
Data-Centric Security and Local Data Protection Laws in MENA

Written by Thomas Stoesser | Apr 21, 2022

For today’s organizations, data security isn’t just a matter of mitigating financial and reputational risk. There are also major regulatory compliance hurdles to clear in virtually every jurisdiction. Understanding these competing requirements can be a complex, time-consuming and expensive endeavor, especially for multinationals with outposts in many countries.

Perhaps among the least well understood regions is the Middle East and North Africa (MENA). Impressive GDP growth predictions of 5.2% in 2022 and 4.6% in 2023 might be attracting new investment in the region. But businesses must also be aware of the implications of processing the personal data of citizens and residents in MENA countries, even if they don’t have offices there.

To that end, here’s a quick breakdown of the key data protection laws in three major MENA markets: the United Arab Emirates (UAE), Egypt and Saudi Arabia.

An opportunity to grow

The EU General Data Protection Regulation (GDPR) is the progenitor of most new data protection laws that have sprung up around the world since it was rolled out in early 2018. Some are very similar to the regulation, others less so. Ideally, compliance should be treated not as an obligation, but an opportunity to enhance customer trust and provide a firm foundation for digital transformation and growth.

Egypt

Egypt’s Data Protection Law (law no. 151 of 2020) came into force in October 2020, although organizations have a further 21-month grace period from that date to get their house in order. It applies to any data controller or processor managing personal data, and to all personal data except that handled by the Central Bank of Egypt. The data of non-Egyptians living in the country is also in scope. Key principles of the law align with the GDPR, including data minimization, accuracy and security, lawfulness, and storage limitation.

Also like the GDPR, all breaches must be reported within 72 hours of discovery, dropping to 24 hours for incidents affecting national security. Companies failing to appoint a Data Protection Officer (also a GDPR requirement) could be fined two million Egyptian pounds ($109,000 USD), but there are lower fines for other infractions, such as processing personal info without the consent of the data subject. However, minimum prison sentences of three months are also possible for various offenses.

The United Arab Emirates (UAE)

The UAE Personal Data Protection Law took effect on 2 January 2022, but the expectation is that businesses have until September 2022 to ensure they’re compliant. It applies to any private business processing personal information of UAE nationals and residents, whether they’re based inside or outside the country. Similarities with the GDPR include the concepts of “personal data,” “sensitive personal data,” “controllers,” “processors” and “consent.” The law also shares the GDPR principles of fairness, transparency and lawfulness, purpose limitation, data minimization, accuracy, security and confidentiality, and storage limitation.

However, unlike the GDPR, there’s no justification for processing personal data according to “legitimate interest.” Instead, it’s expected that consent will be obtained from individuals unless exceptions apply, such as that data processing is necessary to protect the public interest, defend a legal claim, protect the interests of the individual, fulfill UAE legal obligations, or perform a contract. Breaches must be reported to the UAE Data Office of Personal Data Breaches “immediately on becoming aware” of them. There’s no information yet available on how large financial penalties will be under the new law.

Saudi Arabia

The kingdom’s Personal Data Protection Law came into force on March 23, 2022, although organizations will have a year’s grace period. It covers all Saudi nationals and residents, and applies to businesses outside the country that process the personal information of these individuals. There are similarities to the GDPR, including the definition of personal data and how it can be used, processed and retained. Foreign companies processing Saudi citizen and resident data must also appoint a local licensed representative.

However, like the UAE law, the Saudi law requires “immediate” breach notification to the Saudi Data & Artificial Intelligence Authority (SDAIA) and to data subjects. There are also stricter rules governing data transfers outside the kingdom. Fines top out at five million riyals ($1.3m USD), and some infractions could lead to imprisonment of up to two years.

Why data-centric security?

GDPR and its regional variants were intended to empower consumers and drive increased confidence in brands. With consumer trust in global brands at rock bottom, there’s a greater need for this approach today than ever. Viewed through this lens, compliance with local data protection laws can actually be a driver of business growth, rather than simply a mitigator of financial, reputational and regulatory risk.

The good news is that a data-centric security strategy can take a lot of the pain out of data protection compliance, in MENA and elsewhere. Rather than trying to secure data only at the perimeter, which is ineffective against many modern cyber-threats, organizations should encrypt or tokenize the data itself. This renders the data unreadable to attackers even if they do manage to access it, provided the encryption keys or token mappings are protected separately from the data. By ensuring they have a continuous process in place for data discovery, classification and protection, organizations can reduce much of the risk associated with compliance in an increasingly complex global regulatory environment.

Encryption and pseudonymization are the only two data security controls mentioned by name in the GDPR. It makes sense to start any data compliance strategy here.