Over the course of 7 short days in September of 2021, both the United Arab Emirates (UAE) and the Kingdom of Saudi Arabia (KSA) announced the introduction of modern privacy regulations. The decision from the twin wealth capitals of the Middle East represents a substantial change in regional data management regulation for thousands of companies, millions of residents and over one trillion dollars in GDP.
Bahrain was the first in the region to announce (Law No. 30 of 2018) and subsequently adopt (August 2019) a set of modern privacy laws. The island nation provided organizations operating across the region a critical opportunity to put in place a privacy program and adapt to new requirements, albeit on a smaller scale.
Neither the UAE’s data law (DL) nor KSA’s personal data protection law (PDPL) is expected to rise to the complexity or detail of the EU’s GDPR. Europe developed its data protection regime over the course of four decades, starting with the OECD principles in the late 70s.
How does this impact your business?
Businesses will be expected to provide consumers with a set of privacy rights that fall into three categories: informative, corrective and restrictive.
- Informative rights, such as the right to access or portability, require organizations to provide the individual with a copy of their personal data.
- Corrective rights, such as the right to rectification or erasure, provide individuals with the opportunity to update their records or, at the extreme, delete them entirely.
- Restrictive rights allow individuals to control how their data is used. This may be in the form of opting out of the sale of their data or of having their data shared with a third party.
In addition to privacy rights, consent and preference management will become more regulated. This is expected to impact direct marketing in large part, as organizations across the region have grown accustomed to contacting consumers through purchased or shared lists with little or no explicit consent.
What should businesses do to prepare?
Organizations should start with a data sanity exercise.
- Discover what information is held on customers and prospects,
- Only collect information needed for a defined purpose (data minimization),
- Identify whether the information was sourced directly from the consumer or through a third party (data lineage),
- Associate the purpose for which the data was collected with its future use (purpose limitation),
- Delete information that is no longer needed or required by law.
These initial steps will allow organizations to support consumer privacy rights and develop trust with their clients.
At the time of publishing, details regarding fines and regulatory sanctions were not yet available. We expect that individuals will be able to easily raise complaints against offending businesses, which will subsequently be investigated and potentially sanctioned by the relevant data protection authorities.
For further details regarding the requirements and the tools available to develop a modern privacy program, please review the Market Guide for Consent and Preference Management and the Market Guide for Subject Rights Request Automation.