Rising fraud and scams fuel urgency for robust data protection in UAE

The world as we know has over time witnessed a somewhat rapid digital revolution in the past few years, and the United Arab Emirates (UAE) has been at the forefront of it. Anchored on its strategic position as the undisputed regional hub for innovation and technology, coupled with its unique mix of cultures, trends, and digitally-connected residents, the UAE has made some amazing strides in technological advancements.

This has ultimately led to a remarkable surge in online transactions, thanks to a thriving eCommerce ecosystem, which translates to a considerable amount of personal data being collected and processed by companies every single day. But while this milestone is phenomenal and a big plus for the UAE and the entire region at large, on the flip side, however, the proliferation of data exposes the wider region to unimaginable and quite frankly, heightened risk of data breaches and cybercrimes, which could rise if the industry fails to take meaningful preventative steps.

According to KPMG’s recent survey on Ransomware campaigns in 2020, over 2.5 million ransomware attacks were reported in over 200 countries since the start of that year alone. By 2022, approximately four in ten internet users globally admitted to having experienced cybercrime, according to research experts, Statista.

Closer home, a report by a UK-based technology comparison portal Comparitech revealed that victims in the UAE lose over US$746 million annually to cybercrime, and this number is expected to increase.

Protecting customer information

On the back of these worrying statistics, it has become imperative for enterprises in the region to prioritize robust data protection measures not only to safeguard their customers' data but to sustain their overall growth and most importantly, profitability.

The recently introduced UAE Federal Decree Law No. 45 for the 2021 Personal Data Protection Law, has widely been termed as a significant step towards ensuring personal data protection is achieved in the UAE. The relatively new law mandates companies in the region to adopt systems and processes that ensure the rights of users are secured, and all actions undertaken by companies toward the collection, processing, and/or transferring of data are carried out in compliance with local and international law(s) as prescribed under the European Union General Data Protection Regulation.

One of the critical aspects of the regulation is to create consent forms and disclaimers for the sole purpose of personal data processing and management. Rightly so, this must-have requirement remains vital in ensuring that companies obtain explicit consent from users before collecting, processing, and even sharing their data. Notably, it is also equally important for businesses in the region to ensure that they have the right systems in place that will enable them to conduct effective data protection assessments to identify any potential or emerging risks and vulnerabilities in the company's data handling processes.

Processes and safeguards

Driven by the ever-evolving risks, it has become a no-brainer that appointing a data protection officer demonstrates a company's commitment to personal data protection and also ensures that there is a dedicated person or team that’s responsible around the clock for overseeing all the necessary data protection measures are adhered to.

Accurately documenting processes and systems in areas that are linked to personal data processing is another crucial requirement of the regulation. Doing this will help companies to effectively monitor and most importantly audit their data protection safeguards regularly and also ensure compliance with the law. Additionally, establishing robust internal and external breach and/or grievance redressal mechanisms is also essential.

The importance of such mechanisms is to help companies accurately detect and respond to data breaches promptly and efficiently while at the same time providing users with an efficient roadmap to file complaints and seek redressal in case of any data breaches or privacy violations.

Ethics-driven attitude

With that being said, it’s worth noting that personal data protection is not just about being legally obligated; it is also an ethical responsibility of companies. By protecting customers' data, companies strengthen trust and confidence – two essential factors that are required to sustain long-term relationships. Companies, therefore, need to take a holistic approach to not only how they handle, and process data but most importantly how they manage personal data protection.

This should ultimately be in a way that goes beyond complying with legal requirements, which includes adopting a proactive attitude towards data protection, and continually monitoring and improving their overall data protection measures.

By prioritizing personal data protection, companies can significantly gain a competitive advantage in their respective industries, build trust and confidence with their customers and other stakeholders, and safeguard their online and offline reputations. As technology evolves over time, the risk of data breaches and cybercrime will also continue to increase. Therefore, companies must remain vigilant and adopt best practices to protect their customers' data. In conclusion, the relevant legislation on personal data protection along with the right systems is a step in the right direction and must be adopted across all industries for the common good.

Farhat Ali Khan

Managing Partner

Century Maxim International