
Data Protection in The UAE

July 7, 2020

Data protection in the UAE and the urgent need for compliance

The Covid-19 crisis has exacerbated the issue of data protection as companies continue to work remotely and tighten health and safety procedures in the office.

“It’s the processing issues that are compounded,” says Lori Baker, vice president, legal and director of data protection at Dubai International Financial Centre (DIFC). “Where are all those temperature readings that get logged? In handwritten notes or in their CRM system? Will they purge it eventually, who are they sharing it with, are there any controls in those exchanges, what happens if sharing that data results in damage to an individual? All of those processing issues are to me the biggest ones that need sorting.”

These concerns are in addition to the intensified risks of remote working, with employees often working without the same security protections that come with being in an office. This in itself is in addition to the fact that we are all walking, talking data points, with an estimated 2.5 quintillion bytes of data created every day. That’s more than 300 million data points for every human on the planet.

“Data is currency,” says Baker. “It’s being collected every time you click on an app (local or otherwise), make reservations at a restaurant or the movies, and now with Covid restrictions, every time you request a permit, get your temperature taken (which is sensitive personal data and requires extra controls). Every single element of personal data needs to be analysed from a controls perspective.”

Data protection has been a hot topic for years, with its significance only set to increase as new data protection regulations are rolled out and companies take the decision to allow more employees to work remotely. This is in addition to the continued digital transformation of businesses, which ensures data protection will remain a top priority.

It was for these reasons that the Advertising Business Group (ABG), which advocates responsible advertising standards across the GCC, held a wide-ranging discussion on the topic of data protection as part of its Speaker Series earlier this year. During the session Alexandra Neri, who leads the intellectual property and technology, media and telecom practice at Herbert Smith Freehills in Paris, discussed the impact of the EU’s General Data Protection Regulation (GDPR) on businesses in the UAE.

A groundbreaking piece of legislation, the GDPR revolutionised the way data is protected, placing an emphasis on the rights of the individual over their personal data and giving them far greater control over the collection, storage and processing of their personal data. To date it is the most significant piece of legislation to have been produced in the digital age.

One of the many repercussions of the GDPR has been its impact on national or free zone laws outside of the EU. Although the regulation is only applicable to UAE companies that trade in the EU, offer goods or services to people who live there, or monitor their behaviour, DIFC launched an updated GDPR-inspired data protection law on 1 June. Combining the best practices of other data protection laws such as the California Consumer Privacy Act, the new Data Protection Law (DPL) 2020 puts in place some of the highest standards of privacy protection in the world.

The DPL came into effect on 1 July but because of the disruption caused by Covid-19, companies have until 1 October to be compliant.

The repercussions for UAE-based companies are obvious. Even if the scope of the new regulations is restricted to DIFC-licensed entities, non-DIFC companies that have branches, affiliates or subsidiaries in the free zone, or who transfer data outside of the financial centre, will be affected. As such, if companies aren’t already GDPR-compliant because of trade with Europe, the likelihood is that they will soon have to be. What’s more, the DPL will tackle some of those areas where the GDPR proved impracticable, including its application for blockchain-based businesses and activities.

“It’s not a complete overhaul, it doesn’t radically change what’s already there,” says Baker. “But it does bring the law into modern times and addresses topical concepts like how to erase data when it is unerasable, for example. It’s important because it remains the most complete, in-depth, mature law in the Middle East and Central Asia, and we hope to help lead the UAE as it always has in being a forward thinking, agile country, especially as a destination for tech and IT businesses. And above all, it affords better protections to the fundamental rights of all individuals that deal with DIFC.”

So what should companies be doing to prepare for the DPL’s 1 October deadline, or to ensure they’re GDPR-compliant? To begin with, a thorough data impact assessment is essential. This will involve many internal stakeholders, including legal, finance, human resources, marketing and IT, but also external third-party service providers such as cloud hosts, web developers, payment gateway providers and insurers.

“This journey is especially complex because it will impose technical changes on existing infrastructure that does not necessarily interoperate or support the new requirements to effect certain new rights introduced by the GDPR, such as the right to be forgotten,” said Adriaan Bloem, the head of digital infrastructure at MBC Group, during the ABG Speaker Series. “Another practical challenge companies may likely face is to align the various interests and perspectives of different teams on one common goal. It is crucial to keep in mind that compliance is not a one-off set of actions to tick a box. It is a mindset and a living policy to guide your organisation’s data practices.”

Bloem’s colleague, Sara Maroun, legal counsel for the MBC Group and the moderator of the ABG discussion, also stated that complying with data protection regulations required all company stakeholders (especially legal and tech teams) to work closely together to ensure successful compliance.

One of the most common misconceptions is the belief that regulations such as the GDPR or DPL only apply to the online environment. They don’t. They are technology neutral and apply to the processing of personal data no matter how it takes place, be it online, offline, via an app or through human resources.

“There’s a lot more that you need to prepare for than simply asking for permission to collect data from a website,” says Elda Choucair, chief executive of PHD MENA. “You have to think about all aspects of the business. All the information you have, how you collect it: security cameras, fingerprint access to buildings, HR systems that create a profile of every individual who works for your company. How are you maintaining privacy? Does the employee know that this information is kept in confidence? These are the sorts of things that you don’t necessarily think about when you think GDPR-compliant.”

What’s more, further regulations relating to data protection are imminent. Members of the UAE’s Federal National Council recently passed a new draft consumer protection law that, once ratified, will include the protection of consumers’ privacy and the security of their data. The latter will particularly relate to the use of personal data for promotional or marketing activities.

“We need to take the initiative rather than wait for regulation to come into effect and then act,” says Choucair. “Think about what you should be doing now and start working on it.”