GREED, disdain, recklessness — these are just some of the words that could be used to describe how many companies behave when dealing with the personal data of their customers, users and staff members. However, the abbreviation GDPR will thankfully be known more as a safeguard against the misuse of personal data in the months to come.
GDPR, or the General Data Protection Regulation, will come into effect on May 25, 2018, and will replace the European Union’s Data Protection Act of 1998. The regulatory volume of 99 articles is a fundamental change in how data protection will be regulated within the European Union. Given the recent travails of Facebook and Cambridge Analytica, it isn’t difficult to ascertain why a change in the regulation of our data is much-needed.
The regulation defines personal data as any data that can identify a living person, either directly or indirectly, or in combination with other pieces of data. Processing is defined as any action taken with the data, including collecting, storing, using, sharing, transferring, retaining and deleting.
The regulation and its potential penalties are not an issue only for European entities; as the title suggests, this is a global regulation with extraterritorial reach.
Financial penalties
One of the most talked-about aspects of GDPR is the financial penalties imposed by the regulation. The maximum fine that can be imposed on an organisation in breach of the regulation is 4pc of the organisation’s annual global turnover or 20m euros (whichever is higher).
This alone should make all global institutions sit up and take notice.
Data subject rights
The regulation ascribes a number of rights to individuals with regards to their personal data. For example, the regulation empowers them to request a copy of their personal data held by an organisation (data portability), request the deletion and removal of personal data where there is no lawful reason to process it (right to be forgotten), or block/suppress the processing where the lawfulness of processing is questionable (right to restrict) — these requests need to be acknowledged and responded to by the companies in question.
Most importantly the regulation ascribes the right to access any personal data being processed. This can be done through what the regulation refers to as a Subject Access Request (SAR). Organisations must respond to any SAR within a month or risk being in breach of the regulation.
Impact on Pakistan-based organisations
Pakistani banks and financial services institutions will more than likely fall within the scope of GDPR. The largest banking players in Pakistan all have a presence via overseas subsidiaries and branches across various countries in Europe.
The majority of the customers of these banks are the vast Pakistani diaspora based across Europe — information normally collected from them for banking services relating to age, employment details, addresses, etc, will all fall under the definition of personal data and the requirements of GDPR will need to be complied with (and evidenced in the case of any challenge from EU regulators).
Individuals based in Europe who book airline tickets to Pakistan via the national air carrier would also be protected by GDPR. Again, details such as addresses, credit card details, age and gender would fall within the scope of personal data as per GDPR. Any hotels receiving customers from EU countries would be subject to the same data restrictions.
Any companies that export or import goods from the EU would be equally at risk of data breaches under GDPR — another related practical example would be any courier companies based in Pakistan that are used by customers based in the EU. The regulation would also apply to the less traditional online retailers and clothing companies that have begun to grow more common in Pakistan and offer delivery to the EU.
Need for national regulation
As it stands, there is no overarching and specific data protection regulation in Pakistan and therefore the requirements of GDPR will have to be self-policed by the industry and business sector. While this may be manageable in the short term, it may be harder to sustain in the long term.
The need of the hour for Pakistan is a national data protection regulator that provides structure to data protection and regulation in the country.
The writer is a Big Four chartered accountant with expertise in EU and Middle Eastern markets ali.azziz@gmail.com
Published in Dawn, The Business and Finance Weekly, May 7th, 2018