The EU’s General Data Protection Regulation (“GDPR”) replaces the Data Protection Directive 95/46/EC and is designed to safeguard people’s personal information by harmonising data privacy laws across the EU.
As of 25 May 2018, individuals now have the right to demand that a company reveals or deletes personal data that the company holds about them. Regulators now have powers to enforce their decisions with penalties.
The GDPR also addresses the export of personal data outside the EU. Even entities operating beyond the EU, such as those in Oman, could be affected.
The GDPR applies to personal data, including names, addresses, emails, etc. and also IP addresses. Most companies of whatever description are likely to have databases of personal information relating to clients, employees, and suppliers - all of which information will potentially be covered by the GDPR.
The GDPR would apply to a company operating in Oman if the company:
(a) has a branch, subsidiary or any representative in the EU;
(b) offers any goods or services to persons located in the EU; and/or
(c) monitors the online behaviour of persons located in the EU.
The GDPR sets out how companies must deal with the data they collect. Breaches of data confidentiality must be disclosed within 72 hours of discovery of the breach. Sensitive data cannot be used by organisations when deciding on a course of action. Sending out mass marketing emails to people that have not actively subscribed to receive them is also not permitted.
An organisation that violates the rules could face fines of up to 4% of their global annual revenue or €20 million (approximately OMR 8.77 million), whichever is greater.
Companies that may fall within the ambit of the GDPR should review their policies in relation to:
(a) protecting and managing personal data;
(b) reporting breach incidents within 72 hours; and
(c) determining who will take the lead role in data protection and privacy - the executive
management, the board, the chief information security officer or a data protection officer.
Companies that might be affected should:
(a) establish transparent and easily accessible privacy and data protection policies and procedures;
(b) review and update all existing contracts with data processors and customers to provide for more stringent data protection and consent clauses;
(c) create a framework for accountability by monitoring, reviewing and assessing data processing activities;
(d) evaluate insurance policies to ensure the company is adequately protected in the event of a data breach;
(e) conduct internal training sessions to ensure employee compliance with the new data protection obligations; and
(f) consider whether the employment of a data protection officer is required.
It will be important for businesses in Oman to assess all personal data processing activities. This should include an audit of any activities likely to involve the processing of personal data relating to individuals in the EU, including information that indirectly identifies such individuals (such as IP addresses or customer reference numbers).