If you’ve not heard about the new General Data Protection Regulation (GDPR), where have you been? Putting the power over who has access to your data back into your hands, the introduction of new rules from the European Union on May 25th is shaking up the world as we know it, not just in the EU but here in the UAE.
While handing over data means we benefit from everything from free apps to personalized shopping experiences, high-profile breaches mean that our data is increasingly under threat. The recent data breach at the local ride-hailing app Careem, involving the personal details of up to 14 million customers across the Middle East region, is testament to that phenomenon.
In addition, in the first four months of 2018, the Telecommunications Regulatory Authority (TRA) recorded 155 cyber-attacks on the UAE. While the number of cyber-attacks has declined year on year, the fact remains that hackers are becoming more sophisticated in their approaches, always finding new ways to undermine data security.
As such, this new legislation seeks to give the consumer more protection. In particular, legal systems are now taking steps to ensure that companies are held responsible should they not be seen to be making strides to protect our data.
While it is true that the Middle East will not be governed by GDPR directly, the regulation will have widespread implications for local organizations that collect and maintain personal data on customers either from the EU or who travel to the EU. For a highly transient and expat-friendly country like the UAE, organizations must be aware of the implications of GDPR, as any breach of the new rules can result in serious fines.
It also means consumers in the UAE are more empowered than ever before. Still, there is a lack of knowledge about GDPR as it has only recently come into effect. If you’re one of the many unaware of GDPR, here are ways it’s giving you back control over your data:
Increased transparency and active consent: With the new legislation, you have a right to transparency over how your data is used. Before businesses can use your data, you will need to give ‘informed’ consent, which could include ticking a check box manually in a form. Of course, it’s still important for you to carefully read the terms and conditions you’re agreeing to – it’s always tempting to click without properly reviewing, but doing so means you don’t know what you’re signing up to.
The right to be informed: You will have a right to be informed about how businesses are using your personal data, in a concise, transparent, intelligible and accessible way. In the past, businesses may have got away with providing privacy information that was ambiguous or confusing – GDPR makes it clear that they can’t do this anymore.
The right to access: You’ll be able to easily access the personal data businesses hold on you. GDPR means you will be able to request a copy of your data for free. You also need to be given this information quickly – within one month of asking.
The right to be forgotten: Under the Data Protection Act, you are only able to get businesses to erase data if it causes unwarranted substantial damage or distress. Under GDPR, there are more reasons you can ask for a deletion of personal data – including the withdrawal of consent.
The right to data portability: This means when you request a full overview of the data a business holds on you, it must be presented in a way that could be provided to another company to re-use the data. This means that a print-out on paper, or an inaccessible form of data such as a difficult-to-use spreadsheet, is not allowed. It must be easy to understand for all parties involved.
Fundamentally, GDPR is about giving you power over your data, and letting you know what is being done with it. This will help you make decisions about the businesses you share your data with, and improve your relationships with them, secure in the knowledge that your data is safe.
Sébastien Pavie is the Regional Director META, Enterprise & Cybersecurity at Gemalto