6. Integrate data protection into your systems, processes and services

Data protection regulations around the world are becoming increasingly complicated and intensive. While the MENA region is making slower progress on this front than other regions, it is catching up. Governments are committed to leading the world and upholding privacy. In addition to implementing new privacy programs and controls to adapt to this change, organizations must also invest in changing cultural attitudes towards privacy. Change management initiatives that ensure that everyone who interacts with sensitive data is included in policies are essential. The result of these efforts will be a solid foundation for extracting value from data in a compliant manner and the ability to maintain the trust of consumers, partners and employees at a time when doing nothing is no longer an option. While 76% of respondents to FTI Consulting's 2020 Resilience Barometer agree or strongly agree that the regulatory elevator will complicate business, less than half are proactive in terms of increased regulatory oversight and managing the risk of leakage of sensitive internal information. This reactive approach to data protection needs to change.
Those measures shall ensure a level of security commensurate with the risks posed by the processing and the nature of the data to be protected, with regard to the entity's facilities and the cost of implementation. Specific security measures are taken for certain types of personal data and for certain purposes (in particular sensitive data, call recording and video surveillance).

Federal Legislative Decree No. 45 of 2021 on the Protection of Personal Data (the “Law”) entered into force on 2 January 2022 and is the first national data protection law of the United Arab Emirates of the type of Regulation (EU) 2016/679 (“GDPR”). The law follows important international data protection principles and best practices such as those contained in the GDPR and marks a positive step towards greater harmonization of data protection with international standards, which is a necessity in today's interconnected era of cross-border data flows at the international level. In the second part of this series on the Act, Andrew Fawcett and Darya Ghasemzadeh of Al Tamimi & Company discuss some of the rights of data subjects under the Act, as well as its provisions on the role of a Data Protection Officer (“DPO”) and cross-border data transfers.

The United Arab Emirates consists of seven emirates. These are Abu Dhabi (the capital), Ajman, Dubai, Fujairah, Ras Al Khaimah, Sharjah and Umm Al Quwain. The country has three internationally oriented data protection regulatory systems.
The most recent is the UAE Data Protection Act 2021. It is far-reaching, but does not apply to the UAE government or government organizations. The UAE Data Office, the data protection authority, is still under construction. Rules, regulations and guidelines will be published shortly to clarify and expand the law. These updates and clarifications could be announced in a relatively short period of time, forcing companies and organizations to closely monitor developments.

On August 1, 2019, Bahrain's Law No. 30 of 2018 promulgating the Data Protection Law (PDPL) came into force in the Kingdom. Inspired by European Union data protection laws, the PDPL is the second national law in the Gulf region to directly address the right to protection of personal data and to impose obligations on companies that collect personal data regarding how they use and secure it. There is no need to appoint a data protection officer.
The law introduces enhanced rights for data subjects, such as the right to access their data, the right to be informed of data protection notices, and the right to rectify or delete their personal data.

Egypt published a Personal Data Protection Law in July 2020, which regulates the right to personal data protection and grants individuals several rights.

Unlike the EU's GDPR, which acted as an update and harmonization of the legal framework for data protection, the PDPL marks a completely new approach and poses challenges for companies operating in Saudi Arabia. The Kingdom of Saudi Arabia introduced its first Personal Data Protection Act (PDPL) by Royal Decree in September 2021. It was followed, in March 2022, by a draft implementing regulation on the interpretation and extension of the PDPL. The regulator is the Saudi Data & Artificial Intelligence Authority (SDAIA). The PDPL will enter into force on 17 March 2023 (postponed from 22 March 2022). The law reflects key elements of international data protection principles and the EU GDPR, as well as various data protection laws in the Middle East.

Privacy and Personal Data Protection Act No. 13 of 2016 (PDPPL) provides a comprehensive data protection framework for Qatar at the federal level, with the Ministry of Transport and Communications (MOTC) acting as the federal regulator.

The laws of ADGM, DIFC, Qatar and Bahrain also require the appointment of a data protection officer for all companies that handle sensitive data or large amounts of data.
The laws do not require this role to be filled by an employee, so organizations that don't have the in-house expertise, bandwidth, or budget to appoint an internal DPO have the option to outsource the role to an external expert. In all cases, the DPO must have a thorough understanding of the full scope of the data protection laws by which the company is bound and experience in designing, executing and managing global data protection programs.