This EU law could cost you millions

Bravo Romeo’s Meredith Carson explains how the EU’s upcoming General Data Protection Regulation will affect MENA business

Campaign Middle East - FRONT PAGE

Bravo Romeo’s Meredith Carson and Al Tamimi & Co’s Fiona Robertson on why MENA businesses need to understand GDPR.

If you haven’t heard about the GDPR (General Data Protection Regulation), you will soon; it’s a set of regulations being brought in by the European Union in May 2018 to tackle data and, specifically, consent.

I’d like to paint a picture of its implications for businesses – from legal, content, reputation management and business development perspectives in the MENA region and globally – with valuable input from Fiona Robertson, Al Tamimi and Company’s senior legal associate for technology, media & telecommunications.

This should be an important heads-up on a topic that’s not being discussed in the industry here as much as it needs to be. And when I say important, I mean important to the tune of 20m euros. At least. So let’s start at the beginning.


In a nutshell, consent means offering users choice and control. With regard to data, the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him or her.”

In the Middle East, as users we face real issues with consent – being relentlessly abused by marketers who flog their wares flagrantly in the face of the law, using personal data they genuinely have no right to use. As marketers, we owe it to ourselves and the brands we represent to regulate how we use data and how we manage consent. Why? Because brand reputation matters.


Placing legal ramifications aside – just for a moment, because they’re the juicy bits – the benefits of getting consent right are significant both from a customer service and brand trust perspective.

By being compliant with global best practice, you are demonstrating to your customers that you genuinely value and respect them. You’re elevating your brand above the competition. Getting it wrong means (at best) eroding brand trust, reputation damage and inhibiting the likelihood of customer engagement now and further down the line. So… what do you need to know?

In order to put together the following recommendations, I pored over the UK Information Commissioner’s Office (ICO) advice and Fiona and I knocked heads to deliver the following recommendations. Please bear in mind the legislation isn’t yet finalised – it’s released in May 2018. However, we hope this serves as a guide to help you prepare.

1. The first thing that you need to know is that there’s a lot to know and attention to detail is critical. Read the ICO’s advice (it’s easy to find online). There are specific new provisions on a range of areas, including requirements around children’s consent for online services and, as you can imagine, consent for scientific research. The regulation applies to the manner of collection of data, the way data is secured and processed and the way in which it is used.

2. While the regulation applies to the European continent, when your audience is on the continent you will be subject to the law. In addition, and really importantly, the regulation is drafted to apply to all EU citizens, no matter where they are resident. In reality, this means the law is to be treated as a global mandate, as finding out who is and who isn’t an EU citizen is not at all a practical reality and would represent a feat of data management in and of itself.

3. Furthermore, the laws will apply to any entity that is part of an EU corporate structure. From a practical perspective, MENA subsidiaries will be expected to comply, as their European offices could be held liable for their errors.

4. When it comes to user-experience design and data capture, assume nothing and do your homework. The draft regulation indicates that it will require specific and granular action. A blanket check box will not cover you, so be thorough. Put a team together to ensure organisational-level understanding if you’re an agency and (at least) a departmental-level understanding within marcomms and IT if you’re client-side. In all cases, set internal protocols and working processes.

5. Another important point Fiona urges us to remember is that EU ‘data controllers’ (who are the officeholders responsible for data in a corporate entity) must carry out due diligence regarding their suppliers’ data management processes, where they will be collecting or managing data on their behalf. Failure to undertake this due diligence may also result in a fine to the EU entity – so expect them to be very diligent in their due diligence. Regional companies that do not pass this process can expect to be overlooked for EU contracts. So there’s a new-business aspect to this as well, agencies.

The agreements that you will see coming in from the EU will now include this higher standard for data collection, management and use. These clauses will not be negotiable, being required by the new law. This means that a company could be held in breach of contract if it fails to comply with the data provisions and could well be expected to include an indemnity for failing to comply as directed. Given the size of the fines involved, it will be important to take this contractual obligation seriously.

6. If a complaint is made, then the EU will notify all people it believes might have been subject to that breach. This could open your company up to wider findings of infringement and could well create a public relations crisis. This will also most certainly negatively affect your ability to secure future EU contracts. As you can see, getting it wrong is costly – beyond reputation damage, businesses may face substantial fines. Infringements of the basic principles for processing personal data, including conditions for consent, are subject to the highest tier of administrative fines. It could mean a fine of up to 20m euros or 4 per cent of your total worldwide annual turnover, whichever is higher.

Meredith Carson is CEO of Bravo Romeo by AJ
