Building A Data Privacy Framework: Practical Steps For UAE SMES And Startups

Posted On - 10 September, 2025 • By - Ajmal Khan Nadakkal

The UAE, with its government support for innovative entrepreneurship and business accelerators, has emerged as a prominent hub for Small and Medium-sized Enterprises (SMEs) and Startups, significantly shaping its economic landscape. It is believed that there will be 1 million SMEs in the UAE by the year 2030.

With the rapid rise of digital transformation, data has become an invaluable asset to businesses. For enterprises such as SMEs and startups, the protection of their data and the safeguarding of privacy are of utmost importance.

Having a data privacy framework shall be necessary for SMEs and startups as it helps maintain customer trust and, with it, the reputation of the business, which can be crucial for developing businesses. Legal compliance by these enterprises can aid in avoiding penalties and also in minimising the risks of data breaches. Hence, it enhances the competitiveness of SMEs and startups when dealing with larger corporations or foreign investors.

The comprehensive legislative tools in place, such as the UAE Federal Law No. 45 of 2021 and sector-specific regulations in the DIFC and ADGM, highlight the increasing regulatory focus on a data privacy framework.

The Legal Landscape of Data Protection in the UAE

The Federal Decree Law No. 45 of 2021 Regarding the Protection of Personal Data: The 2021 Personal Data Protection Law is the key governing legislation that ensures the confidentiality of information, protects the privacy of individuals, and facilitates data processing and management in the UAE with clearly established rules. All private sector businesses that process personal data within the UAE and foreign companies handling data of UAE residents shall be subject to the aforesaid regulation.

This Personal Data Protection Law entrusts businesses with the following responsibilities:

  • For businesses to process personal data, a valid consent of the data subject shall be mandatorily obtained, which can be proved by the data controller.
  • Businesses shall ensure that the data processing is undertaken in a fair, transparent and legal manner, wherein it shall be for a specific and clearly defined lawful purpose.
  • Security safeguards and appropriate technical measures to prevent illegal access or unauthorised processing, breaches, or infringements of personal data shall be implemented.
  • In cases of data processing involving high-risk to the privacy or confidentiality of the data, the controller shall undertake mandatory impact assessments to evaluate the impact of the proposed processing operations on such personal data.

Even though the 2021 Personal Data Protection Law serves as the primary legislation in the UAE, its scope and application do not extend to the data handled by businesses within the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM). These financial free zones in the UAE have their own separate data protection laws.

Dubai International Financial Centre: In the DIFC, data protection is regulated by the DIFC Law No. 5 of 2020 (as amended by DIFC Laws Amendment Law DIFC Law No. 2 of 2022), which, similarly to the 2021 UAE Personal Data Protection Law, sets out certain requirements to be met by businesses for legitimate and lawful processing, such as (but not limited to):

  • Legitimate, fair and transparent processing, only for purposes that are specified, explicit and legitimate and determined at the time of collection of such personal data.
  • Conditions of consent and reliance on legitimate interests.
  • Data Protection Impact Assessment.
  • The legislation also requires the controller or processor to establish a programme to demonstrate compliance with this DIFC law.
  • A controller shall maintain a written record, which may be in electronic form, of the processing activities under its responsibility, containing all the information the law demands.

Abu Dhabi Global Market: The ADGM Data Protection Regulations 2021 are the governing legislation in the ADGM and contain similar provisions relating to the lawfulness of processing, the conditions for consent and the rights of data subjects.

Practical Steps to Build a Data Privacy Framework

Business enterprises like SMEs and startups can undertake the following steps to build a data privacy framework.

  • Data Mapping: A major facet of efficient data management, data mapping is the comprehensive process of identifying, categorising, and documenting the flow of personal data that an entity collects, uses and stores. By undertaking the process of Data Mapping, SMEs and startups shall record why the particular data was collected, from whom (which may include employees, customers, suppliers, etc.), its purpose, and how the data shall be processed, stored and transferred.
  • Developing Privacy Policies: The enterprises dealing with personal data shall draft clear privacy notices for customers, employees, and third parties, clearly communicating the terms of purpose, storage, sharing, and user rights relating to such personal data. These privacy policies shall remain easily accessible to the concerned persons.
  • Implementing Efficient Consent Mechanisms: As mentioned earlier, the key legislations, including the 2021 UAE Personal Data Protection Law, the ADGM and DIFC Data Protection Regulations, clearly contain provisions mandating businesses to obtain a valid consent of the data subject for data processing. This step is significant in establishing a lawful basis for data processing. While gaining consent, the precise use of language is vital: it shall be given in a clear, simple and accessible manner, either electronically or in writing. The data controller must be able to prove such consent. The entity shall also communicate to data subjects that they can withdraw their given consent at any time.
  • Appointing a Data Protection Officer (DPO): Most key legislations require the data controllers and data processors to appoint a Data Protection Officer (DPO), who shall be a person with adequate skills and knowledge of personal data protection laws and practices. A DPO shall monitor and ensure compliance with the existing laws, advise the controller or processor on data management, and also act as a point of contact for the UAE Data Office, which is the federal regulator. Appointing a DPO shall be mandatory, especially in cases where personal data processing may entail a high risk to the privacy or confidentiality of such data, or when it involves a large volume of sensitive data.
  • Conducting Regular Data Audits: Data auditing is a systematic process of undertaking a comprehensive assessment of the company’s data with the objective of ensuring that the data adheres to internal guidelines and the existing legal frameworks. This helps in identifying compliance gaps, improving data quality, enhancing security and thereby mitigating the risks of data infringements or breaches.
  • Implementing Security Measures: Enterprises such as SMEs and startups shall take appropriate technical and organisational level measures to protect and secure personal data to preserve its confidentiality and privacy. They shall also establish standard measures to ensure that such data is not breached, destroyed, altered or tampered with. Here, technical measures include data encryption, strict access controls, and regular backups of personal data. Organisation level measures include staff training, updating internal policies, conducting strict audit procedures and ensuring compliance with laws.
  • Updating Contracts and Agreements: An effective step in building a data privacy framework is to incorporate express clauses concerning data processing, security obligations, and breach notifications in relevant contracts and agreements with suppliers, clients and even partners.
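The Data Mapping, Consent Mechanisms and Data Audit steps above translate naturally into a small record-keeping tool. The following is an added example written for this page, not code from the author or from any regulator; it keeps a record of processing activities (the data map), an append-only consent ledger that can evidence when consent was given and withdrawn, and an audit routine that flags common gaps. All record fields, activity identifiers (A1 to A3) and the sample startup data are constructed for illustration, and the lawful bases listed are assumptions rather than a quotation of any statute.

```python
"""Added example: data map, consent ledger and gap audit for an SME privacy framework.
All names, fields and sample records are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed set of lawful bases the organisation accepts in its data map.
LAWFUL_BASES = {"consent", "contract", "legal obligation", "legitimate interest"}


@dataclass
class ProcessingActivity:
    """One row of the data map: what is collected, from whom, why and where it goes."""
    activity_id: str
    data_category: str          # e.g. "customer contact details"
    data_subjects: str          # e.g. "customers", "employees", "suppliers"
    purpose: str                # specific purpose fixed at the time of collection
    lawful_basis: str           # one of LAWFUL_BASES
    storage: str                # system / location where the data is held
    retention_days: int         # 0 means no retention period has been defined
    transfers: list = field(default_factory=list)  # dicts: {"recipient": ..., "safeguard": ...}


@dataclass
class ConsentRecord:
    """Evidence of consent: who consented, to which activity, when, and under which notice."""
    subject_id: str
    activity_id: str
    given_at: datetime
    notice_version: str         # version of the privacy notice shown to the data subject
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only ledger: records are never deleted, so withdrawal is also evidenced."""

    def __init__(self) -> None:
        self._records: list = []

    def record_consent(self, subject_id: str, activity_id: str,
                       notice_version: str, when: datetime) -> ConsentRecord:
        rec = ConsentRecord(subject_id, activity_id, when, notice_version)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, activity_id: str, when: datetime) -> int:
        """Mark every open consent for this subject/activity as withdrawn; return how many."""
        count = 0
        for rec in self._records:
            if (rec.subject_id, rec.activity_id) == (subject_id, activity_id) and rec.withdrawn_at is None:
                rec.withdrawn_at = when
                count += 1
        return count

    def has_valid_consent(self, subject_id: str, activity_id: str, at: datetime) -> bool:
        """True if a consent was given on or before `at` and not withdrawn by then."""
        return any(
            (r.subject_id, r.activity_id) == (subject_id, activity_id)
            and r.given_at <= at
            and (r.withdrawn_at is None or r.withdrawn_at > at)
            for r in self._records
        )


def may_process(activity: ProcessingActivity, ledger: ConsentLedger,
                subject_id: str, at: datetime) -> bool:
    """Gate a processing operation on its documented lawful basis."""
    if activity.lawful_basis == "consent":
        return ledger.has_valid_consent(subject_id, activity.activity_id, at)
    return activity.lawful_basis in LAWFUL_BASES


def audit_data_map(activities) -> list:
    """Return (activity_id, finding) pairs for gaps a periodic data audit should surface."""
    findings = []
    for a in activities:
        if not a.purpose.strip():
            findings.append((a.activity_id, "purpose not specified"))
        if a.lawful_basis not in LAWFUL_BASES:
            findings.append((a.activity_id, f"unrecognised lawful basis: {a.lawful_basis!r}"))
        if a.retention_days <= 0:
            findings.append((a.activity_id, "no retention period defined"))
        for t in a.transfers:
            if not t.get("safeguard"):
                findings.append((a.activity_id, f"transfer to {t['recipient']} without documented safeguard"))
    return findings


# Constructed sample data map for a hypothetical startup.
ACTIVITIES = [
    ProcessingActivity("A1", "customer contact details", "customers", "order fulfilment and support",
                       "contract", "CRM (UAE region)", 365,
                       [{"recipient": "courier partner", "safeguard": "data processing clause in contract"}]),
    ProcessingActivity("A2", "marketing preferences", "customers", "newsletter",
                       "consent", "email platform", 730,
                       [{"recipient": "email vendor (EU)", "safeguard": ""}]),
    ProcessingActivity("A3", "employee payroll data", "employees", "", "payroll", "HR system", 0),
]


def demo():
    """Record consent, check processing before and after withdrawal, then audit the map."""
    t0 = datetime(2025, 9, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_consent("cust-42", "A2", "privacy-notice-v3", t0)
    before = may_process(ACTIVITIES[1], ledger, "cust-42", t0 + timedelta(days=1))
    ledger.withdraw("cust-42", "A2", t0 + timedelta(days=10))
    after = may_process(ACTIVITIES[1], ledger, "cust-42", t0 + timedelta(days=11))
    return before, after, audit_data_map(ACTIVITIES)


if __name__ == "__main__":
    before, after, findings = demo()
    print("newsletter allowed before withdrawal:", before)
    print("newsletter allowed after withdrawal:", after)
    for activity_id, finding in findings:
        print(f"[{activity_id}] {finding}")
```

The ledger never deletes entries, so a withdrawn consent remains as evidence of both the original consent and its withdrawal; the audit output for the sample map shows an undocumented transfer safeguard on A2 and a missing purpose, lawful basis and retention period on A3, which is the kind of gap a regular data audit is meant to surface before a regulator does.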

These steps also ensure that the SMEs and startups align with General Data Protection Regulation (GDPR) requirements.

A well-structured privacy framework builds customer trust. By seeking expert legal assistance, businesses can navigate these complex obligations effectively and implement practical safeguards for the sustainable and long-term growth of their business.
