Cybersecurity and data privacy are no longer 'nice-to-have' IT initiatives. They are business imperatives for organizations that need to keep pace with evolving compliance obligations and cybersecurity threats.
Yet complying with data protection and privacy laws is a daunting task for any organization, particularly one that serves international clients or plans to expand into foreign markets. Navigating this compliance landscape first requires a clear understanding of which privacy and security legislation is in force, and where it applies.
The UAE does not yet have a single federal data protection law. It does have Federal Decree Law No. (5) of 2012, which was enacted specifically to combat cybercrime and carries stringent penalties; the law has been amended twice, most recently in 2016. Separately, the two financial free zones, the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM), each have their own data protection regulations that apply to entities registered within them. The DIFC's Data Protection Law (DPL), which came into force on July 1, 2020, has also expanded the reach of its rules on cross-border transfers of personal data.
A single, overarching federal law is likely not far away, given ongoing national programmes such as Vision 2021 and UAE Centennial 2071. These initiatives place a strong emphasis on country-wide digital transformation, smart city development, and building a knowledge-based economy.
Comprehensive federal legislation will be needed to govern the vast amounts of personal data these projects will generate as they take centre stage. The legal consequences of misusing information, or of failing to keep it secure, can be severe: heavy fines, compensation claims from affected individuals, and lasting reputational damage.
Take the DIFC's Data Protection Law, for instance. Administrative fines for non-compliance range from $10,000 to $100,000 per contravention, and that is the scope of just one free-zone law.
Last November, we had an insightful discussion about the key aspects of data protection and privacy with Ayman Merdas and Hassan Al Shaqsi of Global Advocacy and Legal Counsel. Their suggestions on how organizations can handle personal data with care and stay compliant are summarised below.
Security framework for processes
This matters for organizations of all sizes. Even SMEs that have not already done so should put baseline controls in place: network monitoring, platform security measures such as server hardening, two-factor authentication, and role-based access controls backed by logging of employee logins so that access to sensitive data can be traced. The underlying idea is a closed system that keeps mission-critical information inside the company, with every path in and out visible and controlled.
One of the most effective ways to protect data is to train employees thoroughly on why it matters, publish data handling guidelines on internal forums, and make cybersecurity and privacy core workplace values. For example, when sensitive material such as customer lists or employee IDs is printed and left lying on desks, that is a privacy violation in its own right.
Employees should instead know to shred such documents so the data cannot leak or be misused. Recommendations like these first require clear, relevant organizational policies that are both easy to understand and easy to follow. Existing regulations will evolve and new directives will keep emerging as cybercrime grows and awareness of privacy increases, so those policies need to be reviewed as the law changes.
Today, organizations spend millions on digital systems to improve business efficiency. It is just as important to make room in the IT budget for steps such as appointing an in-house data protection officer or engaging external counsel.
These measures give an organization a clear understanding of the privacy and security laws that apply to it, both locally and internationally, and help build a business that is flexible enough to absorb new processes when fresh laws arrive.