On 25 May 2018, the European Union's General Data Protection Regulation (GDPR) came into force. One year on, privacy laws and data practices across the globe haven't been the same.
“25 May marks the anniversary of Europe’s new data protection rules, the General Data Protection Regulation, also widely known as the GDPR,” said Andrus Ansip, Vice-President for the Digital Single Market, and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, in a joint statement issued on the first anniversary of GDPR.
Calling it a game-changing set of rules, the duo added that GDPR has not only made Europe fit for the digital age but has also become a global reference point.
And indeed, it became a reference point: the US saw the emergence of the CCPA (California Consumer Privacy Act) and the NYPA (New York Privacy Act), which is said to be tougher than its Californian counterpart, and Brazil is preparing the upcoming LGPD (General Law of Data Protection).
A number of countries in Europe, including Norway, Switzerland, Iceland, Liechtenstein and the UK, have also adopted privacy laws similar to GDPR, while Asian countries like India and South Korea are working on their own privacy laws.
Why is GDPR necessary?
Data is the most important commodity in today’s world. Alphabet (parent company of Google), Facebook, Amazon, Apple and Microsoft are all making billions by mining user data.
In March 2018, the New York Times and The Guardian published articles based on whistle-blower Christopher Wylie’s information about Cambridge Analytica. The political consulting firm, which worked for Donald Trump’s 2016 US presidential election campaign, used a loophole in Facebook’s API to mine data from 87 million users and their friends on the social network, without their knowledge. This data, mined using a personality profiling quiz app, was then used to create personality profiles to influence voters during the elections. This sparked a global debate over how much users can trust Facebook with their data.
The EU GDPR couldn’t have come at a better time! Its aim, as Ansip and Jourová highlight in their statement, has been to empower people and help them gain more control over their personal data. The rules spell harsh penalties for companies that don’t protect their users’ privacy. Yet Facebook isn’t extending the same protection to its 1.5 billion users in Africa, Asia, Australia and Latin America, since they do not fall under the EU GDPR. That’s almost 75 per cent of Facebook users worldwide whose data is open to exploitation by firms like Cambridge Analytica.
Is a Data Breach Bad for Your Brand?
The short answer to that question is, yes.
Data breaches, phishing scams, ransomware and cyber attacks are still abundant, especially in the Middle East. In the first half of 2018, the UAE saw two major data breaches: 14 million records of users of the Dubai-based ride-hailing platform Careem were affected, along with a smaller number of users of an airline. On January 14, 2018, cybercriminals stole data including names, email addresses, phone numbers and trip details of Careem’s customers in the Middle East, North Africa and South Asia.
Gemalto Regional Director for Enterprise and Cybersecurity Sebastien Pavie was quoted as saying that the Telecommunications Regulatory Authority (TRA) in the UAE reported a total of 274 cyber attacks in the first half of 2018, all of which targeted government, semi-government and private sector entities. “Despite an overall decline in the number of data breaches, Gemalto’s Breach Level Index data suggests security incidents are getting faster and larger in scope,” Pavie added.
Data breaches cost a lot. GCC nations are reportedly spending 66 per cent more than the global average on every data breach. While the average cost worldwide of identifying and stopping a data breach is USD 2.1 million, GCC companies end up paying USD 3.5 million, according to Gartner research. The study also highlighted that organisations in the Middle East take more time, almost 260 days on average, to identify and contain a data breach, compared to the European average of 138 days.
According to a 2018 IBM study, the cost of a data breach in KSA and the UAE combined is much higher – USD 5.31 million, a 7.1 per cent increase since 2017. More than the monetary loss, it’s the loss of trust that affects a brand name in the Middle East. Dr Tamer Aboualy, CTO of Security Services, IBM Middle East & Africa, says that the 2018 report identifies malicious or criminal attacks as the major cause of data breaches for organisations in KSA and the UAE. “The potential damage from cyber attacks extends beyond the obvious issue of businesses and consumers losing money. It can dramatically impact a company’s reputation, damaging the trust and loyalty of its customers, business partners, investors, and others.”
“The goal of our research is to demonstrate the value of good data protection practices, and the factors that make a tangible difference in what a company pays to resolve a data breach,” says Dr Larry Ponemon, chairman and founder of the Ponemon Institute, which conducted the research for IBM. “While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs,” Ponemon added.
Does the Middle East Need a GDPR?
The UAE’s National Electronic Security Authority (NESA) is tasked with developing and monitoring the UAE Information Assurance Standards (IAS). The IAS come under the National Information Assurance Framework (NIAF), which itself is part of the Critical Information Infrastructure Protection (CIIP) Policy.
At this time, there is no specific data protection legislation in place in the KSA. A freedom of information and protection of private data law is under review by the Shura Council, a formal advisory body of the KSA.
However, as mentioned above, if Facebook does not apply the EU GDPR to Asian countries, what protects the data of millions of users in the Middle East from being exploited?
The first year of GDPR enforcement has given rise to a substantial global shift towards data privacy, while at the same time creating political movements that are privacy agnostic. Google was fined USD 57 million by the French data protection authority under the EU GDPR. In the next five years, no tech giant, let alone a smaller brand, will be able to afford a Cambridge Analytica-like data breach. It is high time user data privacy became the norm globally.