Muscat: Companies in Oman doing business with the European Union (EU) or hiring EU nationals will soon fall under the new privacy regulations introduced by the 28-member bloc.
The General Data Protection Regulation (GDPR) takes effect in May and contains regulations on handling the personal data of EU nationals gathered inside or outside the EU. While Omani firms are not liable to EU penalties, failure to comply with the new regulations could leave their websites or financial transactions blocked in member states.
The GDPR replaces the existing European data protection framework that was set out for the EU in 1995 and contains some major modifications. There are three areas under which the GDPR will be applicable.
Firstly, an organisation that operates in the EU; secondly, an organisation that provides goods and services to EU residents, even though it is not physically present on European soil; thirdly, any organisation that monitors the behaviour of, or stores information about, EU residents.
“If there is an EU resident whom an organisation in Oman hires, it has to change the hiring process to make sure it is compliant with the GDPR. Any organisation monitoring online behaviour of EU residents will also fall under companies that must follow GDPR. This can include both banks and retail companies,” Lalit Kalra, Senior Manager at EY, explained.
“The law now expands to companies operating beyond the EU boundaries, such as in the GCC. Moreover, if a company is doing some data analytics on behalf of a company in the EU, it becomes a processor, so it would become equally responsible for GDPR. More importantly, personal data that was earlier restricted to passport number, email ID, and mobile number has now been extended to anything that can uniquely be attributed to an individual as personal data. This will mean that ethnicity, caste, online browsing details, and cookie information all fall under personal data,” Kalra added.
Individuals will also have new rights under this law, including the right to be forgotten and the right to object to profiling. This means that a customer or an employee can ask the company to delete all personal information it holds about them in its database.
“It is one of the most balanced frameworks in terms of privacy across the world. It is not too lenient or stringent, so it gives an added advantage to businesses. They can show that they have better standards for following personal privacy. It isn’t a cost of compliance but a cost of doing business with the EU,” Mohammed Nayaz, Partner, IT Risk and Resilience at EY, said.
A company found violating this law in the EU risks a penalty of four per cent of global revenue or 20 million euros, whichever is higher.