In this ever-evolving digital age, data privacy has become more and more important. The UAE data privacy regulatory landscape is also evolving with a pending data protection law and Resolution N. 281 underscoring the need for data privacy in the context of Covid-19.
Data privacy relates to personally identifiable information (PII) such as full name, date of birth, address, and bank account details. Data privacy also includes protection of personal health information (PHI), such as medical records.
The principles of data privacy comprise data subjects’ top concerns related to their PII:
A recent and well-known example of policymakers’ attempts to address data privacy concerns is the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR aims to give EU citizens improved transparency and control over their personal data. Both EU- and non-EU based companies with a global presence are implementing measures to address GDPR requirements. Any international business that deals with European clients or handles data pertaining to EU citizens is subject to the GDPR. Compliance is not an isolated aspect of business that simply needs remodeling: it is a continuous effort to change business culture.
As the public is beginning to better understand how their data and online activity are collected, stored and sold, organizations are moving beyond legal requirements to address data privacy, as a matter of customer perception and trust. Most customers will more readily trust brands that give them control over how their data is used. This provides companies with an opportunity to gain trust and build loyalty. According to KPMG’s 2019 report, The truth about customer loyalty, 14% of consumers based in the United Arab Emirates (UAE) do not belong to loyalty programs because they do not want their data tracked.
Data breaches can also be costly to an organization in terms of both reputational and operational impact. With new data protection regulations coming into force around the world, legal and financial implications, as well as penalties following a breach, must also now be taken into consideration. Given that data privacy is such a prevalent issue, many organizations are investing an increasing proportion of their annual budget in protecting their data.
The UAE is entering the fifth-generation era in a bid to enable swift and coordinated responses to cyber incidents. Data protection laws already exist in economic hubs such as Dubai International Financial Centre (DIFC) (since 2007) and Abu Dhabi Global Market (since 2015). A new data protection law is currently being proposed for DIFC in 2020. To promote ethical data sharing, the proposed data protection law combines a variety of leading data protection laws, including the GDPR and the California Consumer Privacy Act.
In conjunction with ongoing legal efforts, the Dubai Chamber of Commerce and Industry hosted a workshop earlier this year that focused on the legal aspects of data privacy and protection in the emirates. Organizations in the UAE must be informed about the legal and practical aspects of data privacy and be prepared to adhere to data privacy best practices.
Furthermore, the UAE’s Telecommunication Regulatory Authority (TRA) has launched a 2020-2025 National Cybersecurity Strategy, which includes crucial aspects of data privacy; a national-level data protection law may follow soon. Such a law would include maintaining a register of data controllers and enforcing regulations upon them, while upholding the privacy rights of individuals.
It is important to note that all UAE industries processing international customer data are already impacted by the GDPR and other international privacy laws. If an organization in the UAE processes personal data and offers goods or services to individuals based in the EU, it is required to be compliant with the GDPR. Similarly, this applies to organizations in the UAE that have an establishment in the EU and are processing personal data in that establishment.
In the current context of Covid-19 and rapid setup of work-from-home solutions, the UAE Ministry of Human Resources & Emiratization adopted Resolution N. 281 of 2020 on 29 March 2020. This requires the UAE’s private sector to ensure a secure technological environment, by observing regulations related to maintaining data privacy and confidentiality, and limiting users’ ability to enter certain systems.
The UAE’s pending data protection law and Resolution N. 281 underscore the need for data privacy in the context of Covid-19. Organizations in the UAE may want to consider the following:
Data privacy is a complex matter that can be difficult to navigate. KPMG’s holistic Privacy Management Framework provides a practical and pragmatic structure for the day-to-day management and oversight required to manage privacy.
Some major aspects that we will be covering in a series of data privacy posts include the following: