"A few organizations in telecom, finance and aviation are taking steps for compliance, but a major part of the local businesses, including those trading with EU countries, are not yet ready," he says. "Worse, most are probably still unaware whether they must do something."
In an interview with Information Security Media Group (see edited transcript below), Pawaskar offers insights on:
- Distinguishing between information security and privacy programs;
- The importance of data governance under GDPR;
- Critical compliance steps.
Samir is a cybersecurity and privacy expert based in Qatar who has over 20 years' experience.
Sizing up the Impact
GEETHA NANDIKOTKUR: How does GDPR impact Middle East organizations? What must be done to brace up for it?
SAMIR PAWASKAR: The Middle East does a huge amount of business with the EU region. Just the trade between EU and the GCC [Gulf Cooperation Council] region for 2016 was over 138 billion Euros. There will definitely be implications and impact of GDPR on businesses in the region.
The major sectors include aviation, telecom, hospitality, finance and retail. Also, the region sources a huge workforce from across the world, including the EU as well, and is a major tourist and sports destination.
A few organizations in telecom, finance and aviation are taking steps for compliance, but a major part of the local businesses, including those trading with EU countries are not yet ready. Worse, most are probably still unaware whether they must do something.
Organizations should by now have conducted a gap assessment to ensure what their liabilities toward GDPR are, followed by a comprehensive privacy program to ensure compliance. Besides user awareness, organizations are reviewing processes and technology to understand data flows within. What's critical now is to identify what kind of personal data is collected and generated, where it gets stored and processed, who has access to it or who it's shared with.
Awareness is necessary; we have probably missed the bus, with GDPR being enforced May 25. However, it's never too late.
NANDIKOTKUR: GDPR bestows unprecedented powers on regulators to impose fines. How do you see this affecting organizations?
PAWASKAR: EU has taken a strict approach in terms of huge fines to ensure compliance. This will drive organizations to ensure effective privacy programs. However, there are many challenges, and everyone's eyes will be on the EU to see how it enforces GDPR.
For example, a privacy compliance will require that certain organizations appoint a data protection officer. However, it's recommended that large and medium organizations not mandated to appoint a DPO appoint somebody to manage and own the privacy program within the organization. We are already overwhelmed with the lack of desired cybersecurity skills in the market. Privacy being a new subject in that context, there will be a dearth of qualified professionals.
Another challenge is awareness and cultural change. For example, while sharing credit card PIN numbers with strangers, like restaurant staff, may be unthinkable in the West, it's common out here. Organizations must ensure employees are sensitized to such nuances and understand the importance of PII.
Also, they must look at some of the rights GDPR bestows on its data subjects: the right to delete, the right to know, the right to transfer, the right to be forgotten, etc. Now, the way many organizations have grown organically over the years, building diverse business systems as required, it may be challenging for them to meet the requirements.
Organizations will have to rely on tools to meet privacy requirements. Alternatively, in the long run, organizations must either re-engineer their existing systems or where possible design new systems for GDPR compliance.
Information Security vs. Privacy
PAWASKAR: There's a subtle difference between information security and privacy. Information security is built on confidentiality, integrity and availability. Confidentiality deals with securing critical or confidential information. PII, depending on the business, may or not be confidential. However, in the context of privacy, ensuring compliance requires appropriate controls to be secured. Maturity and understanding in terms of privacy and PII must be built up. I believe it's the same situation in the GCC region.
NANDIKOTKUR: How important is data governance GDPR compliance? Do most companies possess an accurate inventory of personal data?
PAWASKAR: Definitely, data governance is very important. GDPR places much importance on that - the detailed guidelines produced by GDPR for data protection officers is testimony.
I believe most organizations don't have an accurate inventory of personal data. One reason is the fluidity of the definition of PII.
NANDIKOTKUR: What security control frameworks and standards prevail in the region to manage privacy and security of data?
PAWASKAR: Qatar issued a Personal Data Protection Act in 2016. I am not aware of any other legislations in the region, although certain regulatory bodies such as QFC in Qatar and DIFC in Dubai had some provisions as part of their regulatory mandate for organizations operating within their regulatory umbrella.
NANDIKOTKUR: What critical, immediate steps are needed for compliance with GDPR?
PAWASKAR: Organizations should begin with a gap assessment to ensure their liabilities toward GDPR and local privacy laws.
They should appoint a DPO or somebody to own the privacy program within the enterprise. In case the responsibility is added to an existing role, the concerned personnel should be adequately skilled.
Organizations must develop a comprehensive user awareness program to ensure the required compliance. The should also identify and classify personal data collected or generated by the organization, where it gets stored or processed, who all have access to this data or is shared with.
For businesses not mandated to appoint a DPO, a CISO role reporting to the board may be most appropriate.
However, I recommend that medium and large organizations appoint a chief privacy officer on the lines of guidance provided for a DPO to manage the enterprise privacy program.