Many businesses in the GCC still do not comply with the EU’s General Data Protection Regulation (GDPR) and must act immediately or risk falling behind and potentially facing fines of 20 million euros or four percent of global annual turnover, according to ICAEW. The global accountancy and finance body has put together a GDPR checklist to facilitate compliance.
Complying with GDPR is a complex process that requires all businesses, large and small, in all regions and in all industries, to strengthen the protection of EU citizens' personal data. If an organisation based outside Europe processes personal data relating to data subjects in the EU, that organisation may be subject to the regulation. Companies in the GCC – and elsewhere in the world – may therefore be affected by the GDPR if they offer products to individuals within the EU.
Michael Armstrong, ICAEW Regional Director for the Middle East, said: “Many of the GCC organisations still don’t know if GDPR affects them or if they are GDPR compliant. With the introduction of the EU’s GDPR law on 25th May 2018, organisations all over the world have had to adhere to much-heightened compliance standards with the way they handle personal data. Regional leaders and businesses outside the EU must be proactive and raise awareness of the fact that they may be affected.
“At ICAEW we are working closely with our business partners to ensure all organisations take all the necessary measures to become compliant. Regarding who will impose the fines outside the EU and how they will do so, the law implies that this responsibility will fall upon the supervisory authority in the EU Member State where the organisation is active. It is crucial that regional businesses are prepared and do not get caught off-guard with hefty fines and penalties. Our team has worked hard to put together a checklist for those looking to put their GDPR compliance in place – we recommend those businesses review and follow our checklist.”
1. Appoint someone senior to oversee the process. It is not just a matter for the IT department, so it is essential that a senior member of staff such as a director, partner or senior manager takes responsibility for overseeing the process.
2. Review existing information and cyber security and update as necessary. This does not have to be an expensive revamp; it can be a refresh tailored to the complexity of your organisation and IT set-up.
3. Map your data. Before you can assess what has to be done, you need to know what data you hold, as this will inform what to do next.
4. Review contracts with clients, suppliers and employees to ensure GDPR compliance. You will need to understand your status and responsibilities with regard to both client data and firm data. At the very least, contracts will need to be updated to reflect the requirements of the GDPR.
5. Draft data protection policies and procedures. The GDPR introduces the principle of ‘accountability’ – this means all organisations must not only ensure they are compliant with GDPR but also be able to prove it.
6. Train staff. Not all staff will need to understand the GDPR in its entirety but all staff should at least be aware that data protection is an issue for everyone.