By Rami Wadie, Kuwait

 

WHAT HAS THE IMPACT BEEN ON MIDDLE MARKET BUSINESSES IN THE AFTERMATH OF ‘STORM GDPR’?

Given that the MENA region was not directly impacted by the GDPR, and since regulators, especially central banks, play a crucial role in directing regulated entities, few entities, if any, were compliant by 25 May 2018. Any other entities were simply in a state of transition, observing and seeking guidance from regulators. In short, the GDPR was implemented with a very low profile.

Of the organisations that were not ready, many were observing and not taking the initiative to comply. Certain organisations, although not required to comply, adopted all or part of the GDPR requirements as a good business practice and to ensure counter-party trust.

WHICH OF THE GDPR PRINCIPLES HAVE BEEN MOST CHALLENGING FOR BUSINESSES?

A typical challenge is identifying, classifying and securing personal data. This is mainly due to little or no investment in information and data security, which leaves organisations vulnerable and exposed.

GDPR AND FINDING OPPORTUNITY IN CHANGE

There is always a positive to every challenge. With the need to prove compliance, whether mandatory or discretionary, organisations are likely to embrace leading information security and data privacy practices.

Implementing an ISMS (information security management system) that is certified to the international standard ISO 27001 will likely enable organisations to:

  • Avoid financial penalties
  • Protect information and intellectual property rights
  • Protect reputation
  • Satisfy audit and regulatory requirements
  • Gain competitive advantage with new and existing clients
  • Build global trust

WHAT IS ON THE HORIZON FOR DATA PROTECTION?

While there are currently no official GCC (Gulf Cooperation Council) laws governing data protection and privacy, technological advancements such as cloud-based personal data storage imply that the GCC would have to embrace the idea of adopting a robust data protection regime to continue as a strong, competitive and attractive global contender.

Furthermore, there is an increasing number of data security laws and regulations in the GCC countries that organisations must be aware of and, potentially, comply with.

Recent technological developments across the region suggest that regulators and authorities are becoming aware of the challenges of data privacy, which may have implications for the Middle East.

An example of a new data protection regulation recently rolled out in the Gulf is the Bahrain Personal Data Protection Law No. 30 of 2018, which was published on 19 July 2018. Entities subject to the law in Bahrain must prepare for its full implementation by August 2019.

Additional laws are Qatar’s DPL (Data Privacy Law) and the UAE’s Cybercrime Law, which would likely motivate other countries in the region to follow suit. In Saudi Arabia, there is now a freedom of information and protection of private data law under review. This indicates another step in the direction of personal data protection.

Organisations are taking serious and crucial steps to embed compliance and transparency within their cultures. A positive and active demonstration of transparency and compliance brings greater trust in the brand.
