In the Middle East and North Africa regions, the business world is just beginning to encounter the regulatory and operational pressures that European and U.S. companies have faced in recent years. Six new data privacy laws have been introduced in the last 18 months and authorities in the Dubai International Financial Centre have already issued 88 fines since the region’s new regulations became effective in late 2020.
These new laws come in addition to dozens of existing regulations in Saudi Arabia, the United Arab Emirates and other countries that impact data privacy in some way, and the extraterritorial laws such as the EU General Data Protection Regulation, which impact obligations for many organizations in the MENA region.
As Middle Eastern countries ramp up their regulatory oversight and rigor over data protection, companies in the region are seeking guidance on how to evaluate their risk, implement data privacy frameworks and uphold compliance. Given a multitude of complexities, it is very difficult for organizations to stay abreast of all the requirements.
A snapshot of emerging laws and penalties
In the UAE, at least 19 laws are focused on or contain sections regarding data privacy, and a federal UAE data privacy law is expected to pass this year. In early 2021, the Abu Dhabi Global Market repealed the 2015 ADGM Data Protection Regulations and replaced them with new laws with an emphasis on accountability and requirements similar to the GDPR and other global standards. Under those changes, existing organizations operating in or with connections to ADGM have until Feb. 14, 2022, to implement new compliance measures and new organizations had until Aug. 14 this year to establish compliance.
The UAE constitution, Penal Code, Cyber Crime Law and sector-specific laws that impact health care, e-commerce or other industries also include privacy provisions and enforcement power — with penalties for violating these laws spanning fines as high as DH1 million or potential jail time.
Another recent change is the enactment of the DIFC Data Protection Law in July of last year, which became enforceable after only a three-month transition period. The DPL replaced previous DIFC data protection regulations, aligning the region's protections, requirements and enforcement powers with global standards.
In 2018, Bahrain's Personal Data Protection Law was introduced, which includes protection of privacy, data subject rights and accountability similar to other global standards. The law includes a degree of enforcement and independent regulator power, but less so than the strictest global laws. Qatar’s Law No. 13 of 2016 Concerning Personal Data Protection goes even further and is aligned with global principles across protections, data subject rights, accountability, regulatory authority and enforcement.
This is only a snapshot of the complex data privacy landscape forming in the MENA. At the very least, this should illustrate it is time to take data privacy seriously. As organizations in the region begin to adapt, there are a number of considerations that should be addressed.
Data privacy risks and best practices
Legal and compliance teams can start with an assessment of the laws that apply to their organization and how the company’s existing policies and practices stack up against the requirements. Under some of the new and emerging laws in the MENA, organizations must meet a much higher bar for accountability, which means they are expected to have a robust compliance program with appropriate staffing, oversight and technical controls to protect personal data. This may include maintaining a processing register and conducting data protection impact assessments on technologies and outside providers.
For many organizations, new policies, procedures and consent notices will need to be implemented. Policies should address any gaps identified in the assessment, reflect the latest requirements and be designed to adapt as the regulations change. Organizations that rely on consent will need to ensure privacy notices and consent meet standards and demonstrate consent has been freely given.
The ADGM, DIFC, Qatari and Bahraini laws also all require the appointment of a data protection officer for all companies processing sensitive data or high volumes of data. The laws do not require this role to be filled by an employee, so organizations without the internal expertise, bandwidth or budget to appoint an in-house DPO have the option to outsource the role to a third-party expert. In any case, the DPO must have a deep understanding of the full scope of privacy laws under which the company is obligated, and experience in designing, executing and managing global privacy programs.
Data breach response is another important consideration. Certain laws require organizations to notify data subjects of breaches within 72 hours and take additional steps to investigate and resolve the breach. To ensure compliance with breach response requirements and avoid penalties, organizations should consult with data privacy experts to update data breach policy, processes and workflows to ensure timely response and communication with authorities in the event of a breach.
When personal data is being transferred across borders for business purposes, mergers and acquisitions activity or regulatory investigations, organizations must take additional steps to avoid running afoul of data privacy laws. The Gulf Cooperation Council provides a framework for international data transfers between many of the MENA countries, but not all jurisdictions are approved as adequate. If data is being transferred to countries not granted adequacy under the GCC, additional control mechanisms, such as standard contractual clauses or binding corporate rules, will be required. It is important to note, though, that even these mechanisms may come under scrutiny in the wake of the Court of Justice of the European Union's "Schrems II" ruling last year.
Proactive data privacy
Worldwide, data privacy regulations are becoming more complicated and intense. While the MENA has moved more slowly on this front than other regions, it is catching up. Governments are getting serious about leading on the global stage and enforcing data privacy. In addition to implementing new privacy programs and controls to adapt to this shift, organizations will also need to invest in changing cultural attitudes toward data privacy. Change management initiatives that ensure everyone who interacts with sensitive data is bought in to the policies will be critical.
The result of these efforts will be a strong foundation for extracting value from data in a compliant way and the ability to sustain consumer, partner and employee trust, at a time when doing nothing is no longer an option. In FTI Consulting’s 2020 Resilience Barometer, while 76% of respondents either agree or strongly agree that regulatory uplift will make business more complicated, less than half are proactive about increased regulatory scrutiny and managing the risks of sensitive internal information leaks. This reactive approach to data protection must change.