The General Data Protection Regulation (‘GDPR’) comes into force on 25 May 2018 and is intended to harmonise data protection across Europe and safeguard personal data from privacy and data breaches arising from its processing in the EU, as well as potentially elsewhere. The GDPR will replace the existing EU Data Protection Directive which is currently implemented in each EU country.
It is well known that the GDPR will have a significant effect on companies in the EU; however, many UAE companies remain unclear as to whether, and to what extent, this European legislation may also have an impact on their businesses, particularly if they do not have direct operations in the EU.
Six things UAE companies need to know about the GDPR
UAE companies may be caught by the GDPR and if so, they will be subject to its provisions and responsible for compliance with certain of its obligations. Below we highlight six of the main things UAE companies need to be aware of in relation to the GDPR:
1. Wide scope
The GDPR applies to companies located within the EU who hold ‘personal data’, i.e. data relating to an identifiable individual (a ‘Data Subject’).
It also however applies to companies located outside of the EU, including the UAE, if they:
- offer (or envisage offering) goods or services to Data Subjects in the EU; or
- monitor the behaviour of Data Subjects within the EU.
This significantly broadens the scope of the GDPR to well outside of EU boundaries, and will consequently mean that many UAE companies could fall within scope of the GDPR’s provisions. Examples of how a UAE company may be caught by the GDPR include:
- sending certain material to EU based businesses;
- monitoring Data Subjects via cookies when they access the company’s website;
- capturing data from Data Subjects through mobile apps, websites etc. for analytical purposes; and
- outsourcing the storage or processing of, for example, customer information to data centres or service providers located in the EU, which indirectly brings the UAE company within the GDPR’s reach by virtue of the location of these providers.
2. Privacy by design
The GDPR does not allow for a ‘one size fits all’ approach and insists upon ‘privacy by design’, which means considering data protection at the outset of any project, product or system, and building in elements addressing those considerations from the start. Privacy by design is not a new concept; however, as the United Kingdom’s Information Commissioner’s Office points out, data protection compliance is often ‘bolted on as an after-thought or ignored altogether’. The GDPR seeks to change that.
3. Compliance must be demonstrated
Under the GDPR, there is a big focus on accountability and one of the biggest changes compared to the previous legislation is that companies must be able to demonstrate compliance. The intention behind this is to force a more proactive approach to data protection. The practicalities of this mean that companies must be in a position to reflect and record their actual compliance, for example, by maintaining a comprehensive audit trail.
4. No ‘broad-brush’ consent
Broad-brush consents to data processing and the old pre-filled tick box approach will not suffice, as the thresholds for compliance will be higher under the GDPR. A request for consent must be given in an intelligible and easily accessible form, along with details of the purpose for processing the data. Consent received must be clear, and it must be as easy for a Data Subject to withdraw consent as it was to give it.
5. Action stations
The GDPR comes into force on 25 May 2018 and many companies have been taking action to get ‘GDPR ready’ for several months, even years in the case of larger organisations. Below are what we consider to be the three main actions UAE companies should take as soon as possible:
- Conduct a Data Protection Audit
UAE companies should consider, and take advice as to, whether and to what extent they are caught by the GDPR’s scope; to do this, a comprehensive operational audit should be conducted. It is also important for companies to assess and understand what, if any, personal data of Data Subjects they actually hold, where it is held, and for what purpose.
- Be aware of legal risks
Ensure that the entire business is aware of the legal risks associated with the GDPR so that it can remain proactive. For example, it is possible that some UAE companies may not currently be caught by the GDPR, but future projects, such as the launch of a new website which includes cookies, may mean that they fall under the GDPR in the future.
- Review and update agreements
UAE companies need to ensure that their agreements with customers and third parties (including standard terms of business in print and online) are GDPR ready. By this we mean that existing data protection provisions should be assessed and amended if they are not fit for purpose, and, where relevant, new provisions should be introduced that specifically deal with the GDPR.
6. Substantial fines
EU Regulators can impose significant fines for breaches of the GDPR, up to a maximum of 4% of annual global turnover or €20 million, whichever is the higher.
UAE companies should not assume that the GDPR will simply not apply to them by virtue of their non-EU based business. Close consideration ought now to be given to whether, and to what extent, your business is caught by the broadened, potentially extra-territorial scope of the GDPR.
If the GDPR does apply, UAE businesses must take action to ensure that they are compliant with the GDPR’s requirements and stringent timeframes, or risk being hit with hefty fines.
UAE businesses should also take the opportunity to ensure compliance with other applicable data protection legislation, including, of course, UAE laws and regulations.