Years into the establishment of the General Data Protection Regulation, refresh your knowledge on data privacy, security and compliance
The Right to Privacy dates back to 1950, as part of the European Convention on Human Rights. With advances in technology, particularly the internet, the General Data Protection Regulation (GDPR) was adopted in 2016, and organisations across all sectors had to comply.
Taking a stricter stance on data security and privacy, the GDPR was enforced from 2018. This time, personal data did not end with contact details and biometric information: any piece of information that points to an individual comes under the umbrella of personal data, so religious beliefs, political opinions, web cookies and pseudonymous data are all considered personal. If a company collects, processes, structures, stores or even erases a subject’s data, it falls under the regulation and faces consequences for non-compliance. The GDPR set heavy fines of up to $24 million, and affected parties can also receive compensation.
Because it is a massive text that only lightly touches on specifics, understanding the details and achieving compliance can be challenging. Here is a breakdown of the important GDPR rules.
Consent, consent, consent
Consent is a sensitive issue, and the GDPR explicitly sets out the rules around it. The law states that consent must be freely given, as a clear statement in plain language. Documenting evidence of that consent is necessary, and data subjects have the right to withdraw it at any time, without being questioned.
The Seven Principles (Article 5.1-2)
- Organisations must process data lawfully, fairly and with complete transparency toward the data subjects, who are their customers.
- Processing must be limited in purpose. Data insights may be drawn only for legitimate purposes the customer has permitted.
- Companies must process only the minimum data necessary for a legitimate purpose.
- The personal data held on data subjects must be accurate and kept up to date.
- Data may be stored only for as long as the processing it was collected for is under way.
- The confidentiality and integrity of customer data must be appropriately secured; for instance, encryption can be used.
- Organisations must take responsibility for data security and are accountable for any failure to comply with the GDPR principles.
By Design, By Default (Article 25)
Organisations must adopt a ‘by design, by default’ approach when deciding on a strategy to launch a new activity or design a new product. The data protection principles must be considered in every new business strategy. For instance, if a new product or service requires personal data, the company must decide on data minimisation strategies. It can also leverage technology to help secure the data.
Under what circumstances is data processing legal? (Article 6)
- The data subject gives direct consent to the processing. For example, customers choose to share their personal details or give permission by ticking the boxes for email lists.
- Organisations are allowed to process data when it is needed for a contract the data subject is entering into with the company.
- If the company is under a legal obligation that involves the data subject, it may process the data.
- Where processing is necessary to protect someone’s life, no further justification is asked.
- Processing is permitted where it is necessary for an official function or a task carried out in the public interest.
Even Data Processors are Data Subjects
As Internet users, even data controllers and data processors are themselves data subjects. The GDPR recognises this and drafted a set of rights for all data subjects. Their rights include the right to be informed, to rectify, to access, to erase, to restrict and to object. Organisations need to understand these rights and are obliged to give data subjects more control over their data.
GDPR is not EU Exclusive
In recent times, with cloud migration and cloud solutions becoming the norm, the law levies severe fines and penalties against violators. Companies operating outside the EU are not exempt. Although the European Union passed the law, organisations worldwide are obliged to adhere to it as long as they collect data on, or target, people in the EU.
GDPR in the Middle East
Companies in the Middle East that rely on data from European residents are required to follow the GDPR. The GDPR applies to various industries, including hospitals, automobile, offshore development centres and tourism.
For compliance, Middle East business leaders re-strategised their business approach with software and hardware upgrades. New human resource roles were also created and staffed. Companies adjusted their business strategies to overcome technical challenges, including data portability, data control and breach notifications.
Moreover, the EU’s privacy act set off a streak of privacy laws and movements that aimed to secure every individual’s privacy. Several countries in the Middle East had already enforced privacy laws well before the GDPR, but this movement motivated them to strengthen their laws.
United Arab Emirates
Apart from an Electronic Transactions and Commerce Law and a Cyber Crime Law, the Abu Dhabi Global Market (ADGM) established a data protection regulation in 2015. In 2017, an Office of Data Protection was added to ensure the implementation of the regulations. After the GDPR was announced, several amendments were added to clarify sections and match international standards. Another law revised in 2018 was the Dubai International Financial Centre’s Data Protection Law. This DIFC Law No. 5 of 2020 strengthened the transparency and governance requirements.
Kuwait and Oman
While the two countries do not have independent privacy laws, they have several others covering data security and electronic transfer. Kuwait Law No. 20 of 2014 protects electronic records, signatures and administrative and commercial transactions. In Oman, an Electronic Transactions Law aims for a safe digital environment and the protection of data integrity.
Saudi Arabia
Saudi Arabia’s constitution states that labour, capital and property are the primary constituents of the economy, and individual privacy is broadly protected. The Kingdom might not have a special personal data protection act, but its existing laws provide enough rights to support compliance.
Bahrain
With a vision to become a hub for data centres, the Personal Data Protection Law (PDPL) No. 30 was enforced in 2019. Its sections on protecting data subjects’ privacy and on consent requirements for data processing are very similar to the GDPR. One notable addition, absent from the GDPR, is that the law applies both to people residing and working in Bahrain and to individuals who neither reside nor work in the country but have their personal data processed using resources available in Bahrain.
It was the first GCC country to enforce a data protection law after the initial establishment of the GDPR. Implemented in 2016, the Data Protection Law (DPL) protected the right of individuals to secure their personal data. The law sets out the principles of transparency and fairness in data processing. Fines as heavy as $1.35 million could be levied.
The establishment of the GDPR and its similar counterpart, the California Consumer Privacy Act, served as a catalyst for several countries to establish their own laws with stricter requirements on compliance and data privacy. Experts claim that today, the GDPR and local laws allow companies to report breaches without much hesitation.