Navigating data privacy regulations

New data privacy and protection legislations, both globally and within the region, are driving consumer demands around trustworthy and transparent use of personal data. Privacy regulations protect the rights of the individual (the data subject) with respect to fair and lawful collection and use of their personal information by organisations. Non compliance can result in fines and reputational damage.

Data privacy is far more than just the security and protection of personal data. It all boils down to how organisations are using that personal data. Organisations need to process personal data in an ethical and legal manner. That could mean not bombarding customers with unwanted SMS marketing messages but it could also mean simply not sharing personal information with third parties without the customer’s consent. It doesn’t mean that marketing is now forbidden under data privacy laws but it does mean that organisations need to be transparent about what personal data they are capturing and how it’s going to be used. Many organisations recognise the significant risks of cyber attacks and data breaches but fail to understand what else is required to safeguard what is referred to as the “rights and freedoms of individuals”.

Assess your data privacy maturity

Why is data privacy important?

Companies that fail to protect personal data and comply with data privacy regulations aren’t just risking financial penalties. They also risk operational inefficiencies,  intervention by regulators and most importantly, permanent loss of consumer trust.

Key global and regional data privacy laws

GDPR

General Data Protection Regulation (GDPR)

As the global gold standard for data protection, the GDPR represented a significant evolution in the landscape for personal data protection when it came into force on 25 May 2018.

The law includes stringent requirements for organisations who process personal data collected in the EU, with many multinationals in the Middle East undertaking GDPR compliance projects.

The law introduces strengthened rights for Data Subjects such as the right to access their data, the right to be informed via privacy notices and the right to rectify or delete their personal data.

Potential fines under the GDPR can reach €20m or 4% of global turnover - whichever is greater.

Qatar

Qatari Law No. 13 of 2016

Qatar implemented Law No. (13) of 2016 ("the Personal Data Privacy Protection Law") to protect the privacy of individuals’ personal data. With this, Qatar became the first Gulf Cooperation Council (GCC) member state to issue a personal data protection law. The Ministry of Transport and Communications has been tasked to enforce the law.

Any organisation involved in the processing of personal data should adhere to the principles of transparency, fairness and respect for human dignity. Additionally, adequate technical and organisational measures should be put in place to ensure a safe custody of the personal data.

The PDPPL prescribes financial penalties for non-compliance or legislative breaches which could be up to a maximum of QAR 5,000,000.

Learn more

Bahrain

Bahrain Law No. 30 of 2018

On 1 August 2019, Bahrain Law No. 30 of 2018 promulgating the Personal Data Protection Law (PDPL) came into force in the Kingdom. Modelled on European Union data protection laws, the PDPL is the second national law in the Gulf region to directly address the right to personal data protection and will impose obligations on businesses that collect personal data in relation to how organisations use and secure it.

Penalties go further than the GDPR by including provisions for prison sentences of up to 1 year.

The law includes additional requirements for organisations to submit their data processing registers monthly to the Authority and has shorter timelines for compliance with individuals' rights.

Egypt

Egypt Personal Data Protection Law No.151 of 2020

Egypt published a Personal Data Protection Law in July 2020 that addresses the right to personal data protection and gives multiple rights to individuals. 

According to the Law, personal data should only be collected for specific legitimate purposes and should not be retained longer than necessary. 

Organisations may need to acquire a license to process both personal and sensitive personal data. Additionally, organisations involved in the processing of personal information are expected to appoint an authorised Data Protection Officer (DPO) who will be responsible for the application of this law within the organisation. 

The Personal Data Protection Law has provisions for administrative fines and criminal penalties for non-compliance which could be up to a maximum of EGP 5m or a potential sentence of imprisonment of more than six months. 

Learn More

UAE - DIFC

DIFC Law No. 5 of 2020

The DIFC Data Protection Law (DIFC Law No. 5 of 2020) has been effective since 1 July 2020 and enforceable as of 1 October 2020. The law is applicable to all DIFC registered entities. 

Influenced by the EU General Data Protection Regulation, the DIFC law combines the best practices from a variety of world class data protection laws.

The law aims to safeguard the personal data of individuals whose data is processed by organisations registered in the DIFC. Non-compliance with the law may result in fines. 

Learn More

UAE

Federal Law No. 45 of 2021 (the UAE Data Protection Law)

In November 2021, the United Arab Emirates issued Federal Law No. 45 of 2021 (the UAE Data Protection Law), which set stricter standards for data privacy and protection and further increased awareness around the importance of data protection compliance. We have put together this data privacy handbook to try to simplify the requirements and help you kick-start your data privacy compliance journey. 

Download handbook 

Saudi Arabia

The KSA Personal Data Protection Law was issued on 16 September 2021 with the aim of protecting and providing guidelines of processing personal data within the Kingdom of Saudi Arabia (KSA). The Law applies to all organisations which operate or do business within KSA. 

The Law also references the “Executive Regulations” which will be issued within 180 days. The “Executive Regulations” will provide extra guidance on how organisations should comply with the Law.

If an organisation fails to protect personal data and comply with the Law within one year, the fines can reach up to SAR 5,000,000 and prison sentences up to 2 years.

Learn more

Oman

Oman Personal Data Protection Law, Royal Decree NO 6/2022

In February 2022 the Sultanate of Oman issued the Personal Data
Protection Law, which set stricter standards for data privacy and protection and further increased awareness of the importance of data protection compliance.

The law comes into force on 13 February 2023 – and it is highly important for organisations to fully prepare themselves for compliance
with the new legal requirements by this date.

We’ve put together this Data Privacy Handbook for the Sultanate of Oman to try to simplify the requirements and help organisations kick-start their data privacy compliance journey.

Download handbook

 

How we can help

We start by helping put the data protection requirements in the context of the business. We have developed a five step approach to transforming privacy programmes, with tools and accelerators to assist the process.

Risk analysis and data discovery

What you will get

  • Stakeholder engagement and communications plan
  • Personal data inventory
  • Data flow maps showing the movement of personal data from collection through to disposal

Gap assessment

What you will get

  • Control gap analysis
  • Risk assessment based on current and planned future uses of personal data

Target operating model and programme design

What you will get

  • Detailed remediation project plan with identified organisational impact
  • Cross-functional working group established

Programme implementation

Areas of focus

  • Strategy and governance
  • Policy management
  • Cross-border data strategy
  • Data life-cycle management
  • Individual rights processing
  • Privacy by design
  • Information security
  • Privacy incident management
  • Data processor accountability
  • Training and awareness

Ongoing operations and monitoring

What you will get

  • Defined ongoing monitoring programme
  • Tracking and retesting of non-compliance
  • Protocols for changes to policies and procedures

Contact the team

Speak to our local multidisciplinary team of data privacy experts to determine the best approach to managing data privacy in your organisation.

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Contact us

Matthew White

Matthew White

Partner, Digital Trust Leader, PwC Middle East

Tel: +971 (0) 56 113 4205

Phil Mennie

Phil Mennie

Partner, Digital Trust, PwC Middle East

Tel: +971 (0) 56 369 7736

Imad Abuizz

Imad Abuizz

Partner, Digital and Technology Platform Leader, PwC Middle East

Tel: +966 50 426 3478

Simone Vernacchia

Simone Vernacchia

Digital & Technology Consulting Senior Equity Partner, PwC Middle East

Tel: +971 4 304 3203

Oliver Sykes

Oliver Sykes

Partner, Digital Trust, PwC Middle East

Tel: +971 (0) 56 480 2447

Follow us