GDPR compliance alert

UAE companies running out of time to comply with EU data protection regulations, says lawyer

A UAE-based lawyer today warned a large number of businesses operating in the UAE, that in order to do business in the EU, or monitor the behaviour of EU residents, they will have to comply with new data protection laws before May 25, 2018, or potentially face severe penalties.

Companies fitting this criteria and falling within the scope of EU General Data Protection Regulation 679/2016 (GDPR), which will supercede the current Data Protection Directive 95/46/EC, could face fines of €20 million or four per cent of annual worldwide turnover, if not fully compliant by the deadline.

According to Nathan Banks, managing partner of Banks Legal, a UAE law firm operating across the region since 2009, the GDPR, which has been under discussion for over the past four years, aims to set a new fit-for-the-digital-age standard for consumer rights regarding their data. The directive is set to strengthen the control individuals have over their personal data and improve the manner in which data is processed.

Banks said: “Enforcement of this will be wide-reaching and, from industry conversations we’ve had, it’s abundantly clear many companies that should be addressing this major regulatory change are not yet taking measures to comply – leaving themselves open to punitive action.

“Currently, UAE regulatory bodies such as Dubai International Financial Centre, Abu Dhabi Global Markets and Dubai Healthcare City Authority have their own data protection laws, which are closely aligned with the imminently-obsolete EU Data Protection Directive 95/46/EC.”

The UAE has used EU regulations as an important benchmark in the past and is likely to do so again in the future. UAE companies are being encouraged to align their business standards with EU data regulations, as best practice.

Banks explained UAE-based companies with EU business concerns and personal customer data will not be exempt from the new directives based upon location and need to prepare in order to avoid potentially serious consequences. Nathan Banks suggests the following steps for organisations to protect themselves:

• Establish revised, transparent and easily accessible privacy and data protection policies and procedures
• Create a framework for accountability by monitoring, reviewing and assessing data processing activities
• Consider adopting the Binding Corporate Rules to ensure a legitimate basis for international data transfers
• Review and update all existing contracts with data processors and customers to provide for more stringent data protection and consent clauses
• Evaluate insurance policies to ensure the company is adequately protected in the event of data breaches
• Conduct internal training sessions to ensure employee compliance with new data protection obligations
• Companies with particularly large databases should consider whether employment of a data protection officer is required

Banks Legal recently assisted a marketing technology client, with offices across 14 countries including the UAE and UK, in reviewing its existing policies and procedures for the new EU regulations. This client is now well positioned for any future regulation changes the UAE may introduce.

Banks concludes: “Never has it been more important for companies in the UAE to comply with their data protection obligations and educate themselves on the changing regulations regarding fair and legitimate collection and use of personal data.”