Navigating data privacy regulations

New data privacy and protection legislations, both globally and within the region, are driving consumer demands around trustworthy and transparent use of personal data. Privacy regulations protect the rights of the individual (the data subject) with respect to fair and lawful collection and use of their personal information by organisations. Non compliance can result in fines and reputational damage.

Data privacy is far more than just the security and protection of personal data. It all boils down to how organisations are using that personal data. Organisations need to process personal data in an ethical and legal manner. That could mean not bombarding customers with unwanted SMS marketing messages but it could also mean simply not sharing personal information with third parties without the customer’s consent. It doesn’t mean that marketing is now forbidden under data privacy laws but it does mean that organisations need to be transparent about what personal data they are capturing and how it’s going to be used. Many organisations recognise the significant risks of cyber attacks and data breaches but fail to understand what else is required to safeguard what is referred to as the “rights and freedoms of individuals”.

Assess your data privacy maturity

Why is data privacy important?

Companies that fail to protect personal data and comply with data privacy regulations aren’t just risking financial penalties. They also risk operational inefficiencies, intervention by regulators and most importantly, permanent loss of consumer trust.

Data protection regulators may enforce mandatory audits, request access to documentation and evidence or even mandate that an organisation stops processing personal data.

Non-compliance with the law could result in brand damage, loss of consumer trust, loss of employee trust and customer attrition.

Fines, and in some countries potential prison sentences, could be enforced depending on the violation. You may also experience loss of revenue and high litigation and remediation costs.

Most data privacy laws give people more rights over their data, such as the right to access their data or the right for it to be deleted. This can be a significant operational burden if it is not implemented effectively.

Ten steps to an effective data privacy programme

1. Appoint a Data Protection Officer

2. Maintain a personal data register

3. Notify purpose and seek consent

4. Respond when individuals ask about their personal data

5. Enforce security mechanisms

6. Embed data privacy into your systems, processes and services

Download Data Privacy Handbook

Key global and regional data privacy laws

GDPR

General Data Protection Regulation (GDPR)

As the global gold standard for data protection, the GDPR represented a significant evolution in the landscape for personal data protection when it came into force on 25 May 2018.

The law includes stringent requirements for organisations who process personal data collected in the EU, with many multinationals in the Middle East undertaking GDPR compliance projects.

The law introduces strengthened rights for Data Subjects such as the right to access their data, the right to be informed via privacy notices and the right to rectify or delete their personal data.

Potential fines under the GDPR can reach €20m or 4% of global turnover - whichever is greater.

Qatar

Qatari Law No. 13 of 2016

Qatar implemented Law No. (13) of 2016 ("the Personal Data Privacy Protection Law") to protect the privacy of individuals’ personal data. With this, Qatar became the first Gulf Cooperation Council (GCC) member state to issue a personal data protection law. The Ministry of Transport and Communications has been tasked to enforce the law.

Any organisation involved in the processing of personal data should adhere to the principles of transparency, fairness and respect for human dignity. Additionally, adequate technical and organisational measures should be put in place to ensure a safe custody of the personal data.

The PDPPL prescribes financial penalties for non-compliance or legislative breaches which could be up to a maximum of QAR 5,000,000.

Learn more

Bahrain

Bahrain Law No. 30 of 2018

On 1 August 2019, Bahrain Law No. 30 of 2018 promulgating the Personal Data Protection Law (PDPL) came into force in the Kingdom. Modelled on European Union data protection laws, the PDPL is the second national law in the Gulf region to directly address the right to personal data protection and will impose obligations on businesses that collect personal data in relation to how organisations use and secure it.

Penalties go further than the GDPR by including provisions for prison sentences of up to 1 year.

The law includes additional requirements for organisations to submit their data processing registers monthly to the Authority and has shorter timelines for compliance with individuals' rights.

Egypt

Egypt Personal Data Protection Law No.151 of 2020

Egypt published a Personal Data Protection Law in July 2020 that addresses the right to personal data protection and gives multiple rights to individuals.

According to the Law, personal data should only be collected for specific legitimate purposes and should not be retained longer than necessary.

Organisations may need to acquire a license to process both personal and sensitive personal data. Additionally, organisations involved in the processing of personal information are expected to appoint an authorised Data Protection Officer (DPO) who will be responsible for the application of this law within the organisation.

The Personal Data Protection Law has provisions for administrative fines and criminal penalties for non-compliance which could be up to a maximum of EGP 5m or a potential sentence of imprisonment of more than six months.

Learn More

UAE - DIFC

DIFC Law No. 5 of 2020

The DIFC Data Protection Law (DIFC Law No. 5 of 2020) has been effective since 1 July 2020 and enforceable as of 1 October 2020. The law is applicable to all DIFC registered entities.

Influenced by the EU General Data Protection Regulation, the DIFC law combines the best practices from a variety of world class data protection laws.

The law aims to safeguard the personal data of individuals whose data is processed by organisations registered in the DIFC. Non-compliance with the law may result in fines.

Learn More

Saudi Arabia

The KSA Personal Data Protection Law was issued on 16 September 2021 with the aim of protecting and providing guidelines of processing personal data within the Kingdom of Saudi Arabia (KSA). The Law applies to all organisations which operate or do business within KSA.

The Law also references the “Executive Regulations” which will be issued within 180 days. The “Executive Regulations” will provide extra guidance on how organisations should comply with the Law.

If an organisation fails to protect personal data and comply with the Law within one year, the fines can reach up to SAR 5,000,000 and prison sentences up to 2 years.

Learn more

How we can help

We start by helping put the data protection requirements in the context of the business. We have developed a five step approach to transforming privacy programmes, with tools and accelerators to assist the process.

Risk analysis and data discovery

What you will get

Stakeholder engagement and communications plan
Personal data inventory
Data flow maps showing the movement of personal data from collection through to disposal

Gap assessment

What you will get

Control gap analysis
Risk assessment based on current and planned future uses of personal data

Target operating model and programme design

What you will get

Detailed remediation project plan with identified organisational impact
Cross-functional working group established

Programme implementation

Areas of focus

Strategy and governance
Policy management
Cross-border data strategy
Data life-cycle management
Individual rights processing
Privacy by design
Information security
Privacy incident management
Data processor accountability
Training and awareness

Ongoing operations and monitoring

What you will get

Defined ongoing monitoring programme
Tracking and retesting of non-compliance
Protocols for changes to policies and procedures

Contact the team

Speak to our local multidisciplinary team of data privacy experts to determine the best approach to managing data privacy in your organisation.

Required fields are marked with an asterisk(*)

First Name*

Last Name*

Email Id*

Organization*

Phone Number*

Please Click Here*

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.