The law comes into effect on Friday, May 25th, and applies to any foreign-based company that offers goods and services to subjects in the EU or processes their data
The European Union’s General Data Protection Regulation (GDPR) that comes into effect on May 25 also-applies to any Gulf-based company that offers goods or services to subjects in the EU or monitors their behaviour, according to local experts.
While the law is primarily designed to ensure data and protection and privacy for people living in the EU and the European Economic Area (EAA), it also addresses the export of personal data to companies and jurisdictions abroad.
“[The regulation] represents one of the biggest shakeups on how personal data should be handled,” said Mansoor Sarwar, director of technical services at Sage. “It does not just affect firms within the bloc, but also any Middle East-based company that handles personal data of European residents and citizens.”
“You will be expected to comply, even if you do not have a direct presence in Europe,” he added.
According to the Dubai-based Al Tamimi law firm, the GDPR’s provisions will also apply indirectly to non-EU businesses that have agreements under which they carry out data processing activities on behalf of an EU business.
Additionally, the GDPR restricts the transfer of data to countries outside the EEA, unless certain conditions are met, in an effort to prevent the regulations from being undermined.
Speaking to Arabian Business, Nick O’ Connell, an attorney with Al Tamimi, said that in many cases there will be “contractual enforcement” – rather than regulatory enforcement – governing the actions of Gulf-based companies that process EU data.
“If you are a data centre or processor sitting in the UAE, but servicing clients in Germany, for that German client to have engaged you they would have gotten you to sign up to make sure you’re compliant with the law,” he said. “The German company then would have the basis to sue you [if the UAE-based company is not compliant with the law].”
O’Connell added that some Gulf-based companies that fall under the GDPR’s purview may have yet to ensure they are fully compliant with the rules. He said this is particularly true of SMEs, who may been slower to adjust than larger, high-profile international corporations.
“Companies that are not run in such a global fashion, but who are still global in their footprint, have probably for a long time been oblivious or taken the view that it is an EU law that doesn’t apply to them,” he noted.
While the GDPR has outlined significant fines for non-compliance and a range of corrective measures of sanctions for companies found to be non-compliant – which include a temporary or permanent ban on data processing, the restriction or erasure of data and the suspension of data transfers – O’Connell said that Gulf-based companies without a high-profile are unlikely to catch the attention of regulators, at least in the short-term.
“High profile companies in the Gulf that are non-compliant [have] a greater risk of becoming the target of regulators sooner than later, but low-profile businesses with a European connection that don’t have their house in order by the 25th are unlikely to result in negative attention on the 26th,” he said. “But [they should comply] even if it’s a matter of better late than never, rather than thinking they shouldn’t bother.”