Four tips on robust compliance for UAE businesses in the age of GDPR

We recently observed the fourth anniversary of the European Union’s General Data Protection Regulation (GDPR) amid reports of record-breaking fines. In an indication of the EU’s resolve on data issues, a significant proportion of these fines were levied outside Europe, the Middle East and Africa, particularly in America, where five major cases alone accounted for more than $1.2bn in penalties.

In March, the EU and the US jointly announced plans for a new cooperative data-privacy framework to govern transatlantic data traffic. While to date the so-called Privacy Shield 2.0 is assumed to only affect these two nations, it is not unforeseeable that other territories will follow suit. The UAE, for example, has shown its commitment to issues of data management and privacy. UAE Federal Decree Law No 45 of 2021, known as the Personal Data Protection (PDP) law offers sweeping protections designed to reflect international best practices. It covers everything from the confidentiality of information to individual privacy, with immense weight given to data management and protection, including the processing of personal data, whether this takes place inside the country or abroad. The law came into force on January 2 this year and we are now deep into its six-month compliance window, which started in March.

Before the pandemic, we had already seen a data explosion. But when lockdowns hit, the shape of the IT environment shifted into a complex, multi-domain ecosystem with millions of remote workers. In this new architecture, data resides in many more storage locations than previously. This distributed storage is reflected in the record GDPR fines, as companies wrestle with the concept of compliance amid proprietary silos of data.

Move with the times
Meanwhile, IT teams, which devote inordinate amounts of time and resources to governance, archiving, and compliance issues, are on the frontlines of a firefight against complexity. And their problems escalate along with data volumes and new regulations. In the UAE, enterprises are subject to the PDP law, but also to international standards such as GDPR. But in the post-Covid technology sprawl, how are IT leaders supposed to determine which data is redundant? Or the risk level of a specific storage location when they may not even be aware of its existence?

Tackling these data dispersion issues can be costly. Point-product solutions rarely integrate well with one another and may not be capable of providing visibility and control within complex architectures such as those we see today. Such a scattering of data is alluring to ransomware gangs, and business-continuity plans may be under threat if the precise nature of data storage is not understood.

It is time to move with the times. A new approach to data management is required – one that makes compliance easier and delivers advanced security while removing data silos. The result, in short, is reduced complexity. Here are four tips that sum up the new approach.

1. Determine access and value
Knowing what you have is the first step in protecting it. Knowing the location of all data is vital, but so is its classification. Governance and compliance come from this very foundation; every piece of data has an importance, a risk profile, a sensitivity rating. Once this information is known, data managers must ask themselves who has access to the data and why. Do they need this access to do their job? Questions such as these can be answered by artificial intelligence and machine learning technologies that identify anomalous behaviour concerning data and help flag threats at an early stage.

2. Build comprehensive views
Data managers – once they know the location (on-premises, hybrid cloud or elsewhere), status, and permissions of all data – can monitor the information landscape from a dashboard only they and a privileged few can access, through strict, multifactor authentication.

3. Build for resilience and scalability
“Backup, backup, backup,” has been the cry of IT managers, cybersecurity analysts, risk consultants, and a range of other experts since the dawn of the information age. Today, given the complexity of IT environments, next–generation data management platforms based on hyper–converged file systems are really the only viable option for enterprises that want to scale at will and go beyond the zero trust security model. On top of other security measures, the latest data management solutions offer the capability to create immutable snapshots – relatively small pseudo-backup files that only record changes since the previous snapshot, and cannot be altered, overwritten, or deleted. Additionally, the data management platform should encrypt data, both at rest and in transit.

4. Embrace the cloud
If all of this seems too much for an overwhelmed IT team to handle, organisations can seek out providers of data management as a service (DMaaS), which covers back-up, security, governance, and analysis, and frees up IT teams to focus on more innovative, business-oriented pursuits.

More on the way
There is no sign that governments will say “enough is enough” on regulation. As more issues arise and as more attacks occur, authorities in the UAE and around the world will inevitably up their game to force private enterprises to up theirs. We now live in a global digital economy. We know the potential for prosperity by being active participants in that economy, but we also know the risks. Individual nations will continue to protect their citizens and businesses from bad actors by making best practices mandatory. In the face of this, modern data management platforms are the only way enterprises can keep pace with requirements. But these platforms bring other benefits, such as decreased costs and time, and the potential for innovation through business intelligence. After all, data, managed well, is currency.

Gregg Petersen is the regional director – MEA at Cohesity

Read: How outsourcing data centre operations can drive the growth of Middle East companies