Personal data protection in the UAE companies


The General Data Protection Regulation (GDPR) was developed to protect the personal information of individuals.

Since May 25, 2018, individuals have the right to demand from the company to provide or remove personal data stored by it, and regulators can work together across the EU, applying their decisions on fines.

GDPR refers to all “personal data”, such as: names, addresses, e-mail, IP-addresses, etc. For most companies, the basic personal data bases relate to customers, employees and suppliers.

The new regulations replace all applicable data protection laws in each country of the European Union in order to strengthen and normalize data protection for individuals throughout the EU. It also discusses the export of personal data outside the EU.

GDPR refers to companies in the following cases:

1. if the company has a branch, subsidiary or representative office in the EU;
2. if the company offers goods or services for people in the EU;
3. if the company monitors the behavior of people on the Internet who are in the EU.

The GDPR legislation, which includes 99 articles, determines how companies should process the data they collect. Data breaches should be made public within 72 hours after the organization has discovered them.

Any organization that violates the rules can receive a fine of up to 4% of its global annual income, or up to 20 million euros.

Companies must have a plan to completely delete inactive user data from their system.

A company registered in the UAE, which is part of the competence of the GDPR, should analyze its decisions regarding:

– demonstrating their ability to manage and protect personal data;
– develop ways to report violations within 72 hours;
– identify who will take the lead in protecting data and confidentiality, whether it is the executive direction, the board, the chief information security officer.

Companies should try:

– establish transparent privacy policies and procedures;
– review and update all existing contracts, considering data processing;
– establish monitoring, reviewing and evaluating data-processing activities;
– conduct internal trainings to ensure that employees’ skills are consistent with the new data protection requirements;
– decide whether the hiring of a data protection officer is required.