7 years in the making, the General Data Protection Regulation (GDPR) is a successor to the 1995 Data Protection Directive, and has been designed to safeguard people’s personal information. The legal implication is that, from the 25th of May 2018, individuals have the power to demand that a company reveals or deletes the personal data they hold, while regulators will be able to work together across the EU, enforcing their decisions with penalties.
The regulation replaces all current data protection laws in every European Union (EU) country, with a view to strengthening and normalizing data protection for individuals across the EU. It also addresses the export of personal data outside the EU, and this is where entities operating beyond the Union, like those in the UAE, will be affected.
Here’s everything you need to know about GDPR, and what it means for you as a business operating in the UAE.
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It charts out the principles for data management and the rights of an individual, while also imposing penalties that can be monetary.
What type of data does it apply to?
The GDPR applies to all ‘personal data’, which is widely defined and includes names, addresses, emails, etc. and also IP addresses. For most companies, the main databases of personal information relate to clients, employees and suppliers.
What’s the deadline for GDPR compliance?
All organizations are expected to be compliant with GDPR by 25 May 2018.
My company doesn’t operate in the EU. Does GDPR still apply to me?
GDPR would apply to you if you are a company
- Having a branch, subsidiary or any representative in the EU
- Offering any goods or services to persons located in the EU
- Monitoring the online behaviour of persons located in the EU
What should an organization keep in mind with regard to the GDPR?
The GDPR’s legislation, comprising 99 articles, delineates how companies must handle the data they collect. Data breaches are required to be disclosed within 72 hours after an organization discovers it. The use of sensitive data, such as someone’s ethnicity or political views, cannot be used by organizations when deciding on a course of action, for example, a bank cannot base its decision to approve a loan based on sensitive data. Sending out mass marketing emails to people that have not wilfully subscribed is also not permitted.
What is the penalty in case of non-compliance with the GDPR?
Any organization that violates the rules could face fines of up to 4% of their global annual revenue or €20 million (about $21.2 million), whichever is greater.
What does the GDPR mean for customers?
Individuals will have more granular control of their own personal data, including the right to be forgotten. Companies need to have a plan to completely remove inactive user data from their system.
What about the existing data protection laws in the UAE?
Many Middle Eastern countries have already implemented their own data protection regulations. For instance, Qatar issued a Data Privacy and Protection Law in 2016, which is closely aligned with the GDPR. However, Middle Eastern countries’ privacy and breach notification regulations, in general, are less strict and detailed than the GDPR.
Currently, UAE regulatory bodies such as Dubai International Financial Centre, Abu Dhabi Global Markets and Dubai Healthcare City Authority have their own data protection laws, which are oriented with the imminently-obsolete EU Data Protection Directive 95/46/EC. This would call for a revamp or revision of said guidelines.
What should a business do to check its alignment with the GDPR?
A company falling in the purview of the GDPR should analyse its decision-making with respect to:
- Demonstrating its ability to manage and protect personal data
- Devising ways to report breach incidents within 72 hours
- Determining who will take the lead role in data protection and privacy, whether the executive management, the board, the Chief Information Security Officer (CISO) or a data protection officer
What are some of the best practices, in relation to the GDPR, advisable for companies?
A business should try to:
- Establish transparent and easily accessible privacy and data protection policies and procedures
- Review and update all existing contracts with data processors and customers to provide for more stringent data protection and consent clauses
- Create a framework for accountability by monitoring, reviewing and assessing data processing activities
- Evaluate insurance policies to ensure the company is adequately protected in the event of a data breach
- Conduct internal training sessions to ensure employee compliance with the new data protection obligations
- Consider whether employment of a data protection officer is required
It will be important for businesses in the UAE to assess all personal data processing activities. This should encompass an audit of any activities likely to involve the processing of personal data relating to individuals in the EU, including information that indirectly identifies such individuals (such as IP addresses or customer reference numbers).