DataGrail recently interviewed Gordon Wade, Data Privacy and Protection Lawyer at PwC Middle East to bring you insights from a leading legal professional in the field of data privacy.
DG: What is your favorite part about working in the legal space, specifically covering data privacy practices and risk?
GW: The proliferation of data privacy laws globally and public awareness surrounding the impact of data processing activities are creating exciting new business challenges and opportunities for my clients. For me, I firmly believe now is the time to be a data privacy lawyer.
When practicing as a lawyer in Ireland, I advised clients before the final text of the GDPR was published in 2016 and after it became law in 2018. Whilst the EU is leading the charge on data privacy with the GDPR, I moved to the Middle East at the end of 2018 and am now deploying my particular specialism in a market right on the cusp of huge changes in privacy and data protection.
It’s these changes and the challenges that they pose for my clients (who have been operating in a region with, historically, no specific data privacy and protection laws at all) that I love dealing with every day. I’m passionate about data privacy, and while I would not go so far as to call myself a human rights lawyer, I do help my clients ensure that they respect and vindicate their employees’ and customers’ fundamental human rights to data protection.
There’s still so much uncertainty and lack of awareness regarding data privacy in this region. It’s very much in its infancy — which gives me the opportunity to educate my clients about this fascinating topic, why it’s important, and how they can derive so many benefits from a robust corporate culture of privacy.
The Middle East has begun a relentless move towards a region in which bespoke laws and regulations will tightly restrict the ways in which organizations can use personal data, and for me, having the opportunity to be right in the middle of all of this is fantastic.
DG: What are the biggest differences / challenges you see in Middle Eastern privacy programs vs those in the EU?
GW: Data privacy is still a relatively new concept in the Middle East. Whilst certain jurisdictions like the Free Zones (DIFC, ADGM, QFC) and Qatar have had data privacy laws on the books for a few years, generally speaking, comprehensive federal laws don’t exist. This means that overall market awareness and understanding of data protection principles are low, so educating clients on basic principles (like what is personal data) is still a huge part of what I do. Therefore, getting buy-in from the C-Suite can be challenging and requires privacy professionals to be at the top of their game with regards to the strategic risks their clients’ sectors face and fully up to speed with global developments.
News of GDPR-related fines, such as the French CNIL €50m fine imposed on Google, certainly makes the news in the Middle East, but the task for us is to guide clients through the rationale for these decisions and how to embed change into the organization to address this. Even in jurisdictions with data privacy laws, there are no regulators set up, and this absence of a national data protection supervisory authority means that there’s no effective supervision, enforcement or guidance in respect of data subject rights or data protection principles.
In terms of privacy programs, the region is about two years behind the EU, but the distance is closing fast. Bahrain’s Personal Data Protection Law takes effect August 1st of this year; Saudi Arabia’s draft data protection law is well-advanced along the legislative process; we understand the UAE has a draft law modeled largely on the GDPR that’s currently circulating internally amongst certain UAE Government Departments; and Oman has had a draft data protection law in the works since 2017.
DG: With rising consumer privacy awareness, how can businesses best inform users that their data is secure and private?
GW: I always tell clients that fostering trust and confidence in your customers about how you use and protect their personal data isn’t rocket science, and there’s no secret formula. It’s about getting the basic principles right — being open, honest, clear, transparent, and accountable. One of the largest issues with the Cambridge Analytica scandal was that people simply had no idea what was really going on with respect to their personal data.
I would sum up how to best inform users with these 6 points:
- Make it clear to consumers what data you have, where it’s stored, and explain the protocols in place to protect it.
- Implement customer-facing technical measures to ensure data access is strictly controlled (such as multi-factor password authentication and strong encryption methods).
- Provide consumers with the information and options they want, especially for those websites and apps that have access to a lot of personal information. Website FAQs addressing security concerns, easy opt-out mechanisms, and use of end-to-end encryption will help reassure users that their data and communications are secured.
- Be transparent. Providing clear information about business actions and positions on data privacy, as well as proactively updating consumers on your privacy practices, is important to instituting trust. Communicate with the public what measures your business is taking to protect their information.
- Invest in employees with security backgrounds and certifications and pay for independent security audits by accredited organizations that can be shared with customers. All organizations must be good data stewards but often words alone aren’t enough to prove to consumers that their data is protected.
DG: What is the biggest challenge your clients typically face when it comes to the implementation of privacy programs? Does this vary or is it fairly consistent across different parts of the world?
GW: I think the challenges faced by organizations when implementing a data privacy program tend to differ little around the world (although certain sectors can be more onerous than others). It’s difficult to isolate a “biggest of all” challenge, as there can be several depending on the maturity of a client’s data privacy posture.
One challenge consistently facing clients is how to implement privacy compliance solutions that meet the growing number of local and national requirements demanded of a global privacy program. For example, I’m currently working with a client who falls within the scope of data protection laws in Bahrain, the EU, Singapore, and Brazil. There are challenges to building a program to meet multi-jurisdictional requirements and then actively demonstrating the business’s effectiveness at meeting those requirements.
Also, a client’s privacy program cannot be focused just on satisfying regulatory obligations but must address how privacy practices fit into their overall business strategy, making it a core part of the business model. The program must sit with the corporate vision about where the business wants to end up on the data privacy maturity scale to ensure alignment between risk tolerance and investment.
Even more basic than this, privacy programs often require clients to change their focus from protecting systems and applications to responsibly managing their information assets — and change is never easy. When you couple this with the fact that data often sits on multiple systems across an organization, implementation can be challenging.
DG: What is one piece of advice / lesson learned from GDPR that you would give to US companies who are dealing with upcoming privacy regulations?
GW: On the surface, the idea of data privacy is pretty simple. However, in reality, data is rarely static but rather travels across servers, networks, into the cloud(s), and through various applications. Data privacy laws like the GDPR call on organizations to ensure that they protect their data assets across these multiple domains and applications.
For those organizations new to the game:
- Assess all your personal data processing activities to include an audit of any activities likely to involve the processing of personal data relating to EU data subjects.
- Put procedures in place to effectively detect, report and investigate personal data breaches. A strong security posture and implementation of a comprehensive privacy and data security plan is one of the most effective measures that companies can employ to mitigate the significant costs of remediating a data breach.
- Be aware of the legal risks of failing to comply with the GDPR (including the significant monetary fines), particularly:
  - as new laws introduced globally will likely be (heavily) modeled on / influenced by the GDPR; and
  - in light of the increasing focus by international governments and regulators on the protection of personal data.
- Be prepared for demands from (EU) consumers and business partners to demonstrate compliance with GDPR standards. You can start to pre-empt this by reviewing contracts with your third-party vendors to determine where you may be in scope for the GDPR.
- Take steps to implement processes and procedures to address any compliance gaps including developing new data handling policies, updating contract provisions and privacy notices, and implementing appropriate technical and organizational security measures.
Enjoy this interview? Check out our previous Interview Series with Jeanne Sheahan, Head of Privacy Compliance at First Republic Bank!