Following the implementation of the General Data Protection Regulation (“GDPR”) in May 2018, we have been inundated with local clients asking to what extent GDPR impacts their business and to what extent they are required to comply. Due to the lack of a federal data protection regulatory framework in the UAE, clients have been unsure as to what changes, if any, they are required to make.

In contrast to “on-shore” clients, those registered within the Dubai International Financial Centre (“DIFC”) must comply with the current governing data protection law, the Data Protection Law, DIFC Law No. 1 of 2007. As many companies registered within the DIFC will also be caught by GDPR (and other relevant EU legislation), the Commissioner of the DIFC has issued a helpful guidance note, which takes account of all relevant laws to collate a list of “do’s” and “don’ts” when collecting and using individuals’ data. This guidance should be adhered to by all DIFC-registered entities that engage in direct marketing with individuals.

Overview of guidance note

The DIFC Commissioner’s guidance note sets out an overview together with do’s and don’ts covering the following topics:

  • Web scraping / Web mining
  • Consent / Opt-in
  • Third party consent or Indirect Consent
  • Soft Opt-in
  • Preference Services
  • Cold calling / telemarketing
  • Spam
  • Suppression Lists
  • Statistics and research

The main issue covered by several of the above topics is that of consent in relation to direct marketing communications. The key takeaway points are:

  • Where specific “opt-in” consent is required, the business must be sure that it can accurately collect, maintain, and update the validity of such consent. Effective means to withdraw consent are required, such as including an “unsubscribe” link in the body of the direct marketing email.
  • When considering whether or not third party consent/indirect consent is valid for use by a third party, it is imperative to look at the information provided when the initial consent was obtained, as third party consent cannot be inferred just because consent was granted to a similar organisation.
  • In the UAE, generally, “soft opt-in” provisions are not permitted, and the collection and use of personal data requires the express “opt-in” consent of the individual. Further, pre-ticked boxes are not allowed and do not constitute valid agreement to pre-selected marketing preferences.

Concluding remarks

Given the very broad reach of the GDPR and the awareness of this regulation across the UAE, we expect to see similar legislation introduced at a federal level in the coming years. In anticipation of such federal legislation, we increasingly see our clients updating internal procedures to implement a more regulation-based approach to the use, storage and collection of individuals’ data. This includes undertaking steps to clean up marketing lists and add clear permissions to ensure data is used only for the specific purpose for which it is collected.

Therefore, to the extent they have not already done so, businesses across the MENA region need to give due consideration to the data protection laws they are required to comply with, including free zone laws such as the DIFC Data Protection Law and the GDPR. In any event, the DIFC Commissioner’s guidance provides a good starting point for the best practices to adopt.