What is the GDPR?
The General Data Protection Regulation, or GDPR, is coming into effect on 25th May 2018, and many UAE businesses that handle EU citizen’s personal data are contemplating how it will affect them and what they need to do to comply.
IT teams now have just over six months to ensure that their companies policies and processes adhere to the new regulations, and if they don’t, that they able to change them before the deadline rolls around.
Failure to do so may mean a fine of up to €20 million or 4% of the organisation’s global annual turnover (whichever is higher). Depending on a company’s size and structure, the GDPR has the potential of exposing companies to penalties amounting to billions of euros.
Who will need to be compliant?
It’s not simply EU companies that are affected by the GDPR. Organisations outside of the EU, including the UAE, must be compliant if:
1) They have branches, representatives or subsidiaries in the EU
2) They provide goods or services to EU citizens, even if they have no physical presence within the EU
3) They process and analyse EU citizens personal data in any way, even if they have no physical presence, or provide no goods or services to the EU
As the European Union and the United Arab Emirates have a substantial trading relationship, it will be important to comply with the GDPR for this to continue.
Is your business going to be affected by the GDPR?
Yes. So, where do you go from here?
You have 2 options:
1) If you DO NOT WANT to be affected, then you must determine how your business will need to change so that it doesn’t deal with EU citizen’s personal data
- Make it clear your company’s website/app is not intended for EU citizens. Make use of geo-blocking technology where access to your content is restricted based upon geographical location.
2) If you ACCEPT you’re going to be affected, start looking at the necessary steps you will have to take to comply.
- Let’s have a look at some of the information below
The key challenges of GDPR compliance
- “Personal data” is now more specific, including IP addresses, location data and device ID’s, and “sensitive personal data” now includes genetic and biometric data.
Does your company handle any of this newly specified data?
- “Accountability and Governance” are now included in the GDPR regulations. Article 5(2) states “a controller shall be responsible for, and be able to demonstrate, compliance with the principles” of handling an individual’s personal data. This means an enhancement on record keeping and current data protection policies.
Does your company require a specific data protection officer?
- An individual’s rights are more in depth, allowing them access whenever they ask for it. Also, consent for an organisation to use an individual’s personal data must be obvious, freely given, and clear. They must also be informed of what it will be used for, and everything must be recorded in an audit trail.
Does your company manage consent data now?
They will only be valid if they meet the new requirements. If they do not, all consents must be renewed.
- Data must be transparent, and your company must know where, how and for what purposes personal data is being processed. Data mapping, new policies and procedures, and general awareness training for staff are necessities for companies to comply.
For example, once data is no longer needed for the lawful basis of which your company obtained it, it should not be kept. All data must also be accurate and up to date.
- Security processes must be robust for companies to keep EU citizen’s personal data safe. Procedures must also be in place for when there is a breach.
Why should the UAE care about the GDPR?
Reported in Gemalto’s 2016 Breach Level Index, worldwide data breaches were up by 86% compared to 2015. The UAE alone was up by almost 17% with identity theft accounting for the majority. Data security is becoming much more important to companies who wish to keep their customer’s information safe.
Currently, data protection and privacy differ across Middle Eastern countries. There is no federal data protection law within the UAE, for example. If there are policies in place, they are localised for individuals and organisations, and are often very general.
Some parts of the UAE operate as “economic free zones”, which have “independent privacy regimes” such as the Dubai International Finance Centre (DFIC). But changes are already set to occur to generate harmonisation with the GDPR and to toughen the policies currently in place.
According to Dr. Jassim Haji, Director of IT at Gulf Air, the GDPR could even “serve as a catalyst for nations in the [Middle Eastern] region to enforce stronger privacy protections”. It is currently not mandatory to disclose breaches either, and so the GDPR will all.