Data, in today’s digitalized age, is the most important asset to protect. If you run a Pakistani startup that collects customer information online, then data privacy compliance is essential to the success of your business. No matter the size of your company, if your business handles data and private information, then data compliance is critical to your company’s smooth functioning.
What Is GDPR?
GDPR stands for the ‘General Data Protection Regulation’, which was passed by the European Parliament and Council of the European Union (EU) in 2016; the regulation protects the interests of all natural persons within the EU with regards to collection, movement, or use of their personal data.
This new law is meant to hold organizations accountable for the misuse or breach of data. The regulation aims to streamline the digital economy of the EU by creating a common base upon which all organizations must build their data security setups, and to ensure that citizens of the EU have greater control over their personal information.
The three key actors under the GDPR are:
- Data subject: the EU citizens whose personal information is collected and processed by the controller
- Controller: An entity that establishes the purposes and means by which the data is processed
- Processor: An entity that only processes data at the controller’s order
Is GDPR Applicable to Companies in Pakistan?
While the focus of the GDPR is solely on protecting the data rights of citizens of the EU member states, compliance with its rules matters to a company operating in Pakistan if you deliver any goods or services to EU nationals, or collect or process their data, no matter where in the world you are located.
According to Article 3 of GDPR:
- The Regulation applies to the activities of controllers and processors in the processing of personal data, even when the processing is conducted outside EU territory.
- The Regulation applies to controllers and processors established outside the EU that process the personal data of data subjects, where the processing activities are related to:
  - the provision of goods or services, regardless of whether payment by the data subject is required, to such data subjects in the Union; or
  - the monitoring of their behavior, as far as that behavior takes place within the Union.
- The Regulation also applies to a controller not established in the EU that processes the personal data of a data subject, but is located in a place where the law applies by virtue of public international law.
Therefore, businesses of all sizes in Pakistan that provide goods or services to EU citizens, process their data, or are looking to expand their business into the EU market must ensure compliance with GDPR rules.
Key Requirements Under The GDPR
Organizations must comply with, and act on, the following key requirements:
- Data security: businesses must employ a suitable level of security, including both technical and organizational security controls, in order to avoid information loss, data leaks, or misuse of data through unauthorized processing operations. To this end, the GDPR encourages companies to incorporate encryption, network and system integrity, incident management, and resilience requirements into their security programs.
- Extended rights of individuals: the rights of data subjects have been given greater importance, and individuals have been given greater control over their own data and private information. Data subjects must, therefore, be given the right to control how their data is used, where it is shared and sent, and when it must be removed from the server and forgotten.
- Data breach notification: in the event of a data breach, companies are obliged to notify their regulators, as well as the affected data subjects, without undue delay after becoming aware that the data has been subject to a breach.
- Security audits: to ensure accountability, all companies are required to maintain records and provide evidence of their security practices, and to audit the effectiveness of their security program. Where gaps are found, companies are required to take corrective measures in all appropriate areas.
Why Is GDPR Important in The Context of Pakistan?
Pakistan has much to learn in the field of data protection; there is a callous disregard for implementing appropriate security mechanisms that are up to the mark. The number of privacy and information breaches reported to the National Database and Registration Authority (NADRA) shows the lack of measures implemented by most companies, controllers and processors.
The data protection laws in Pakistan likewise focus more on shielding companies than on safeguarding the individuals whose private data and information is constantly at risk, unlike the EU’s GDPR, which is focused on the rights of the data subjects.
GDPR ensures companies gather and store data legally and under strict conditions; organizations are obligated to protect it from misuse, breach, theft or unauthorized distribution.
The European Union has no doubt worked extensively on data privacy, something that Pakistan must learn from and implement in its own jurisdiction. For Pakistani startups and businesses in Pakistan looking to work in the EU, the following conditions, as published in the official EU documents, should be kept in mind before creating a data security plan:
“Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done on a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data’s owner. The data owner has the right to revoke this permission at any time”.
The Next Step?
If you are a Pakistani startup, or a business that collects data from the EU, or are looking to expand into the EU market and wish to comply with the GDPR, then KLA can provide you with sound advice and beneficial security plans. Our team of experts in Pakistan and in Germany can guide you according to your business requirements so that your business does not suffer any loss or damage, and can thrive to its full potential!
For more information on our work with data privacy, please check: https://localhost/testsite/practice/it-and-data-protection/
About the Author: Mr. Khawaja is an International Technology Lawyer based in Düsseldorf, Germany and managing partner of KLA Germany. He is known for providing robust solutions with a pragmatic approach on topics related to IT law, GDPR, IP, Pakistan, Investment and International Trade.