Data and Consent: 6 ways that the EU’s General Data Protection Regulation (GDPR) impacts MENA businesses.

If you haven’t heard about the GDPR you will soon; it’s a set of regulations being brought in by the European Union in May 2018 to tackle data and, specifically, consent.

In this post, we paint a picture of its implications for businesses from a legal, content, reputation management and business development perspective, in the MENA region and globally, with valuable input from Fiona Robertson – Al Tamimi and Company’s Senior Legal Associate for Technology, Media & Telecommunications.

Read on guys, this is an important heads-up that’s not being discussed in the industry here as much as it needs to be. And when we say important – we mean important to the tune of 20 million euros. At least. So, let’s start at the beginning…

What is Consent?

In a nutshell, consent means offering users choice and control. With regards to data, the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

In the Middle East, as users we face real issues with consent – being relentlessly abused by marketers, who flog their wares flagrantly in the face of the law, using personal data they genuinely have no right to use. As marketers, we owe it to ourselves and the brands we represent to regulate how we use data and how we manage consent. Why? Because brand reputation matters.

Consent and Reputation Management

Placing legal ramifications aside – just for a moment because they’re the juicy bits – the benefits of getting consent right are significant both from a customer service and brand trust perspective.

By being compliant with global best practice, you are demonstrating to your customers that they are genuinely valued and respected. You’re elevating your brand above the competition. Getting it wrong means (at best) eroding brand trust, reputation damage and inhibiting the likelihood of customer engagement now and further down the line. So… what do you need to know?


In order to put together the following recommendations, we pored over the UK Information Commissioner’s Office Advice and joined forces with Fiona Robertson – the region’s leading light in Technology, Media and Telecommunications law. Please bear in mind that the legislation isn’t yet finalized – it’s released in May 2018 – but we hope this post serves as a guide to help you prepare.

  1. The first thing that you need to know is that there’s a lot to know and attention to detail is critical. Read the ICO’s advice (linked above). There are specific new provisions on a range of areas, including requirements around children’s consent for online services and, as you can imagine, consent for scientific research. The regulation applies to the manner of collection of data, the way data is secured and processed and the way in which it is used.
  2. While the regulation applies to the European continent, you will be subject to the law whenever your audience is on the continent. In addition, and really importantly, the regulation is drafted to apply to all EU citizens, no matter where they are resident. In reality, this means the law is to be treated as a global mandate, as finding out who is and who isn’t an EU citizen is not at all a practical reality and would represent a feat of data management in and of itself.
  3. Furthermore, the laws will apply to any entity that is part of an EU corporate structure. From a practical perspective, MENA subsidiaries will be expected to comply, as their European offices could be held liable for their errors.
  4. When it comes to UX design and data capture, assume nothing and do your homework. The draft regulation indicates that it will require specific and granular action. A blanket check box will not cover you off, so be thorough. Put a team together to ensure organizational-level understanding if you’re an agency and (at least) departmental-level understanding within Marcomms & IT if you’re client-side and – in all cases – set internal protocols and working processes.
  5. Another important point Fiona urges us to remember is that EU “Data Controllers” (who are the office-holders responsible for data in a corporate entity) must carry out due diligence regarding their suppliers’ data management processes, where those suppliers will be collecting or managing data on their behalf. Failure to undertake this due diligence may also result in a fine to the EU entity, so expect them to be very diligent in their due diligence! UAE companies that do not pass this due diligence process can expect to be overlooked for EU contracts. So, there’s a new business aspect to this as well, agencies. The agreements that you will see coming in from the EU will now include this higher standard for data collection, management and use. These clauses will not be negotiable, being required by the new law. This means that a company could be held in breach of contract if it fails to comply with the data provisions and could well be expected to include an indemnity for failing to comply as directed. Given the size of the fines involved, it will be important to take this contractual obligation seriously.
  6. If a complaint is made, then the EU will notify all people that it believes might have been subject to that breach. This could open your company up to wider findings of infringement and could well create a public relations crisis. This will also most certainly negatively affect your ability to secure future EU contracts.

As you can see, getting it wrong is costly – beyond reputation damage, businesses may face substantial fines. Infringements of the basic principles for processing personal data, including conditions for consent, are subject to the highest tier of administrative fines. It could mean a fine of up to 20 million euros or 4% of your total worldwide annual turnover, whichever is higher.

This is not just about obeying the law, it’s about best practice. In the near future, Fiona and I will be hosting a seminar on the GDPR and its implications. Drop us a message at hello@bravoromeobyaj.com and we’ll make sure you’re on our guestlist. Best of luck everyone!

 

Featured Image Credit: Pixabay.com
