Depending on which side of the fence you are sitting, countries are either attempting to achieve an ambitious global highwater mark, or they are simply responding to the extra-territorial requirements being imposed by the EU. These will impact the cross-border data transfers that facilitate the international trade in goods and services. These commercial realities, apprehension over government surveillance, concerns with surveillance capitalism (commodification of personal data) and – importantly in the Middle East – increased customer and consumer privacy expectations, are all driving these regulatory developments. In short, people tend not to adopt technology that they do not trust, and privacy sits at the heart of this ongoing digital “trust” debate. Irrespective of the reason (which is typically multifaceted), we are finally seeing an elevation of the subject of privacy into our boardrooms across the globe.
There have been a few updates to existing data protection regulations in the Middle East, but many jurisdictions with no previous comprehensive data protection law in place are also seeking to establish a national law for the first time. Examples include the UAE, Saudi Arabia, Kuwait, Oman and Jordan. Whatever the reason, it is worth acknowledging that the privacy bar is being set high for jurisdictions with no national data protection regimes in place. This is a revolution rather than an evolution, especially in a region like the Middle East, where public consultation, and therefore visibility into coming legislation, can be limited. It means that the time available to ensure compliance is oftentimes very challenging after the release of a new law.
The Changing Data Protection Landscape
Countries in the Middle East with no national data protection law do rightly point to constitutions and the existing patchworks of penal, cybercrime and industry-specific regulations that contain privacy and confidentiality requirements. There may be exceptions, but it is probably not unfair to assert that the enforcement of these privacy and confidentiality provisions has generally been poor. Much of the activity in our region appears to revolve around defamation scenarios. What I am able to confirm is that my own experience as a consumer in the UAE does not paint a pretty picture. For example, I had one large multinational insurance company’s agent send me an unsolicited email with a fully completed healthcare application for my entire family using the details he presumably stole from a previous employer. This is not uncommon in the region.
I have addressed the subject of enforcement previously in a blog titled “What a seatbelt can teach us about data protection enforcement?” The point I am hoping to make here, briefly, is that without the threat of enforcement with financial or reputational impact, or what we refer to as risk more generally in a legal and corporate governance context, it is probably unrealistic to expect small and medium-sized businesses to prioritise the development of functional privacy programmes governing the collection, use, sharing, storage, and deletion of personal data.
Even in jurisdictions in our region with existing data protection laws (and there are several), the likelihood is that most companies, barring multinationals with global programmes, have not gone much beyond the publication of a privacy notice on their website and a few internal policies. This tick box exercise is unfortunately akin to copying a security policy and purchasing a security product to deliver authentication technology and then not implementing the technology or monitoring the results. The standalone policy is not going to mitigate the risk of the next ransomware attack, even if it ticks the box from a regulatory compliance perspective.
I am also aware from a past life that some of the largest private sector and government organisations in the region have been successfully targeted by persistent threats and breached. This is often for an extended period and without their knowledge until bad actors “detonate” on the way out. An investigation into that incident will often uncover additional bad actors still present within the network and these hackers will often have stolen privileged credentials granting access to confidential data. And yet very rarely are customers and the wider public informed about these breaches in the region. If ever. I fully appreciate that no supervisory authority or court likes to “name and shame”, but in my opinion, enforcement is not only meant to punish poor behavior. It should be used as a tool to create wider deterrence for the common good. This is why publicity is so important. It creates risk.
It is for this reason that comprehensive national data protection regulations based on GDPR-inspired principles like accountability, transparency and fairness are so vital. Customers and consumers need to be made aware when their personal data is stolen. Custodians of that data need to be held accountable. And transparency and a duty to report data breaches and inform data subjects (when appropriate) will accelerate the adoption of sensible privacy and data protection best practices. This will contribute to the ongoing creation of comfort and trust in the region beyond our borders and this is good for business.
I do acknowledge that we should remember that business leaders are generally deciding which regulatory risks to mitigate – as a priority. Many smaller businesses will feel overwhelmed. This all makes the sudden local regulatory developments, the extra-territorial impact of these new regulations driven by Europe, and the focus on accountability and compliance incredibly daunting for the average business across the Middle East. Many are still standing behind the start line of their privacy programme journey.
Privacy is going mainstream
If you are not a privacy professional, you may ask: “What has changed?” It was not that long ago that corporate governance and cybersecurity were not boardroom discussions. Now they are. The same is true for the evolution of data governance. Initially data governance was about gathering accurate financial data to ensure that senior executives could fulfil new corporate governance obligations. Now data is used to make strategic business decisions and to deliver on key business objectives. The importance of maintaining the confidentiality, integrity, and availability of data – the so-called CIA triad – is appreciated by most senior executives. In other words, data governance has now gone mainstream, and I would argue that we are on the cusp of privacy following on the heels of the corporate governance and cybersecurity domains as a key responsibility for C-suits and boardrooms across the Middle East.
Why, you may ask, is this happening now? In short, because consumers (B2C), commercial customers (B2B), partners and governments are beginning to care more and more about privacy, especially as we intentionally reason over personal data to personalise product offerings and services and commoditize data. Concerns understandably increase as we begin to do so at a scale only made possible by new technologies like hyperscale cloud computing and AI. This is true irrespective of the size of the organisation, because big data and AI are no longer only the domains of large enterprises or governments because everyone can now access these technologies. The growing FinTech startup community in the region is a perfect example.
The Supply Chain Trend
What we have also seen over the past few years is how multinationals, led initially by the US tech giants, have now implemented a global highwater mark of GDPR in countries where the requirements may not even exist yet, extending “the rights that are at the heart of GDPR to all consumer customers worldwide”. They position privacy and a trust narrative as a competitive advantage, or internally as a tool to accelerate the adoption of new technologies by hesitant customers. These companies also place significant focus on ensuring employees appreciate the role that privacy will play in the company’s future success. This all talks to company culture.
One consequence of this trend is that larger local enterprises are now following suit, raising their own privacy ambitions, making promises to customers and partners, and starting to operationalise their own privacy programmes. And importantly, a key element of this privacy revolution involves a focus on enhanced supply chain management as modern data protection regimes hold “data controllers” accountable for the actions (or lack thereof) of their “data processers” when it comes to the processing of personal data.
Accountability is very much the new buzzword in global data protection circles as it shifts the burden of proof from regulators having to prove a lack of compliance by organisations, to those organisations having to demonstrate to regulators that they are compliant. Documentary proof has therefore become central to any data protection compliance, and data processing agreements (DPAs) imposing obligations on supply chain partners are less likely to be tick box exercises in future.
This supply chain compliance theme is not a new trend. We saw something similar with cybersecurity. As larger companies improved their own security and compliance postures, bad actors were quick to realise that exploiting supply chain vulnerabilities often became the weakest link and most effective entry point. Ask the US retailer Target how stolen credentials from a refrigeration contractor were purportedly used to gain access into Target and ultimately to customer credit card details.
The similarities between the cybersecurity and privacy domains are clear, as is the impact. Small and medium businesses are now being tasked by their larger customers with the implementation of functional privacy programmes to maintain their continued vendor status. Make no bones about it, an adequate privacy programme will become part of the partner vetting process for many of the region’s marque brand names. It will also likely be part of the due diligence exercise carried out by prospective investors or during mergers and acquisitions.
And GDPR is just the start. The global trend towards monitoring compliance with data protection and privacy regulations is gaining momentum. This is what is causing much of the noise regarding privacy compliance in the Middle East. The 2018-era scaremongering about GDPR fines is still relevant today, as are some of the penal and personal liability risks included in certain data protection regimes in the Middle East, but I would suggest that the threat of losing your well-established business critical contracts, or of having your data flows across national borders stopped by regulators, could literally become an existential threat to any business in a data driven economy.
The rise of compliance – as a risk
As I mentioned above, it was not that long ago that corporate governance and cybersecurity were not boardroom discussions. Now they are. Privacy is going mainstream, and with it we are also seeing the rise of privacy compliance risk. I need to be clear what I mean when I say this. We have historically had regulations implemented in response to a risk. A good example are the cybersecurity regulations that have been imposed across the region, like the UAE’s Information Assurance Standards (IAS), the Dubai Government’s Information Security Regulation (ISR), or the Saudi National Cybersecurity Authority’s Essential Cybersecurity Controls (ECC). These typically require the implementation of policies, processes and controls to address and mitigate cybersecurity threats.
What I am suggesting is that it is not only the cyberattack itself that is now viewed as the risk, but also an organisation’s ability to demonstrate compliance with a particular regulation, like the IAS or ECC, to the relevant supervisory authority. You have the risk of the incident, and the risk of being caught having not adequately prepared or managed an incident. This is the compliance risk. We will see something very similar with data protection, not least because of the global focus on the principles of accountability and transparency, and the increasing pressure being put on regulators to act and enforce those regulations. This is top of mind in the EU right now.
In addition, many Middle East jurisdictions talk about achieving EU “adequacy” status in relation to privacy because it facilitates wider commercial ambitions and the ease of doing business, but I suspect that this will not be achieved if local regulators are not seen to be enforcing their regulations to ensure that adequate protections are being afforded to EU data subjects.
Much of the momentum around data protection in the Middle East will be driven by the desire to pursue regional and global commercial opportunities. These include continued access to existing markets or to new growth markets, facilitating the opportunity to win new strategic customer deals, or because global data protection obligations are being extended across borders to the supply chain ecosystem in the region. There is no longer only a risk of a data breach involving stolen personal data, but a genuine risk of being held accountable, or of being excluded from commercial opportunities. The rise of data protection compliance as a risk is upon us.