In the past few weeks, your inbox is likely to have filled up with emails from companies requesting your permission to remain on their mailing list.
It’s not so much a spring clean on their part as the result of tough new legislation from the European Union (EU), which is set to affect businesses all around the world.
The General Data Protection Regulation (GDPR) will come into effect on 25 May after four years of deliberation. And while it stems from the EU, it will affect every company that trades with the bloc or has EU residents as customers. Those who fail to comply with the new regulations, designed to protect user data, will face heavy fines.
"The GDPR is a further step to ensuring individuals' rights to control what happens to their personal data in an increasingly digital and online world and aims to enable better business practices through ethical, responsible personal data management," Jacques Visser, chief legal officer and commissioner of data protection at the Dubai International Financial Centre (DIFC) Authority, tells The National.
And in April, The National reported that Abu Dhabi Global Market (ADGM), the international financial centre in Abu Dhabi, had been granted membership of the Global Privacy Enforcement Network (GPEN).
The GPEN membership will be headed by ADGM’s Registration Authority (RA), the data protection regulator of ADGM. Established in 2010, GPEN is an international network of data protection authorities comprising over 60 members from around 50 countries and regions, with the purpose of facilitating cross-border enforcement of privacy protection laws and strengthening personal privacy and data protection in a global context.
The GDPR, comprising 99 articles, sets out how companies must handle the data they collect. Data breaches must be reported to the supervisory authority within 72 hours of an organisation becoming aware of them. Sensitive data such as a person’s ethnicity or political views cannot be used by organisations when making certain decisions; a bank, for example, cannot draw on sensitive data when deciding whether to approve a loan. Sending mass marketing emails to people who have not opted in will also be illegal.
GDPR will force organisations to change the way they treat customer data and, by extension, the data subjects they target for their business. For many companies that have operations in the EU or do business with it, this means fundamentally changing the way they handle customer data.
In the Middle East, the UAE stands out as one of the EU’s largest trading partners, with trade exceeding Dh234 billion in 2017, while trade between the EU and GCC has grown by 54 per cent over the past 10 years, according to the European Commission. The businesses in the region that trade with the EU will now have to take GDPR into consideration. Companies that fall foul of the regulations may face fines of up to €20 million (Dh86.1m) or 4 per cent of annual worldwide turnover, whichever is greater.
“It has been drafted with a very broad extra-territorial reach and is relevant to the registered businesses in the Dubai International Financial Centre who are taking competent legal advice based on several factors including whether they have a global presence [particularly with ties to an EU country], and to whom it markets and monitors for business outside of the DIFC,” says Mr Visser.
But some firms in the region and wider world seem to be adopting a wait and see approach.
“We have been educating our clients, but only 10 per cent have taken the necessary steps in the right direction,” says Jude Pereira, managing director of Nanjgel Solutions. The company specialises in providing information security solutions and has operations in Dubai and Abu Dhabi as well as India, Belgium and the UK.
“The culture of data protection, the fundamental principles of privacy, are not necessarily in the DNA of every organisation and this is probably why businesses worldwide have been generally disoriented by the profound changes involved in the GDPR compliance,” she says. Several EU member states are expected to face delays in terms of GDPR readiness and this will probably be the case for many countries outside of the union.
But there are substantial benefits for organisations that comply. Compliance is likely to reduce the number of data breaches and thus prevent the financial and reputational damage they usually cause.
“There will be a positive enhancement in the personal data security area, which many organisations have neglected in the past with the obvious consequence of causing the extremely costly cyber security attacks the world is experiencing daily,” says Giampiero Nanni, head of government affairs, Europe Middle East Africa at the US based software company Symantec Corporation.
GDPR will also reduce the vast level of illegal trafficking in personal data which, according to Mr Nanni, has reached “industrial dimensions”.
Companies in the UAE may have to appoint dedicated data protection officers, whose main role will be to ensure that their organisation is adhering to GDPR. Record keeping is going to become even more crucial: organisations must be able to show what personal data they hold, why they hold it and what has been done with it, through a time-stamped audit trail and detailed records of processing activities.
The DIFC’s own Data Protection Law is pretty stringent and tracks existing EU laws, so companies operating in the free zone may well already be GDPR-compliant.
“Most DIFC businesses, if compliant with the DIFC law, will likely aim to employ a similar but expanded compliance approach to comply with the GDPR as they deem necessary,” says Mr Visser.
“The centre has updated its own online data protection policy to align with the strengthened accountability principles set out in the GDPR and is planning to align its current data protection legislative framework with that of GDPR within the foreseeable future.”
But outside of the DIFC, the legislation differs. While citizens in the UAE have a basic right to privacy under the constitution, there is no general data protection law in the country, nor a national regulator for data.
As of now, companies in the UAE are not legally obliged to publicly announce data breaches. Providing full visibility, as is required by GDPR, will be a break from current practice.
But even if an organisation in the region fails to comply with GDPR, it is unclear how the EU can enforce its decisions, because regulators and courts in the Middle East are not bound by EU law or by the rulings of EU courts and data protection authorities.
“Even if fines are imposed, we don’t know what will happen if you don’t pay,” says Rashmi Knowles, field chief technology officer for Europe, the Middle East and Africa at the US computer and network security company RSA Security. But, she points out: “The law says if you don’t pay a fine, then the EU can take away your right to process EU citizen data.”
It might take several more years for the world to become accustomed to GDPR and for the EU to work out how to properly enforce it globally, but the bloc has taken a vital step towards protecting user data and giving back some control to customers.
“We live in a global economy with lots of integrated businesses that operate across the globe,” says David Haynes, a research fellow at the UK’s Royal Academy of Engineering and a data governance expert. “Is it fundamentally reasonable for these businesses to operate under all the different legislations?”
GDPR is intended to level the playing field, says Mr Haynes, and somehow manage the billions of bytes of data produced every day.
Only time will tell if the EU's lofty ambitions become a worldwide reality.