A guide published by Marsh, a business of Marsh McLennan (NYSE: MMC) and the world’s leading broker and advisor, with global law firm Clyde & Co, urges organisations in the Middle East to make meaningful change to protect their businesses from long-term consequences amid the rise in data breaches and cyberattacks.
With an increased push across the region to strengthen cyber protection and to align with international best practices, some regional jurisdictions are issuing new, standalone data protection laws for the first time, while others are updating existing laws to align with international standards.
Recent regional developments include the UAE, KSA, Oman, Jordan and Egypt issuing standalone personal data protection laws, which are at varying stages of implementation and practical application. Similarly, Qatar and Bahrain have updated their existing laws to align with international best practice. Kuwait has also issued a new data protection.
“It is imperative that organisations keep abreast of rapidly evolving legislation that impacts how they collect, process, transfer, store, and use data,” says Simon Bell, Managing Director, Cyber Practice Leader, IMEA, Marsh.
“With the increasing globalisation of many organisations and the fact the impact of cyber incidents can often span several jurisdictions, notification obligations may be triggered in several countries at the same time. Our new guide provides a comprehensive overview of recent developments in the Middle East and the main incident-related notification obligations for data controllers and processors.”
Bell highlights that the ‘Middle East Data Protection Guide’ includes a three-step action plan for companies getting to grips with the new legislation. Under the plan, companies need to establish a data protection framework, implement relevant controls, and educate their teams on a regular basis.
“We are at a real turning point for data protection legislation in the region”, said Olivia Darlington, Partner & Middle East Cyber Insurance Lead, Clyde & Co. “Historically, the data protection laws across the GCC countries and the wider Middle East have been spread across a patchwork of legislation and there has been limited enforcement of those laws”.
“The new and revised standalone data protection laws across the region provide prescriptive requirements for compliance and a clear framework for enforcement, which means that local organisations will have to move data protection compliance to the top of their list of priorities. Likewise, due to the extra-territorial effect of the laws, international businesses which operate in the region will need to be on top of the changes to avoid being penalised by the local regulators.”