A GDPR guide for the GCC’s small businesses

Many small businesses in the GCC (Gulf Cooperation Council) region mistakenly believe the EU GDPR (General Data Protection Regulation) doesn’t affect them because they are not based in Europe and have fewer than 250 employees.

Our GCC small business guide to the GDPR should help clarify things.

Does the GDPR apply to my GCC-based company?

If your organisation collects EU residents’ personal data, you need to comply with the GDPR.

The Regulation, which came into effect on 25 May 2018, applies to any organisation in the world that monitors the behavior of, or offers goods and services to, EU residents – meaning that many organisations in the GCC region are affected. It is very likely that you will need to make changes to your data processing practices.

Does the GDPR apply to small businesses?

Article 30 of the GDPR states that the Article (which relates to the documentation controllers and processors must keep regarding data processing) “will not apply to small businesses except if the processing results in a risk to the rights and freedoms or data subjects, processing is not occasional, or the processing includes special categories of data as referred to in article 9, or personal data relating to criminal convictions and offences”.

This means that there is limited exemption for small businesses so you might not need the comprehensive documentation that larger businesses are required to keep. Nevertheless, you may find that your customers or suppliers will ask you to have such documentation within their new GDPR-compliant contracts, so having it may give you a competitive advantage, and you will still need to comply with the rest of the regulation.

Do I need a data protection officer?

The GDPR states that specific organisations must appoint a DPO (data protection officer). Small businesses are not exempt, so if you fall into the following categories, you’ll need a DPO:

  • You are a public authority (except for courts acting in their judicial capacity).
  • You carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking).
  • You carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.

The good news is, you aren’t obliged to hire a full-time employee for this role. You can have someone who performs this alongside other duties (if they aren’t processing data and don’t have a conflict of interest), you can share a DPO with other organisations or you can outsource the role entirely. It may seem a daunting and expensive prospect, but there are cost-effective options out there for small businesses.

The key steps to GDPR compliance

The ability to prove GDPR compliance is critical, and a comprehensive and effective privacy compliance framework will develop evidence to support your compliance claims.

This checklist highlights the essential steps you need to demonstrate compliance. Some of these will supplement existing measures that many organisations adopt to comply with national laws in the Gulf region, including the DIFC Data Protection Law 2007, Abu Dhabi Global Market’s Data Protection Regulations and Qatar Personal Privacy Protection Law.

You can find more information about the differences between data protection laws in the GCC countries and the EU here >>

The GDPR - key steps for companies in the Gulf