It is a significant time in the data protection and privacy space. As of 25 May 2018, the European Union's (EU) General Data Protection Regulation (GDPR) becomes enforceable and replaces the existing EU Data Protection Directive. Whilst the GDPR is intended to harmonise data protection rules across the EU, it also has extraterritorial effect, which means that many businesses in the UAE and the region will be impacted by the GDPR and should look to become compliant to the extent they are not already.
The GDPR applies to any business, whether a start-up, SME or multinational, operating in any industry. Any business which offers goods or services to individuals in the EU (free of charge or paid for), or monitors the behaviour of individuals in the EU, must comply with the terms of the GDPR.
Many of you will have read our previous Legal Corner published in December which described in detail what GDPR compliance involves, and we also held a popular Knowledge Series event in April at which key questions arising out of the GDPR were considered.
By way of a brief reminder, the principal concept at the centre of the GDPR is "personal data". This is broadly defined and includes any information relating to a natural person (referred to as a "data subject"), including "identifiers" such as device IDs, IP addresses, cookies, and location data. Personal data may also consist of a combination of pieces of information which, taken together, make an individual identifiable.
How is this relevant to non-EU businesses in the UAE?
If personal data of individuals in the EU is being “processed” (meaning collecting, using, disclosing and retaining personal data), by a non-EU business by way of offering goods or services, or through monitoring the behaviour of those individuals, the obligations under the GDPR will be triggered. Examples of monitoring may include online behavioral advertising, profiling and scoring for the purposes of risk assessment, and location tracking.
In addition, any non-EU business which carries out data processing activities on behalf of an EU business will also be subject to provisions of the GDPR and may be asked to enter into data processing agreements.
What are the key provisions of the GDPR?
- Non-EU businesses face restrictions on the transfer of personal data outside the European Economic Area unless appropriate safeguards are put in place, such as data transfer agreements.
- Personal data must be processed lawfully, fairly, and in a transparent manner in relation to individuals. This may include seeking consent from individuals, and communicating the purposes of and legal basis for the processing of data.
- Data subject rights have been enhanced under the GDPR, and now include the right to be forgotten, meaning that individuals can request that personal data is erased if they no longer want it to be processed. This is subject to certain qualifying conditions, such as the personal data being no longer necessary for the purposes for which it was collected. Also new under the GDPR is the right to data portability, which provides individuals with the ability to move their personal data from one environment to another, again subject to certain qualifying conditions.
- Data breaches must be reported to the data protection authority and (in certain circumstances) to the individuals whose personal data is affected. Such notification needs to take place within 72 hours of the data controller (namely, the entity who determines the purpose and means of processing personal data) becoming aware of the breach.
- Non-EU businesses processing data of individuals in the EU must appoint a representative in an EU member state as a point of contact for the relevant data protection authority. However, this requirement does not apply if the data processing is occasional, is not large scale, or where the company employs fewer than 250 employees.
- Internal records relating to processing activities must be maintained, including categories of personal data and the purpose of processing activities.
What are the penalties if my business is non-compliant?
There are very high penalties for serious breaches of the GDPR, but this will depend on which aspect of the GDPR has been breached. Fines of up to 20 million Euros or 4% of global annual turnover (whichever is the higher) may be imposed, and the supervisory authorities may also impose a range of sanctions. There is no grace period for compliance beyond 25 May 2018.
How can we help?
In partnership with a leading law firm, DMCC will be facilitating a “tech” legal clinic in the coming weeks at which member companies can seek legal advice on queries relating to GDPR, among other matters. Please look out for further details arriving in your inbox.