7 years in the making, the General Data Protection Regulation (GDPR) is a successor to the 1995 Data Protection Directive and has been designed to safeguard people’s personal information. The legal implication is that, from the 25th of May 2018, individuals have the power to demand that a company reveals or deletes the personal data they hold, while regulators will be able to work together across the EU, enforcing their decisions with penalties.
The regulation replaces all current data protection laws in every European Union (EU) country, with a view to strengthening and normalizing data protection for individuals across the EU. It also addresses the export of personal data outside the EU, and this is where entities operating beyond the Union, like those in the UAE, will be affected.
Here’s everything you need to know about GDPR, and what it means for you as a business operating in the UAE.
Back to topWhat is the GDPR UAE?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It charts out the principles for data management and the rights of an individual, while also imposing penalties that can be monetary.
Back to topWhat type of data does it apply to?
The GDPR applies to all ‘personal data’, which is widely defined and includes names, addresses, emails, etc. and also IP addresses. For most companies, the main databases of personal information relating to clients, employees, and suppliers.
Back to topWhat’s the deadline for GDPR compliance?
All organizations are expected to be compliant with GDPR by 25 May 2018.
Back to topMy company doesn’t operate in the EU. Does GDPR still apply to me?
GDPR would apply to you if you are a company
- Having a branch, subsidiary or any representative in the EU
- Offering any goods or services to persons located in the EU
- Monitoring the online behaviour of persons located in the EU
What should an organization keep in mind with regard to the GDPR?
The GDPR’s legislation, comprising 99 articles, delineates how companies must handle the data they collect. Data breaches are required to be disclosed within 72 hours after an organization discovers it. The use of sensitive data, such as someone’s ethnicity or political views, cannot be used by organizations when deciding on a course of action, for example, a bank cannot base its decision to approve a loan based on sensitive data. Sending out mass marketing emails to people that have not wilfully subscribed is also not permitted.
Back to topWhat is the penalty in case of non-compliance with the GDPR?
Any organization that violates the rules could face fines of up to 4% of their global annual revenue or €20 million (about $21.2 million), whichever is greater.
Back to topWhat does the GDPR mean for customers?
Individuals will have more granular control of their own personal data, including the right to be forgotten. Companies need to have a plan to completely remove inactive user data from their system.
Back to topWhat about the Existing Data Protection Laws in the UAE?
Many Middle Eastern countries have already implemented their own data protection regulations. For instance, Qatar issued a Data Privacy and Protection Law in 2016, which is closely aligned with the GDPR. However, Middle Eastern countries’ privacy and breach notification regulations, in general, are less strict and detailed than the GDPR.
Currently, UAE regulatory bodies such as Dubai International Financial Centre, Abu Dhabi Global Markets and Dubai Healthcare City Authority have their own data protection act, which are oriented with the imminently-obsolete EU Data Protection Directive 95/46/EC. This would call for a revamp or revision of said guidelines.
Back to topWhat should a Business do to Check its Alignment with the GDPR?
A company falling in the purview of the GDPR regulation should analyze its decision-making with respect to:
- Demonstrating its ability to manage and protect personal data
- Devising ways to report breach incidents within 72 hours
- Determining who will take the lead role in data protection and privacy, whether the executive management, the board, the Chief Information Security Officer (CISO) or a data protection officer
What are some of the best practices, in relation to the GDPR, advisable for companies?
A business should try to:
- Establish transparent and easily accessible privacy and data protection policies and procedures
- Review and update all existing contracts with data processors and customers to provide for more stringent data protection and consent clauses
- Create a framework for accountability by monitoring, reviewing and assessing data processing activities
- Evaluate insurance policies to ensure the company is adequately protected in the event of a data breach
- Conduct internal training sessions to ensure employee compliance with the new data protection obligations
- Consider whether the employment of a data protection officer is required
It will be important for businesses in the UAE to assess all personal data processing activities. This should encompass an audit of any activities likely to involve the processing of personal data relating to individuals in the EU, including information that indirectly identifies such individuals (such as IP addresses or customer reference numbers).
Back to topWhat is the simple definition of GDPR?
It is a European Union law that takes in charge of the processing and storing of personal data.
Is GDPR applicable in UAE?
Any company in the UAE that processes personal data and sells products or services to people in the EU, it is mandated for the company to comply with the GDPR.
What is UAE data protection law 2021?
This law forbids the use of private data without the permission of the owner except in some cases like legal procedures, protection of public interest etc.
What is the impact of GDPR in UAE?
It has impacted the two main free zones of Dubai which is DIFC and ADMG which already had data protection laws.
What are the industries affected by GDPR?
There are many industries which may be impacted by GDPR. Social media platforms, financial services, the technology industry and e-commerce are some of them.