Data Protection and Business Continuity
Why is Data Protection important?
In the era of globalization and digitalization, a great deal of data has become readily available and is transferred across borders. Many businesses, including banks and financial services companies, are collecting, processing and transferring individual data. Hence it has become significantly important that individuals’ right to privacy is protected.
Such data includes personal data, i.e. data relating to an individual’s identity, and sensitive personal data, including ethnicity, religion, philosophical or political beliefs, etc. As such, data protection is directed at specific types of personal information that can relate to identifiable individuals, and at the need for set obligations requiring that personal data be processed fairly, lawfully, securely and for a specified and legitimate purpose.
While such data is important for providing services to corporations, firms and individuals, mismanagement of personal data through direct or indirect handling or processing (whether knowingly or unknowingly) could have a significant impact, including identity theft for individuals, card-related fraud, and penalties and reputational loss for businesses.
In order to ensure adequate data protection, developing and implementing privacy policies across businesses is now a norm within any regulatory framework.
Regulatory environment
In May 2018, the European Union’s General Data Protection Regulation (GDPR) came into force. The GDPR is a law on data protection and privacy across the EU which aims to provide individuals with greater control and transparency over how their personal data is used.
In the UAE, numerous pieces of legislation address the protection of personal data. Although the mainland UAE does not have a specific law dealing with data protection, the concept of data protection has been covered in various laws effective at Federal and Emirate level[1]. In certain circumstances, the consent of the individual(s) concerned may be required.
The Financial Free Zones, such as Dubai International Financial Center (DIFC) and the Abu Dhabi Global Market Square (ADGM), have by contrast been proactive and adopted specific data protection regulations[2] since 2007 and 2015 respectively, including mandating the appointment of a Data Protection Officer/Data Controller.
Due to the current Covid-19 situation, which has led to employees working from home, the UAE Ministry of Human Resources & Emiratisation adopted the “Ministerial Decision No. (281) Of 2020”[3]. Under this decision, all private-sector businesses are required to provide a safe technological environment for remote work and to ensure that data privacy and confidentiality controls are in place.
In such unprecedented circumstances, business continuity is essential, along with access to data, to ensure that business operations continue. Businesses must consider digitizing data storage and retention via a cloud service provider.
How can we help?
Rethink offers tailored regulatory expertise across a wide range of compliance and regulatory services.
Data Protection
Our approach places significant importance on ensuring that our clients fully understand their obligations on data protection and privacy as part and parcel of establishing effective corporate governance.
We are able to help your business:
- Understand the type of data collection and processing and identify what constitutes Personal Data and Sensitive Personal Data;
- Evaluate and ensure that the data is processed in a fair, lawful and secure manner;
- Draft tailored policies and procedures aligned with the businesses’ data protection obligations;
- Ensure compliance with any regulatory or legal obligation in relation to data protection;
- Evaluate and implement adequate systems and controls to process data and for data transfers;
- Implement appropriate technical and organizational measures to protect Personal Data against accidental loss or damage or destruction of such data;
- Ensure relevant permissions have been granted by governing bodies to process personal and sensitive personal data;
- Act as outsourced function for Data Protection Officer.
Business Continuity Planning
A BCP defines and outlines the ability of a corporate organization to continue operating in the event of a natural disaster/calamity, war, cyber-attack or pandemic (for example, the Coronavirus pandemic).
Rethink, as an outsourced partner using best practices, can assist in setting up a BCP for your organization. We are certain that the crisis will affect most businesses within the UAE, and we are convinced that firms need to consider some immediate actions to make it through the next few weeks and months, with which we can assist as listed below:
- Cash flow forecasting and payment prioritization
- Employee structuring and salary strategy management
- HR & Communication support
- Strategic business opportunities
Authors
Gail Goring
Partner & Head – Regulatory & Compliance Services
Nisha Shah
Senior Manager – Regulatory & Compliance Services
[1] Federal Law No. 5 of 2012 on Combatting Cybercrimes and its amendment by the Federal Law No. 12 of 2016; Federal Law No. 1 of 2006 on Electronic Commerce and Transactions; Article 378 of the UAE Penal Code; Article 31 of the UAE’s Constitution; Dubai Data law
[2] Data Protection Law – DIFC Law No. 1 of 2007 [to be replaced by Data Protection Law – DIFC Law No. 5 of 2020 (effective from 1 July 2020)] and Data Protection Regulations; ADGM’s Data Protection Regulations 2015 as amended
[3] Ministerial Decision No. (281) Of 2020 Concerning The Regulation Of Remote Working In Private Sector Establishments During The Application Period Of Precautionary Measures To Reduce The Spread Of The Novel Coronavirus