EU General Data Protection Regulation And What Businesses In Pakistan Need To Know
Nothing has affected businesses more in the last few decades than the degree to which enterprises of every kind have come to rely on information technology (IT) infrastructure to conduct business. Established businesses have adopted new technologies to streamline their operations, and entirely new businesses built solely on those technologies have emerged.
Uber, AirBnB, Facebook, Alibaba and Netflix are often cited as pioneers and leaders of their industries, and all maintain non-traditional business models. Uber, for example, is hailed as the world’s largest taxi company, yet it does not own its own cars. The pace of development has been almost too quick for regulators to keep up with, and it is this disparity which has been causing Uber to lose its foothold in London.
The aspect of this reliance on information technology that has most often harmed consumers is data security. Breaches of data security have released massive amounts of personal information belonging to a business’s clients. Unfortunately, such breaches are not limited to certain types of businesses. Everyone is vulnerable.
Recently, Uber revealed that it paid a $100,000 ransom to keep secret a breach which potentially exposed the personal information of 57 million Uber customers and drivers. Last year, Equifax lost the personal records of 143 million of its members. Even Shaadi.com has been the victim of an attack and lost the personal details of over 2 million of its members.
In an effort to bring some consistency to standards, the European Union’s (EU) General Data Protection Regulation (GDPR) has been introduced and is expected to become effective on May 25, 2018.
The Regulation applies to all enterprises that handle the personal data of EU citizens in the context of selling goods or services. This brings not only all EU-based enterprises within its ambit; the standards also apply to all businesses outside Europe that hold such data on EU citizens.
So whether it is a data processor in Pakistan or a local lawyer in London, everyone must comply with the same standards wherever the personal data of EU citizens is being handled. Failure to comply with the new regulations attracts hefty penalties: €20 Million or 4% of the company’s annual global turnover.
The GDPR will be directly enforceable in all EU jurisdictions from May 25th, 2018 and will replace the previous EU Data Protection Directive (95/46/EC).
The principal provisions of the GDPR include the following:
- Consent. All consent for processing personal data must be express, freely given, specific, informed and unambiguous.
- Breach reporting. All data breaches must be reported within 72 hours to the relevant Data Protection Authority. The affected individuals must also be informed without undue delay.
- Rights of the individual. Individuals whose data is held are given the right of access to all information held concerning them; the right of data portability, i.e. to have their data delivered to them; and the right to be forgotten, which requires all personal data held regarding the individual to be deleted.
- Privacy by design. Appropriate controls must be embedded within data systems so that privacy of data is the “default”.
- Data Protection Officer. Most companies that process personal data on a large scale will be required to appoint a Data Protection Officer and will need to undertake an annual Data Privacy Risk Assessment as part of their due diligence compliance monitoring.
- Cross-border transfers. All cross-border transfers have to fit within a specific set of legitimate bases for such transfers. These bases are more limited than the “fair and lawful” bases merely for processing.
Companies based in Pakistan should review the GDPR and begin preparing for compliance with the new legal framework if they have an establishment within the EU or handle and process the personal data of EU residents in the following contexts:
- Offering goods or services to individuals in the EU.
- Monitoring the behaviour of individuals where that behaviour takes place in the EU. This includes services such as internet tracking and profiling.
Failure to comply can give rise to significant liabilities including hefty fines. There are two broad categories of fines:
- For the most serious infringements, €20 Million or 4% of the company’s annual global turnover.
- For lower-tier infringements, €10,000 or 2% of the company’s annual global turnover.
Given the severity of the potential fines, Pakistani businesses should immediately conduct a compliance assessment of their current policies and procedures to identify the gaps in their practices where liability could arise under the GDPR.
Consultation with legal counsel can help businesses assess and navigate the GDPR regime and implement viable strategies for complying with the new GDPR standards. Failure to take immediate action risks exposing Pakistani businesses to potentially huge fines and the loss of business in Europe.
The views expressed in this article are those of the author and do not necessarily represent the views of CourtingTheLaw.com or any organization with which he might be associated.