Data privacy is far more than just the security and protection of personal data. It all boils down to how organisations are using that personal data. Organisations need to process personal data in an ethical and legal manner. That could mean not bombarding customers with unwanted SMS marketing messages but it could also mean simply not sharing personal information with third parties without the customer’s consent. It doesn’t mean that marketing is now forbidden under data privacy laws but it does mean that organisations need to be transparent about what personal data they are capturing and how it’s going to be used. Many organisations recognise the significant risks of cyber attacks and data breaches but fail to understand what else is required to safeguard what is referred to as the “rights and freedoms of individuals”.
Why is data privacy important?
Companies that fail to protect personal data and comply with data privacy regulations aren’t just risking financial penalties. They also risk operational inefficiencies, intervention by regulators and most importantly, permanent loss of consumer trust.
Data protection regulators may enforce mandatory audits, request access to documentation and evidence or even mandate that an organisation stops processing personal data.
Non-compliance with the law could result in brand damage, loss of consumer trust, loss of employee trust and customer attrition.
Fines, and in some countries potential prison sentences, could be enforced depending on the violation. You may also experience loss of revenue and high litigation and remediation costs.
Most data privacy laws give people more rights over their data, such as the right to access their data or the right for it to be deleted. This can be a significant operational burden if it is not implemented effectively.
Ten steps to an effective data privacy programme
< Back
< Back
[+] Read More
Key global and regional data privacy laws
- GDPR
- Qatar
- Bahrain
- Egypt
- UAE - DIFC
- UAE
- Saudi Arabia
- Oman
GDPR
General Data Protection Regulation (GDPR)
As the global gold standard for data protection, the GDPR represented a significant evolution in the landscape for personal data protection when it came into force on 25 May 2018.
The law includes stringent requirements for organisations who process personal data collected in the EU, with many multinationals in the Middle East undertaking GDPR compliance projects.
The law introduces strengthened rights for Data Subjects such as the right to access their data, the right to be informed via privacy notices and the right to rectify or delete their personal data.
Potential fines under the GDPR can reach €20m or 4% of global turnover - whichever is greater.
Qatar
Qatari Law No. 13 of 2016
Qatar implemented Law No. (13) of 2016 ("the Personal Data Privacy Protection Law") to protect the privacy of individuals’ personal data. With this, Qatar became the first Gulf Cooperation Council (GCC) member state to issue a personal data protection law. The Ministry of Transport and Communications has been tasked to enforce the law.
Any organisation involved in the processing of personal data should adhere to the principles of transparency, fairness and respect for human dignity. Additionally, adequate technical and organisational measures should be put in place to ensure a safe custody of the personal data.
The PDPPL prescribes financial penalties for non-compliance or legislative breaches which could be up to a maximum of QAR 5,000,000.
Bahrain
Bahrain Law No. 30 of 2018
On 1 August 2019, Bahrain Law No. 30 of 2018 promulgating the Personal Data Protection Law (PDPL) came into force in the Kingdom. Modelled on European Union data protection laws, the PDPL is the second national law in the Gulf region to directly address the right to personal data protection and will impose obligations on businesses that collect personal data in relation to how organisations use and secure it.
Penalties go further than the GDPR by including provisions for prison sentences of up to 1 year.
The law includes additional requirements for organisations to submit their data processing registers monthly to the Authority and has shorter timelines for compliance with individuals' rights.
Egypt
Egypt Personal Data Protection Law No.151 of 2020
Egypt published a Personal Data Protection Law in July 2020 that addresses the right to personal data protection and gives multiple rights to individuals.
According to the Law, personal data should only be collected for specific legitimate purposes and should not be retained longer than necessary.
Organisations may need to acquire a license to process both personal and sensitive personal data. Additionally, organisations involved in the processing of personal information are expected to appoint an authorised Data Protection Officer (DPO) who will be responsible for the application of this law within the organisation.
The Personal Data Protection Law has provisions for administrative fines and criminal penalties for non-compliance which could be up to a maximum of EGP 5m or a potential sentence of imprisonment of more than six months.
UAE - DIFC
DIFC Law No. 5 of 2020
The DIFC Data Protection Law (DIFC Law No. 5 of 2020) has been effective since 1 July 2020 and enforceable as of 1 October 2020. The law is applicable to all DIFC registered entities.
Influenced by the EU General Data Protection Regulation, the DIFC law combines the best practices from a variety of world class data protection laws.
The law aims to safeguard the personal data of individuals whose data is processed by organisations registered in the DIFC. Non-compliance with the law may result in fines.
UAE
Federal Law No. 45 of 2021 (the UAE Data Protection Law)
In November 2021, the United Arab Emirates issued Federal Law No. 45 of 2021 (the UAE Data Protection Law), which set stricter standards for data privacy and protection and further increased awareness around the importance of data protection compliance. We have put together this data privacy handbook to try to simplify the requirements and help you kick-start your data privacy compliance journey.
Saudi Arabia
The KSA Personal Data Protection Law was issued on 16 September 2021 with the aim of protecting and providing guidelines of processing personal data within the Kingdom of Saudi Arabia (KSA). The Law applies to all organisations which operate or do business within KSA.
The Law also references the “Executive Regulations” which will be issued within 180 days. The “Executive Regulations” will provide extra guidance on how organisations should comply with the Law.
If an organisation fails to protect personal data and comply with the Law within one year, the fines can reach up to SAR 5,000,000 and prison sentences up to 2 years.
Oman
Oman Personal Data Protection Law, Royal Decree NO 6/2022
In February 2022 the Sultanate of Oman issued the Personal Data
Protection Law, which set stricter standards for data privacy and protection and further increased awareness of the importance of data protection compliance.
The law comes into force on 13 February 2023 – and it is highly important for organisations to fully prepare themselves for compliance
with the new legal requirements by this date.
We’ve put together this Data Privacy Handbook for the Sultanate of Oman to try to simplify the requirements and help organisations kick-start their data privacy compliance journey.
How we can help
We start by helping put the data protection requirements in the context of the business. We have developed a five step approach to transforming privacy programmes, with tools and accelerators to assist the process.
Risk analysis and data discovery
What you will get
- Stakeholder engagement and communications plan
- Personal data inventory
- Data flow maps showing the movement of personal data from collection through to disposal
Gap assessment
What you will get
- Control gap analysis
- Risk assessment based on current and planned future uses of personal data
Target operating model and programme design
What you will get
- Detailed remediation project plan with identified organisational impact
- Cross-functional working group established
Programme implementation
Areas of focus
- Strategy and governance
- Policy management
- Cross-border data strategy
- Data life-cycle management
- Individual rights processing
- Privacy by design
- Information security
- Privacy incident management
- Data processor accountability
- Training and awareness
Ongoing operations and monitoring
What you will get
- Defined ongoing monitoring programme
- Tracking and retesting of non-compliance
- Protocols for changes to policies and procedures
Contact the team
Contact us
Imad Abuizz
Partner, Digital and Technology Platform Leader, PwC Middle East
Tel: +966 50 426 3478
Simone Vernacchia
Digital & Technology Consulting Senior Equity Partner, PwC Middle East
Tel: +971 4 304 3203
Follow us
