The Impact Of GDPR On Businesses In The Middle East

On 25 May 2018, the EU General Data Protection Regulation (GDPR) will replace all current data protection laws in every European Union country. The GDPR represents the most significant change to data protection law in more than two decades. However, as the reach of the GDPR will not be limited to Europe, this article highlights how international businesses will be affected by the new Regulation.

The GDPR will potentially impact companies in the Middle East – and anywhere else in the world – if they are offering products to individuals within the EU or monitoring the behaviour of EU-based individuals. International business partners are already starting to mandate compliance with GDPR standards through contractual terms and consumer expectations around privacy are higher than ever.

Why is the GDPR important?

The way we generate and handle data has changed beyond recognition in the last 20 years. The GDPR aims to strengthen the control that individuals have over their data and to improve transparency about how that data is processed. It also seeks to facilitate business by simplifying rules for companies in the digital single market.

The GDPR will replace the current EU Data Protection Directive, 95/46/EC, which every EU country has implemented at country level. As a regulation, it will automatically apply to every EU member state from the effective date.

The EU recognises a person's right to the protection of their personal data as a fundamental human right. Accordingly, the provisions of the GDPR place significant weight on ensuring fairness and enabling individuals to maintain control over their personal data. This translates into a high compliance standard for organisations that handle personal data and heavy sanctions for non-compliance. New rules under the GDPR include:

Appointment of representatives: If an organisation based outside Europe is processing personal data in relation to the offering of products to data subjects in the EU or monitoring the behaviour of EU-based data subjects (see 'How will the GDPR impact organisations outside Europe?' below), that organisation must designate a representative in the EU unless an exemption applies. Tougher sanctions: Businesses may be subject to fines of up to €20 million or 4% of annual global turnover, whichever is higher, for certain infringements. Data breach notifications: A data controller must notify the relevant supervisory authority of a personal data security breach within 72 hours of becoming aware of such breach, where feasible. They may also be required to inform the affected individuals where the incident could cause them serious harm. Accountability and privacy-by-design: Businesses will be required to demonstrate compliance with the rules and adopt a privacy-by-design approach. This includes carrying out a privacy impact assessment before carrying out any high risk data processing and adopting appropriate measures to address those risks. Data Protection Officers: Public authorities and private companies whose core activities involve large-scale processing of sensitive data must appoint a Data Protection Officer to monitor compliance with the rules. Their data processors may have to do likewise. Greater rights for individuals: Individuals will have enhanced rights in respect of their personal data, such as the right to be...