The impact of the GDPR on organisations in the UAE

Most of us have heard about the EU’s GDPR (General Data Protection Regulation), which came into effect on 25 May 2018. It applies to any organisation offering goods and services to, or monitoring the behaviour of, EU Residents – irrespective of where the organisation is based or the data is processed.

As UAE is a hospitable country and considered a major hub for international travellers, organisations in the UAE should take steps to comply with the GDPR.

With an appropriate data protection compliance framework in place, organisations in the UAE that process EU residents’ personal information not only will be able to avoid potentially significant fines and reputational damage but also show their customers that they are trustworthy and responsible, and ultimately derive added value from the data they hold.

Data subjects’ rights under the GDPR

The GDPR gives EU residents more control over how their personal information is collected and processed, and places a range of new obligations on organisations to be more accountable for data privacy and protection.

However, some organisations in the UAE and GCC (Gulf Cooperation Council) region still have insufficient knowledge of the Regulation’s requirements and data subjects’ rights under this law.

Some of their key rights are:

  • Right of access – Data subjects have the right to obtain confirmation from the data controller on whether personal data concerning them is being processed, where that processing takes place and for what purpose. The controller should provide a copy of the personal data, free of charge, in an electronic format if requested.
  • Right to be forgotten – In certain circumstances, data subjects have the right to request the data controller to delete their data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for when this right applies, as outlined in Article 17 of the GDPR, include the data no longer being relevant to the original purposes for processing or a data subject withdrawing their consent.
  • Right to data portability – The data subjects have the right to receive the personal data concerning them, which they have previously provided in a ‘commonly used and machine-readable format’ and have the right to transmit that data to another controller.

Organisations must also be aware of the new rules around breach notification – under the GDPR, where a data breach is likely to “result in a risk for the rights and freedoms of individuals”, data controllers must report breaches to the relevant supervisory authority within 72 hours of become aware of them. Data processors are required to notify controllers “without undue delay” after first becoming aware of the breach.

GDPR compliance is not just a matter of ticking a few boxes; the Regulation demands that you be able to demonstrate compliance (the accountability principle) with the data processing principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the transparency, accountability and individuals’ rights provisions, and building a workplace culture of data privacy and security.

What are the penalties for non-compliance?

The administrative fines are discretionary rather than mandatory; they will be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.

There are two tiers of administrative fines that can be levied:

  • Up to €10 million or 2% of the global annual turnover – whichever is higher.
  • Up to €20 million or 4% of the global annual turnover – whichever is higher.

The tier will be determined based on which article(s) of the Regulation have been breached. Infringement of the organisation’s obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level.

The key steps to GDPR compliance

The ability to prove GDPR compliance is critical, and a comprehensive and effective privacy compliance framework will develop evidence to support your compliance claims.

In some cases, the below GDPR compliance steps will supplement existing measures that many organisations adopt to comply with national laws in the Gulf region, including the DIFC Data Protection Law 2007 and Abu Dhabi Global Market’s Data Protection Regulations.

For some practical guidelines on how to become compliant, please read our key steps to GDPR compliance. This checklist highlights the essential steps you need to take to demonstrate compliance and recommends solutions.