I’m sure you’ve seen it all over the web - LinkedIn, Twitter, news, blogs – people talking about something called GDPR (or sometimes GRDP or GDRP). Companies are all of a sudden spamming you with notices of changes to their data privacy policies and requesting your consent for marketing. And you are left wondering: what exactly is GDPR and how does it affect me?
GDPR is simply the abbreviation of a new set of EU rules on personal data protection known as the General Data Protection Regulation. And when we say personal data protection, we do not refer to cyber security, but to the processes, policies, internal controls and measures an organization needs to put in place to ensure that it processes data legally, fairly, transparently and securely. Cyber security is a necessary building block of data protection, but on its own it is far from sufficient for privacy compliance. The GDPR contains 99 articles and will apply from 25 May 2018, replacing the 20+ year-old EU Data Protection Directive. While the GDPR is an EU regulation, it will affect companies targeting EU markets – whether these companies are based in Europe or not. The GDPR seeks to address directly the challenges of the new era of big data, artificial intelligence (AI) and complex data ecosystems. One of its main goals is to give individuals meaningful control over their data and to secure an appropriate standard of enforcement.
With its extraterritorial scope, the GDPR will apply to companies based in the UAE that collect, store, access, use or in any other way manipulate the data of people in the EU. It will apply as well to companies based in the UAE that have an establishment within the EU. This means that any company offering goods or services to the EU market could potentially be affected by the GDPR. The GDPR is not industry specific: e-commerce, hospitality, airlines, social media and big retail are only indicative examples, and any company handling the data of people in the EU can be affected.
Putting GDPR aside, privacy and data governance should be high on UAE’s agenda given that the country strives to position itself as a hub for innovation with specific focus on digital and AI. For instance, the UAE has appointed a dedicated Minister of State for Artificial Intelligence and has developed a UAE Centennial 2071 Strategy aiming to transform the UAE into the best country in the world. One of the pillars for achieving this is to promote advanced technology and engineering. High-budget projects on digital transformation have been multiplying, along with initiatives around cryptocurrencies and blockchain. For example, the UAE has launched an end-to-end virtual courtroom (ADGM eCourts).
While there is no general data protection law in the UAE which applies uniformly across the country, there are provisions in relation to privacy and personal data protection contained in the UAE Constitution, the Cyber Crime Law (Federal Decree Law No. 5 of 2012), and the Telecommunications Law (Federal Law by Decree No. (3) of 2003). In addition, Dubai International Financial Center (DIFC), a free zone, has its own data protection regime, which is comparable to the EU legislative framework. Generally, the UAE has acknowledged the importance of privacy and personal data protection. At the Data Privacy Day this year, the Ministry of Finance stated that privacy and data protection is more important than ever before and that implementing best international practices on data protection is crucial for establishing a sound economic environment that gains the trust of investors and financial institutions.
Since the GDPR is widely considered the highest standard of privacy protection worldwide, UAE companies that want to embed privacy in their culture can only benefit from using it as a reference, whether or not it applies to them directly. There are three reasons why the GDPR matters even here.
First, because of the fines. The GDPR foresees fines that can reach up to 4% of a company’s total worldwide annual turnover or EUR 20 million (about AED 85 million), whichever is higher. These are maximum fines, so don’t panic!
Second, because of its reach. With its extraterritorial scope, the GDPR will affect a large number of companies outside the EU.
Third, reputational impact. Data is the oil of our era and its protection is key. Privacy has become a trend that is not going away anytime soon. This is evident from the high-profile data and privacy breaches making the headlines daily. Facebook, Equifax, Yahoo and Uber, to name just a few, have seen their share price or valuation fall sharply after their data incidents, followed by decreased trust amongst customers.
Dealing with big data without well-embedded privacy and data governance as a foundation is no longer sustainable, so organizations had better adapt. GDPR is perceived as the new “gold standard” for privacy, and many countries intending to reform their existing privacy regulations or introduce new ones will most probably look to the GDPR. So, whether GDPR directly applies to your organization or not, do you really want to be the one that remains in a silo and chooses to be outdated and vulnerable to reputational damage? With individuals becoming increasingly aware of their rights, such as the “right to be forgotten” (the right to erasure), this trend is only likely to grow.
Yes, there are potentially big fines associated with GDPR, but don’t panic. It would be surprising if, as of 26 May (a Saturday), regulators opened a witch-hunt for companies and started fining them millions. We all know that 100% compliance with any new legislation is difficult. Therefore, UAE companies should take a risk-based approach and start doing their homework to limit the risk of a fine and/or reputational damage and to demonstrate accountability. In case of a breach leading to a potential fine, regulators will take multiple factors into account when determining its amount. The GDPR itself lists these: the nature, gravity and duration of the infringement and its impact on individuals’ rights, whether it was intentional or negligent, the technical and organizational measures the organization had in place, and the organization’s ability to demonstrate that it has not been neglecting privacy and has done its due diligence.
Take it step by step, but don’t wait too long to start your privacy improvement exercise, as it is a journey rather than a tick-box exercise. You don’t want to take the risk of being under the spotlight of a data or privacy breach. As a start, you could engage in a privacy health check, if you haven’t done one yet, and determine your key risk areas and how important privacy is to your organization. Then, embark on a privacy remediation program. Depending on the size of your organization and how data-driven you are, this could mean six months, a year or even two. One should not underestimate the time and resources necessary for a successful privacy improvement program. Most of the time, privacy is something quite new to companies, which means that designing the necessary privacy controls and processes is one thing, but effectively implementing them is another. Privacy improvement programs are change management programs – they take time, as they often require a significant shift in organizational culture. Therefore, it is important that you start as early as you can, as neither compliance with 99 articles nor successful implementation of privacy within an organization can be achieved in a day.
More and more companies in the UAE are becoming aware that GDPR is likely to apply to them, and the fact that companies worldwide are taking action on privacy and GDPR is creating a general sense of urgency. Some companies in the region have already embarked on fully-fledged privacy improvement programs and privacy audits, and have started appointing Data Protection Officers or similar specialized functions with privacy expertise to help them embed privacy compliance effectively. Companies have started looking at how they manage consent collection and withdrawal, revisiting their privacy notices, and conducting privacy training and awareness campaigns.
Generally, organizations have started realizing that privacy is a core component of data governance and that, GDPR or not, privacy has become a competitive necessity. The view of privacy as a pure compliance matter is fading, and some companies have built strategies around privacy and integrated it into their Corporate Responsibility agenda.
The bottom-line is that establishing privacy as a core value within your organization can be an opportunity to reposition your brand on the market and build a competitive advantage, because nowadays privacy equals consumer trust.
Written by Dessi Vitcheva