GDPR: A New Era of Data Regulation

What does it mean for businesses in the Middle East?

Last September we penned an article on the upcoming GDPR laws (General Data Protection Regulation) and the potential implications for the MENA region. At the time of writing, information was scarce and the impact for the region was unclear. 25th May is “G-Day” – so if you’re late to the party and need a cheat-sheet, we’re here to help.

To recap, the GDPR is a set of regulations being brought in by the European Union this month to tackle data and specifically consent. Described as the most comprehensive data privacy law in history, it comprises 99 articles that define how companies must approach data collection and its management.

What is Consent?

In a nutshell, consent means offering users choice and control. With regards to data, the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” 

In layman’s terms, this means that individuals will have the power to demand that a company reveals or deletes the personal data it holds on them. In addition, it changes the rules of engagement from a marketer’s point of view; for example, sending out mass marketing emails to people who have not opted in will be illegal.

What does GDPR mean for businesses in the UAE?

With the new laws coming into effect on the 25th of May, companies in the UAE are trying to determine what the business implications will be for them. In the past week we’ve seen a significant spike in the number of searches for information surrounding GDPR, as indicated below:

[Image: Google Trends graph showing the spike in searches for “GDPR”. Source: Google Trends]

The EU has made GDPR and its implications very clear: it applies to companies within the EU, as well as to any companies that offer goods or services to, or monitor the behavior of, people within the EU. Obviously, this affects a great many companies operating out of the MENA region who have audiences, market share and even employees within the EU.

Getting it wrong is costly – beyond reputation damage, businesses may face substantial fines. Infringements of the basic principles for processing personal data, including conditions for consent, are subject to the highest tier of administrative fines. It could mean a fine of up to 20 million euros or 4% of your total worldwide annual turnover, whichever is higher.

[Image: GDPR. Image Credit: Mysolomon]

However, what is not yet clear is how the EU will enforce these regulations, particularly in the region, as the Middle East is not bound by the European Court of Human Rights.

Data Laws and best practice in Dubai

While it may not be completely clear how the EU regulations will be policed, Dubai’s stance on the issue of data privacy, management and protection is unequivocal. In February 2018, Smart Dubai launched the Dubai Data Policies to regulate the classification, publication, sharing, storage, use and re-use of open data.

What’s the benefit of GDPR for companies?

Legalities aside, here at Bravo Romeo we believe that stricter regulations surrounding data are a welcome change. Following the Cambridge Analytica scandal, data privacy made headlines worldwide, and people have made an effort to become more aware of how their data is managed and more discerning about giving consent for companies to use it. Realistically, almost every business today is data-driven and digital. The cyber-security threat is real, and it is imperative to both personal and commercial safety, as well as to business continuity, that data is managed securely. It’s not just about compliance; it’s about best practice and ensuring that we, as an industry, support GDPR as a catalyst for positive change with regard to cybersecurity, both globally and in the region.

Don’t get us wrong, it’s not all doom and gloom! Ultimately, the correct management of data means that companies are better placed to manage it as a strategic business asset. Data is arguably set to become the most valuable currency, so by complying, organizations will ensure they reap the benefits of it.


Featured Image Credit: Shutterstock. Image ID: 731051713

Data and Consent: 6 ways that the EU’s General Data Protection Regulation (GDPR) impacts MENA businesses.

If you haven’t heard about the GDPR you will soon; it’s a set of regulations being brought in by the European Union in May 2018 to tackle data and, specifically, consent.

In this post, we paint a picture of its implications for businesses in the MENA region and globally, from a legal, content, reputation management and business development perspective, with valuable input from Fiona Robertson – Al Tamimi and Company’s Senior Legal Associate for Technology, Media & Telecommunications.

Read on guys, this is an important heads-up that’s not being discussed in the industry here as much as it needs to be. And when we say important – we mean important to the tune of 20 million euros. At least. So, let’s start at the beginning…

What is Consent?

In a nutshell, consent means offering users choice and control. With regards to data, the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

In the Middle East, as users we face real issues with consent – being relentlessly abused by marketers, who flog their wares flagrantly in the face of the law, using personal data they genuinely have no right to use. As marketers, we owe it to ourselves and the brands we represent to regulate how we use data and how we manage consent. Why? Because brand reputation matters.

Consent and Reputation Management

Placing legal ramifications aside – just for a moment because they’re the juicy bits – the benefits of getting consent right are significant both from a customer service and brand trust perspective.

By being compliant with global best practice, you are demonstrating to your customers that they are genuinely valued and respected. You’re elevating your brand above the competition. Getting it wrong means (at best) eroding brand trust, reputation damage and inhibiting the likelihood of customer engagement now and further down the line. So… what do you need to know?

[Image: data protection. Image Credit: pixabay.com]

In order to put together the following recommendations, we pored over the UK Information Commissioner’s Office advice and joined forces with Fiona Robertson – the region’s leading light in Technology, Media and Telecommunications law. Please bear in mind that the legislation isn’t yet finalized – it’s released in May 2018 – however, we hope this serves as a guide to help you prepare.

  1. The first thing that you need to know is that there’s a lot to know and attention to detail is critical. Read the ICO’s advice (linked above). There are specific new provisions on a range of areas, including requirements around children’s consent for online services and, as you can imagine, consent for scientific research. The regulation applies to the manner of collection of data, the way data is secured and processed and the way in which it is used.
  2. While the regulation applies to the European continent, when your audience is on the continent, you will be subject to the law. In addition, and really importantly, the regulation is drafted to apply to all EU citizens, no matter where they are resident. In reality, this means the law is to be treated as a global mandate, as finding out who is and who isn’t an EU citizen is not at all a practical reality and would represent a feat of data management in and of itself.
  3. Furthermore, the laws will apply to any entity that is part of an EU corporate structure. From a practical perspective, MENA subsidiaries will be expected to comply, as their European offices could be held liable for their errors.
  4. When it comes to UX design and data capture, assume nothing and do your homework. The draft regulation indicates that it will require specific and granular action. A blanket check box will not cover you off, so be thorough. Put a team together to ensure organizational-level understanding if you’re an agency and (at least) departmental-level understanding within Marcomms & IT if you’re client-side and – in all cases – set internal protocols and working processes.
  5. Another important point Fiona urges us to remember is that EU “Data Controllers” (who are the office-holders responsible for data in a corporate entity) must carry out due diligence regarding their suppliers’ data management processes, where those suppliers will be collecting or managing data on their behalf. Failure to undertake this due diligence may also result in a fine to the EU entity, so expect them to be very diligent in their due diligence! UAE companies that do not pass this due diligence process can expect to be overlooked for EU contracts. So, there’s a new business aspect to this as well, agencies. The agreements that you will see coming in from the EU will now include this higher standard for data collection, management and use. These clauses will not be negotiable, being required by the new law. This means that a company could be held in breach of contract if it fails to comply with the data provisions and could well be expected to include an indemnity for failing to comply as directed. Given the size of the fines involved, it will be important to take this contractual obligation seriously.
  6. If a complaint is made, then the EU will notify all people that it believes might have been subject to that breach. This could open your company up to wider findings of infringement and could well create a public relations crisis. This will also most certainly negatively affect your ability to secure future EU contracts.

As you can see, getting it wrong is costly – beyond reputation damage, businesses may face substantial fines. Infringements of the basic principles for processing personal data, including conditions for consent, are subject to the highest tier of administrative fines. It could mean a fine of up to 20 million euros or 4% of your total worldwide annual turnover, whichever is higher.

This is not just about obeying the law, it’s about best practice. In the near future, Fiona and I will be hosting a seminar on the GDPR and its implications. Drop us a message at hello@bravoromeobyaj.com and we’ll make sure you’re on our guestlist. Best of luck everyone!


Featured Image Credit: Pixabay.com