Preparing for the UAE’s new federal data protection law - Part 2
Mita Srinivasan
10X Technology

Preparing for the UAE’s new federal data protection law - Part 2

The UAE’s first-ever, federal, data protection law, which comes into effect on 28 May 2022 and promises to fundamentally change the marketing game for companies in the UAE and anyone marketing to UAE-based consumers. In this second article, Martin Kubler, Chief Sloth at The Gluttonous Sloth – a business consultancy, shares why it’s important and what companies need to do to prepare.

The UAE’s first-ever, federal, data protection law, which comes into effect on 28 May 2022 promises to fundamentally change the (marketing) game for companies in the UAE and anyone marketing to UAE-based consumers.

In the first part, Martin explained what the law was and what it states, the potential pitfalls. The law largely mirrors the EU’s General Data Protection Regulation (GDPR) legislation and follows the introduction of similar laws in KSA and Oman

The new law requires you to follow the principles of “data protection by design and default”, which means that data protection is now something that you have to consider, whenever you do anything with other people’s personal data. It is something that you and your employees must always be aware of.

So what do you do

The law requires every “data controller” in the UAE to clearly explain to data subjects what data they collect, why they collect it, and how it is stored, and will only be able to use personal data for marketing purposes with the consent of data subjects. What’s a “data controller”? In a nutshell: If a business collects and stores data like customers’ email addresses, phone numbers, etc. it’s a data controller. Companies that collect and manage “high risk” data, may also need to appoint a designated data protection officer, who ensures compliance with the law internally and acts as the main contact point for data subjects and the government’s data office. There are a number of things businesses in the UAE should focus on in the run up to the May compliance deadline:

  • Data audits: Oftentimes, businesses have no idea how much data they’re actually processing and storing on a daily basis, so a data audit is a good starting point. Look at all “data touchpoints”, i.e. your website, email lists, any apps or other online platforms you are using, your CRM (if you have one), etc. – in short, try and identify all data sources, but also list down who (in your organization or otherwise) has access to what data.

  • Spring clean: The introduction of the new law is a great opportunity to “Spring clean” your data collection activities and the data you have already amassed. Do you really need all the data you are collecting? Also, do you have a legal justification to collect such data? For example: A supermarket may reasonably collect data on shopping habits of its customers, but probably not request information on, say, the car insurance choice of its customers.

  • Compliance checks: Once all the data sources have been identified, it is time to check that they comply with the new law. For example: If you are using an email marketing platform, the software must be compliant with the law. Most providers already are (hint: if a provider complies with GDPR, it will essentially also comply with the new UAE law), but it’s worth checking. The same goes for all marketing partnerships, e.g. if you are partnering with other companies or if you are outsourcing your marketing. The duty to ensure compliance lies with the main data controller – so blaming 3rd-parties for compliance failures won’t fly.

  • Policies: You must provide clear information about your data collection, processing, and storage activities in your privacy policy, which should be available both online as well as offline (if applicable). If you haven’t got a privacy policy yet, now is the time to create one, and also an internal security policy for your staff, which lays out how data can be collected, processed, and stored.

    If you’re working with 3rd-parties which collect and process data on your behalf (e.g. payment gateways, booking platforms, etc.) you should sign a data processing agreement with them.

  • Training and workflows: It’s vital that all your team-members know about the details of the new law and its impact, so training is a good idea. Also, you should designate someone responsible for compliance across your business.

    You may also need to look into workflows, e.g. how can a customer request a copy of his/her data you hold on them? How can they request for such data to be amended or deleted?

  • Controls: Compliance is an ongoing effort, so implementing effective control mechanisms is a good idea.

This article is not in any way legal advice. There are dozens of provisions in the new law that apply only in rare instances, which would be counterproductive to cover here. You should check with a lawyer to make sure your organization fully complies with the new law.

About the Author:

Martin Kubler, FIH, is the Chief Sloth at The Gluttonous Sloth – a business consultancy with attitude. Martin spent 16 years in the Middle East and now splits his time between his new home in Stockholm, Sweden, and his old haunts in the GCC. Martin specializes in all things marketing and digital and mostly works with small and medium-sized, or family-owned or operated companies.