GREED, disdain, recklessness — these are just some of the words that could be used to describe how many companies behave when dealing with the personal data of their customers, users and staff members. However, the abbreviation GDPR will thankfully be known more as a safeguard against the misuse of personal data in the months to come.

GDPR, or the General Data Protection Regulation, will come into effect on May 25, 2018, and will replace the European Union’s Data Protection Act of 1998. The regulatory volume of 99 articles is a fundamental change in how data protection will be regulated within the European Union. Given the recent travails of Facebook and Cambridge Analytica, it isn’t difficult to ascertain why a change in the regulation of our data is much-needed.

The regulation defines personal data as any data that can identify a living person, either directly or indirectly in combination with other pieces of data. Processing is defined as any action taken with the data, including collecting, storing, using, sharing, transferring, retaining and deleting.

The regulation and its potential penalties are not an issue for European entities only; as the title suggests, this is a global regulation with extraterritorial reach.

Financial penalties

One of the most talked-about aspects of GDPR is the financial penalties imposed by the regulation. The maximum fine that can be imposed on an organisation in breach of the regulation is 4pc of the organisation’s annual global turnover or 20m euros (whichever is higher).

This alone should make all global institutions sit up and take notice.

Data subject rights

The regulation ascribes a number of rights to individuals with regards to their personal data. For example, the regulation empowers them to request a copy of their personal data held by an organisation (data portability), request the deletion and removal of personal data where there is no lawful reason to process it (right to be forgotten), or block/suppress the processing where the lawfulness of processing is questionable (right to restrict) — these requests need to be acknowledged and responded to by the companies in question.


Most importantly, the regulation ascribes the right to access any personal data being processed. This can be done through what the regulation refers to as a Subject Access Request (SAR). Organisations must respond to any SAR within a month or risk being in breach of the regulation.

Impact on Pakistan-based organisations

Pakistani banks and financial services institutions will more than likely fall within the scope of GDPR. The largest banking players in Pakistan all have a presence via overseas subsidiaries and branches in various countries in Europe.

The majority of the customers of these banks are the vast Pakistani diaspora based across Europe — information normally collected from them for banking services relating to age, employment details, addresses, etc, will all fall under the definition of personal data and the requirements of GDPR will need to be complied with (and evidenced in the case of any challenge from EU regulators).

Individuals based in Europe who book airline tickets to Pakistan via the national air carrier would also be protected by GDPR. Again, details such as addresses, credit card details, age and gender would fall under the scope of personal data as per GDPR. Any hotels receiving customers from EU countries would be subject to the same data restrictions.

Any companies that export goods to or import goods from the EU would be equally exposed to liability for data breaches under GDPR — another related practical example would be any courier companies based in Pakistan that are used by customers based in the EU. The regulation would also apply to the less traditional online retailers and clothing companies that have become more common in Pakistan and offer delivery to the EU.

Need for national regulation

As it stands, there is no overarching and specific data protection regulation in Pakistan, and therefore the requirements of GDPR will have to be self-policed by industry and the business sector. While this may be manageable in the short term, it may be harder to sustain in the long term.

The need of the hour for Pakistan is a national data protection regulator that provides structure to data protection and regulation in the country.

The writer is a Big Four chartered accountant with expertise in EU and Middle Eastern markets. ali.azziz@gmail.com

Published in Dawn, The Business and Finance Weekly, May 7th, 2018
