It is not an overstatement to say that data privacy is one of the hottest topics on the minds of business leaders around the globe today. The need for businesses to go digital is stronger than ever, and this rapid pace of transformation poses more risks to the ‘right to privacy’ than we have seen since the UN proclaimed it to be a universal human right in the 1940s.
In response to the implications of advancing technology on data privacy (e.g. facial recognition, artificial intelligence (AI), tracking apps, etc.), many countries have published their own legislation, which has also had a major impact on the data protection landscape of the Middle East.
After the introduction of the European General Data Protection Regulation (GDPR, commonly regarded as the gold standard in data privacy legislation), those with the strongest economic ties to the EU have taken a proactive approach to data privacy. Since then, we’ve seen many other countries following suit with various national and sectoral data protection laws.
On 15 July 2020, Egypt also joined the exclusive club of Middle Eastern countries with national data protection laws, publishing the Personal Data Protection Law (PDPL, Law No 151 of 2020). Coming into force on 14 October 2020, the PDPL brings a wide range of new obligations for businesses.
What’s new?
The PDPL will not come as a shock to those who are familiar with the GDPR, as its main principles align with the spirit of the European regulation. The key differences lie in the practical implementation of those principles and in the terminology used. Here are some of its key takeaways:
- Lawful basis for processing
One noteworthy difference between the GDPR and the new Egyptian legislation is that the PDPL provides a list of permissible lawful bases for processing personal information, which can be replaced with the explicit consent of individuals.
- Individuals’ rights
The new law sets out six individual rights, including the right to be informed, to access, to rectify data, to withdraw consent, to limit the scope of processing, and to object to processing that contradicts the fundamental rights and freedoms of the individual. Further to these six rights, the PDPL provides strict requirements for digital marketing.
- Sensitive personal data
The definition of sensitive personal data is also very similar to the GDPR. Data that relates to the individual’s psychiatric, psychological, physiological or genetic health condition, financial situation, religious beliefs, political opinions and criminal/security history is all considered sensitive information. In addition, any data relating to children is also considered to be sensitive personal data. Organisations may need a licence from the Personal Data Protection Centre (the Authority) to process both personal and sensitive personal data.
- Data breach notification
Any data breach needs to be disclosed to the Authority within 72 hours. If the breach relates to national security protection considerations, the notification shall be immediate. Organisations also need to notify the affected individuals about the breach of their data within three days.
- Cross-border transfer of data
Cross-border transfer or sharing of personal data is prohibited unless the receiving country guarantees a level of protection for personal data that does not fall below the requirements stipulated under the Law, and subject to obtaining a relevant licence from the Authority. Additional guidance on this front is expected in due course.
- Data Protection Officer
Organisations are expected to appoint a Data Protection Officer (DPO). The DPO will be responsible for the application of the provisions of the Law within the organisation. Details of the DPO need to be registered with the Authority.
- Penalties for non-compliance
The provisions for administrative fines and criminal penalties for non-compliance are severe. The fines could be up to EGP 5m, with a potential sentence of imprisonment of more than six months.
What you can do to prepare
To comply with the law, businesses need to take a holistic approach and implement a privacy programme that focuses on satisfying the regulatory obligations in a way that supports the overall business strategy. It is therefore essential for businesses to take the following ten steps:
- Appoint a DPO, define roles and responsibilities for data privacy and provide appropriate training to your staff who process personal data.
- Prepare the list of data processing activities performed in your organisation.
- Notify individuals of the purpose of processing and seek their consent, whilst also implementing consent management procedures.
- Review the individual rights and ensure that you fully understand the business impact of each. Respond when individuals ask about their personal data.
- Review the technical controls present in your organisation to ascertain whether they are fit for purpose and support data protection requirements.
- Establish processes, policies and procedures to enable efficient data processing and compliant digital marketing.
- Establish a data breach management process to detect, investigate and report possible personal data breaches to the Authority.
- Evaluate your contracts with data processors to meet PDPL requirements. The risks introduced to the data by third parties should be well understood and managed.
- Review your cross-border data transfer mechanism. Protect personal data when transferring it overseas. Apply for a licence (if applicable).
- Communicate your data protection policies, practices and processes.
Nabil Diab is a Partner for Assurance services at PwC Middle East