Ever since the EU’s GDPR (Global Data Protection Regulation) has taken effect, data privacy has gained more importance and countries all over the world have started to draft their own laws and regulations. When the issue of data privacy is raised, two elements emerge: security and ethics.
Everything comes down to how personal data is used. Consent and targeted audience are the key words here and the pillars of all data regulations and privacy laws. Failing to protect personal data has financial consequences and leads to operational inefficiencies and permanent loss of customer trust.
Pillars of a Data Privacy Strategy
Elaborating a data privacy strategy is crucial in the digital era. Transparency is the ultimate pillar of such a strategy, whereby why personal data is collected and how it is used are clearly stated. Ensuring security and protecting data during data transfers, or in case of data breaches is also important to preserve customer’s trust. When a data privacy strategy is drafted, data protection policies, processes and practices should be clearly communicated.
Laws and Regulations
When imposed in 2018, the General Data Protection Regulation (GDPR) was a huge leap forward in this context. The law gives forth stringent requirements for organizations who process personal data collected in the EU, with many multinationals in the Middle East undertaking GDPR compliance projects.
In a recently concluded virtual panel by Telecom Review, Nicolas Gresser, Head of Public Policy, Middle East and Africa at Amazon Web Services explained how the MEA region is following the footsteps of the European Union with data privacy laws that follow the GDPR standard. According to him, “this is driving some degree of harmonization between countries, which can enable data flow between countries, however, this privacy framework remains very heterogeneous and fragmented so data is not flowing between countries as it should.”
Many countries in the Middle East have decided to replicate the GDPR experience with pertinent laws. Qatar for example, was the first Gulf Cooperation Council member state to issue a personal data protection law - the Personal Data Privacy Protection Law (PDPPL) - that goes by the principles of transparency, fairness and respect for personal privacy.
The UAE’s DIFC Data Protection Law has been enforced in October 2020 and applies to all DIFC registered entities. It was enacted to protect the data processes by organizations registered in the DIFC. In November 2021, the UAE issued its Data Protection Law which stipulates strict data privacy and protection standards.
In the same framework, the Kingdom of Saudi Arabia issued in September 2021 the Personal Data Protection Law that provides guidelines on how to process personal data in the Kingdom.
Egypt is one of the Arab countries that impose strict data protection rules in conformity with its Personal Data Protection Law enacted in July 2020. According to the Law, personal data should only be collected for specific legitimate purposes and should not be retained longer than necessary.
Oman joins as well the list of countries that took action as to data privacy. In February 2022, the Sultanate of Oman issued the Personal Data Protection Law which raised awareness on the importance of data protection.
The topic of data protection can be very controversial and is affected by a series of factors and elements that differ according to the specificities of the region as a whole and the country in specific. The industry is on the right track when it comes to data protection law, however, a lot remains to be done, notably in terms of the role of regulators in maintaining a healthy regulatory scene and imposing the right measures at the right time.