Ben Cockram, Associate Director at Taylor Root was delighted to meet with Joanne Fischlin, Head of Corporate, External and Legal Affairs for the Gulf region at Microsoft. Joanne has a private practice and in-house background and her expertise ranges across many industries including retail, manufacturing, FSI and now technology.
We interview Joanne about the upcoming General Data Protection Regulation (GDPR) and how it can impact businesses outside of the EU.
Ben Cockram: Hi Joanne. The General Data Protection Regulation (GDPR) comes into force in May 2018. Firstly, what is GDPR, and what is its purpose?
Joanne Fischlin: The GDPR is Europe’s latest framework for data protection laws. It replaces the more than 20-year-old Data Protection Directive, many of whose principles it preserves, but gives residents of the European Union (EU) greater control over their personal data and imposes many new obligations on organisations that collect, handle or analyse personal data.
As a consequence, EU residents will have more control over their personal data through a set of “data subject rights” which include the right to access readily-available information in plain language about how personal data is used, have incorrect personal data deleted or corrected, have personal data rectified and erased in certain circumstances (sometimes referred to as the “right to be forgotten”) and restrict or object to processing of personal data.
Organisations that collect or process personal data will therefore have to comply with six key principles:
• Transparency, fairness and lawfulness in the handling and use of personal data which means that organisations will need to be clear with individuals about how they are using personal data and will need a “lawful basis” to process such data;
• Limiting the processing to specified, explicit and legitimate purposes. Organisations will not be able to re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected;
• Minimising the collection and storage of personal data to that which is adequate and relevant for the intended purpose;
• Ensuring the accuracy of personal data and enabling it to be erased or rectified;
• Limiting the storage of personal data. Organisations will need to ensure they retain personal data only for as long as necessary to achieve the purposes for which the data was collected; and
• Ensuring security, integrity and confidentiality of personal data which entails that technical and organisational security measures will have to be taken to keep personal data secure.
In this context, it is important to note that the definition of personal data is broader than it was before as it includes any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles so personal data can include data such as online identifiers (e.g., IP addresses), employee information, sales databases, customer services data, customer feedback forms, location data, biometric data, CCTV footage, loyalty scheme records, health and financial information and much more. The term is so broad that it can even include information that does not appear to be personal – such as a photo of a landscape without people – where that information is linked by an account number or unique code to an identifiable individual, or data that has been pseudonymized if the pseudonym can be linked to a particular individual.
Ben: So, the GDPR is for the protection of EU residents. Does this mean this regulation is only applicable to companies based in the EU?
Joanne: The GDPR applies more broadly than might be apparent at first glance so the short answer to this, is no.
The GDPR applies to:
- processing anyone’s personal data, if the processing is done in the context of the activities of an organisation established in the EU (regardless of where the processing takes place); or
- processing of personal data of individuals who reside in the EU by an organisation established outside the EU, where that processing relates to:
• the offering of goods or services to those individuals; or
• the monitoring of their behavior.
The above means that the GDPR applies to any company, government agency, non-profit, and other organisation no matter where they are located, as long as they offer goods and services to people in the EU or collect and analyse data tied to EU residents.
Where the first scenario is rather straightforward, as it means that as long as your company has any type of establishment in the EU it will be overall subject to the GDPR, the second perhaps warrants some examples. Let’s say you are a hospitality business in the Middle East and you want to attract tourism out of Europe. Your marketing tools might include a website available in German, payment facilities in Euro or any other feature that makes your services available to EU residents. That would trigger an automatic need for you to be GDPR compliant because you are targeting EU residents with your offering. There are other more borderline examples though where the EU Commission currently says it will look at the intent, but to be honest we don’t yet have a clear answer and might not get one until the EU further clarifies its regulation or we start seeing precedents. For instance, as a bank with no operations in Europe and no tailor-made offering for EU residents, you may think you are exempt, but even if I personally would tend to share this view, we cannot exclude that the EU Commission may have a broader view. The monitoring of behaviors can also be a tricky one. For example, you’ll be caught under the GDPR if your business has no presence in Europe, but you place a tracking technology on hard drives and other devices in the EU.
Also, unlike privacy laws in some other jurisdictions, the GDPR is applicable to organisations of all sizes and all industries that fall into one of the above buckets, so no matter how small your business is, you are potentially in the remit of the GDPR.
Finally, the GDPR applies to both data controllers and processors. A data controller is in charge of the data; a data processor processes the data for the controller. A controller determines why and how to process personal data while the processor performs operations on personal data on behalf of the controller.
Under the GDPR, processors face additional duties and liability for non-compliance, or acting outside of instructions provided by the controller. Compliant processor duties include:
• Processing data only as instructed;
• Using appropriate technical and organisational measures to process personal data;
• Deleting or returning data to the controller; and
• Securing permission to engage other processors.
Ben: What impact is it likely to have on businesses in the Middle East?
Joanne: When caught under one of the criteria mentioned above, businesses in the Middle East will have to become GDPR compliant and compliance will cost time and money, but if you look at GDPR pragmatically, it is actually a tremendous business opportunity.
EU-UAE trade exceeds AED 32 billion, so if you think about the fact that companies in the EU will have to look at doing business outside of Europe with GDPR compliant companies or in jurisdictions that give sufficient safeguards, becoming GDPR compliant will allow UAE companies to gain a competitive edge versus those that will have elected not to embark on the compliance journey. It will likely be first in, first served.
Also, because the EU is often viewed as a role model on privacy issues internationally, because of the importance of trade relations between the Middle East and the EU and in light of the aspirations of a lot of countries in the GCC to become thought leaders in the MEA region, I would not be surprised if we saw more and more regional countries embrace a similar approach to GDPR. It has already started in 2016 and we understand that the UAE is working on a data legislation project, so sooner rather than later, companies are likely going to have to up their game when it comes down to managing personal data.
Finally, GDPR compliance will require that companies adopt policies and governance processes to ensure their staff understand how to manage and process personal data and ensure their systems are streamlined and talking to each other so that no personal data remains unmonitored.
Organisations covered by GDPR will have to report breaches and might also have to hire new members of staff, including a Data Protection Officer (DPO). If your company qualifies under the regulation to appoint a DPO, he/she will be responsible for informing employees of their compliance obligations as well as conducting the monitoring, training, and audits required by the GDPR, but most importantly your DPO will report into the Board so data privacy will become a boardroom conversation, no longer a compliance “tick the box” exercise.
Ben: As an In-House Counsel, what can be done to ensure there are no repercussions for the business as a result of the GDPR?
Joanne: As an in-house counsel or compliance executive, you are likely to be the first (and only?) one to hear about the GDPR, so your primary role will be to understand whether the GDPR applies to your organisation and raise your senior leadership’s awareness if it does. The latter might prove a challenge in itself, even though the penalties associated with breaches of the GDPR will likely generate a reasonable level of attention. The timing might also help in convincing them that the company needs to act swiftly.
The good news is that you are not alone. Your IT department will have to get onboard because stage one of GDPR compliance is to understand what data you have and where it lies. You will then have to decide who has access to it and for what purpose, how you are going to protect that data from security breaches and how you are going to report breaches.
All of the above will likely require that in-house counsels take the driving seat until a formal compliant process is established.
Ben: What can businesses in the Middle East do to prepare for GDPR, and ensure they are well-informed well ahead of the enforcement date?
Joanne: As already said, GDPR compliance will cost time and money for most organisations, but it may be a smoother transition for those who are operating in a well-architected cloud services model and have an effective data governance program in place.
Businesses that are digitally transforming are likely to have an easier journey and for the others, as Angela Saverice-Rohan, Privacy Practice Leader at Ernst & Young, said: “At EY we believe companies should use the GDPR as an opportunity to digitally transform their business. We believe moving to the cloud is the best way to get on a path to GDPR compliance.”
That alone shows how GDPR compliance should not be looked at as a compliance constraint, but as a means to an end. Data is the new oil, so companies that understand what data they have and where that data sits will be able to leverage it to their benefit.
With that in mind, I think businesses in the Middle East need to understand how their current structure would help or hinder their ability to become compliant by the deadline and seek counsel from both legal and IT professionals on how to embrace this new evolution which, make no mistake, is only a start. The good news is, a wealth of law and consulting firms have built great capabilities in this field and will help businesses understand how this may be an opportunity to digitally transform and achieve better compliance, greater productivity, higher workplace safety or enhanced customer satisfaction, for instance.
Ben: Microsoft is both a data controller and processor, can you share any insights on how you are ramping up and whether you can help organisations on their compliance journey?
Joanne: I want to first point out that processors, as I mentioned earlier, have enhanced obligations under the GDPR, so the entire industry is ramping up its capabilities to make sure that the GDPR is accounted for when customers are using or want to use our products.
At Microsoft we believe that privacy is a fundamental right and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. This priority aligns with Microsoft’s enduring commitment to trust which has made us the industry leader in privacy and security.
We committed to GDPR compliance across our cloud services by the time enforcement begins on May 25, 2018, and are standing behind our customers through contractual commitments for our cloud services, including timely security support and notifications in accordance with the GDPR.
But as you said, we’re also a data controller so we’ve decided to openly share with our customers our experience in complying with complex regulations such as the GDPR so that we are prepared to help customers meet their policy, people, process, and technology goals on their journey to GDPR compliance.
Based on our experience, we recommend companies begin their journey to GDPR compliance by focusing on four key steps:
• Discover: Identify what personal data you have and where it resides;
• Manage: Govern how personal data is used and accessed;
• Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches; and
• Report: Keep required documentation, manage data requests, and provide breach notifications.
The support we provide extends to Microsoft’s Legal team. We engage with our customers directly, helping in-house counsels and compliance executives understand what GDPR is and become thought leaders in their organisation. We won’t be giving legal advice, as every company will have to seek clarity from specialists such as outside counsels and consulting firms, but we’ve noticed that an initial discussion with us often helps them assess whether their business could be caught under the GDPR and who should be supporting them to make the journey to compliance as uncomplicated as possible.
We also provide a wealth of information available to all in our Trust Center that can help every single in-house counsel, compliance executive, IT specialist and CXO learn more about GDPR. You can find the resources here.