In today’s borderless digital world, data protection enters a new era with the ushering in of the EU’s new General Data Protection Regulation. But how will media companies in the Middle East cover their backs?

For media companies across the Middle East, it has always been about the data. How to use it in a smarter, more intuitive way to more effectively deliver content to a particular audience. How to decipher the right approach to analytics in order to use data in the right way. How to choose the right third-party tool to gain those crucial deep data insights. In simple terms, data helps build brands and it drives business.

However, today, with the European Union’s (EU) General Data Protection Regulation (GDPR) now in full effect, advertising, publishing, marketing and media companies across the globe are being forced to realize the potential impact that this may have on their ability to access personal customer data and target individuals. But far more importantly (and perhaps worryingly), many organizations around the world are still at the stage of asking themselves if this applies to them, even within the EU itself.

Described as the “most important change in data privacy regulation in 20 years”, GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens and reshape the way organizations approach data privacy. One of the main changes under the new set of regulations is the extra-territorial applicability of GDPR.

“Virtually every company collecting and/or holding any data about any EU resident (they don’t have to be a citizen), irrespective of where your company is based, will have to comply with GDPR or face fines of up to €20 million or 4% of global turnover, whichever is larger,” explains Brian Chappell, who is the senior director of enterprise & solution architecture at BeyondTrust, a global information security software company. “GDPR is data protection legislation that is largely predicated around security best practice, but unlike regulations and laws previously, this one has teeth…big teeth, so don’t get caught out.”

According to research from cyber-security consultancy Help AG, fundamental misinterpretation of GDPR could expose Middle East organizations to business risks. Key measures to complying with the GDPR are the lawful processing of personal information, affording individuals the “right to be forgotten” and to access their personal data, implementing “privacy by design” rather than as an afterthought when developing new products and services, registering with a data protection agency, and the appointment of a Data Protection Officer (DPO).

Dr Angelika Eksteen, Chief Strategic Officer at Help AG says, “While fulfilling all these criteria may appear to be a daunting task, organizations need to understand the business risk of failing to meet requirements. This could mean losing or terminating business partnerships with EU-based companies, and even the possibility of heavy financial penalties and the associated reputational damage.”

In particular, every media company, marketing agency and publisher in the Middle East needs to ensure that they are GDPR compliant, so they can advise their clients on how to adequately prepare. Omnicom Media Group MENA, the regional media services division of Omnicom Group Inc., a leading global advertising and marketing communications service holding headquartered in New York, is certainly taking no chances.

“At Omnicom Media Group MENA, we have a team of data specialists dedicated to GDPR, working closely with our EU teams to advise our clients on best practice,” says Raouf Ketani, who is the Head of Annalect (the data and analytics arm of Omnicom Media Group MENA). “This team has also been constantly monitoring the media landscape in the lead-up to and post-implementation to ensure that we fully maximize the opportunity and mitigate any risks for our MENA clients.”

Hiring a DPO would certainly be one way to mitigate the risk. According to Ketani, although by law there is no requirement for a DPO, some businesses are already appointing one, either internally or by hiring an independent third-party individual to carry out this role. “In our view, any business that handles consumer data should dedicate someone entirely to this function to ensure that the data is treated in the most responsible way.”

Compliance auditing may also become a reality if a company does business in the EU “Look at it this way,” Ketani explains. “If you want to trade with their citizens, then EU regulatory bodies are well within their right to make sure you comply with their rules. Omnicom Media Group MENA agencies are maintaining their responsible attitude to data privacy in preparation for when the new legislation comes into effect. This means an extra level of vigilance when GDPR is implemented, ensuring all data transfers take place via a third-party onboarding partner, to ensure that ourselves, our clients and our partners are not exposed to any risk.”

“We also make sure we take all necessary precautions when purchasing media on a client’s behalf, safeguarding their assets and strictly adhering to the data laws in place,” he adds.

Although currently, in most countries in the Middle East, there are no general federal data protection laws comparable to those applicable in Europe and there are also no single national data protection regulators, there is an expectation that countries in the region could bring in their own data protection laws in the future.

“We believe this is the way things are going globally, particularly when you consider the fallout from the Cambridge Analytica leak,” Ketani says. “Even in the United States, the government is starting to hold companies responsible for the data protection of their consumers. Every country is going to get there eventually, largely because of the changing relationship between consumers and brands. Consumers are now demanding more control over how personal data is being used, looking for a fair value exchange for their details. This alone is a gamechanger for businesses, who will have to reconsider how they collect and use this data in future. GDPR is only the beginning.”

For media companies navigating the first few months of GDPR, the take-home message seems to be that the risk of non-compliance is simply too great to take any chances. Having a plan is the first step, but continuing to evolve and improve along with the changing digital landscape is even more vital.