What is data privacy?
In this ever-evolving digital age, data privacy has become more and more important. The UAE data privacy regulatory landscape is also evolving with a pending data protection law and Resolution N. 281 underscoring the need for data privacy in the context of Covid-19.
Data privacy relates to personally identifiable information (PII) such as full name, date of birth, address, and bank account details. Data privacy also includes protection of personal health information (PHI), such as medical records.
The principles of data privacy comprise data subjects’ top concerns related to their PII:
- Consent management: Have I agreed to my data being collected?
- Transparency: Have I received an explanation about why my data is being collected?
- Purpose limitation: Is my data collected solely for the purpose that has been stated to me? Is more information than required being collected?
- Data subject access requests management: Will my requests to access, modify or delete my data be addressed in a timely manner?
- Third parties: Is my data being shared with third parties? How is it protected when shared?
- Privacy by design: Will my data privacy be consistently protected across the organization’s systems?
Why is data privacy important?
A recent and well-known example of policymakers’ attempts to address data privacy concerns is the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR aims to give EU citizens improved transparency and control over their personal data. Both EU-based and non-EU-based companies with a global presence are implementing measures to address GDPR requirements. Any international business that deals with European clients or handles data pertaining to EU citizens is subject to the GDPR. Compliance is not an isolated aspect of business that simply needs remodeling: it is a continuous effort to change business culture.
As the public is beginning to better understand how their data and online activity are collected, stored and sold, organizations are moving beyond legal requirements to address data privacy as a matter of customer perception and trust. Most customers will more readily trust brands that give them control over how their data is used. This provides companies with an opportunity to gain trust and build loyalty. According to KPMG’s 2019 report, The truth about customer loyalty, 14% of consumers based in the United Arab Emirates (UAE) do not belong to loyalty programs because they do not want their data tracked.
Data breaches can also be costly to an organization in terms of both reputational and operational impact. With new data protection regulations coming into force around the world, legal and financial implications, as well as penalties following a breach, must also now be taken into consideration. Given that data privacy is such a prevalent issue, many organizations are investing an increasing proportion of their annual budget to protect their data.
How are organizations in the UAE affected?
The UAE is entering the fifth-generation era in a bid to enable swift and coordinated responses to cyber incidents. Data protection laws already exist in economic hubs such as Dubai International Financial Centre (DIFC) (since 2007) and Abu Dhabi Global Market (since 2015). A new data protection law is currently being proposed for DIFC in 2020. To promote ethical data sharing, the proposed data protection law combines a variety of leading data protection laws, including the GDPR and the California Consumer Privacy Act.
In conjunction with ongoing legal efforts, the Dubai Chamber of Commerce and Industry hosted a workshop earlier this year that focused on the legal aspects of data privacy and protection in the emirates. Organizations in the UAE must be informed about the legal and practical aspects of data privacy and be prepared to adhere to data privacy best practices.
Furthermore, the UAE’s Telecommunication Regulatory Authority (TRA) has launched a 2020-2025 National Cybersecurity Strategy which includes crucial aspects of data privacy; a national-level data protection law may follow soon. Such a law would include maintaining a register of data controllers and enforcing regulations upon them, while upholding the privacy rights of individuals.
It is important to note that all UAE industries processing international customer data are already impacted by the GDPR and other international privacy laws. If an organization in the UAE processes personal data and offers goods or services to individuals based in the EU, it is required to be compliant with the GDPR. Similarly, this applies to organizations in the UAE that have an establishment in the EU and process personal data in that establishment.
In the current context of Covid-19 and the rapid setup of work-from-home solutions, the UAE Ministry of Human Resources & Emiratization adopted Resolution N. 281 of 2020 on 29 March 2020. This requires the UAE’s private sector to ensure a secure technological environment by observing regulations related to maintaining data privacy and confidentiality, and by limiting users’ ability to enter certain systems.
The UAE’s pending data protection law and Resolution N. 281 underscore the need for data privacy in the context of Covid-19. Organizations in the UAE may want to consider the following:
- Data privacy is not a one-off, ‘tick the box’ compliance activity, but may require a deliberate shift in an organization’s culture.
- Customers and their data should be at the heart of the organization’s privacy strategy.
- A strong privacy governance structure is an essential foundation for robust privacy management. Technology solutions alone are not enough to address privacy regulations.
- Data privacy processes, roles and culture need to be developed in time for the upcoming regulatory changes.
- The organization must be prepared to respond to breaches quickly and effectively to avoid reputational and financial damage.
- A strong data privacy program can be a competitive differentiator, inspiring customer loyalty and improving brand value.
KPMG’s Data Privacy Services
Data privacy is a complex matter that can be difficult to navigate. KPMG’s holistic Privacy Management Framework provides a practical and pragmatic structure for the day-to-day management and oversight required to manage privacy.
Some major aspects that we will be covering in a series of data privacy posts include the following:
- Data classification is the practice of identifying the level of security and privacy protection to be applied to data types or data sets, and the scope in which they can be shared within and outside the organization.
- Data privacy gap assessments are an exercise conducted to identify an organization’s level of compliance against a regulation or standard.
- Data privacy management is the development of a management and governance system for the protection of data privacy. In some cases, software solutions are utilized to facilitate this process.
- Consent management is the process that allows an organization to meet data protection regulations by obtaining user or customer consent for collecting their data.
- Data subject access requests management is the process that allows customers to request access to their data, modify their data, or exercise their right to be forgotten.
- Breach management is the process that must take place should an incident or breach occur either within the organization or externally by a third-party data processor.