The document discusses privacy laws and trends in the Middle East and North Africa region. It summarizes key privacy laws in Egypt, Israel, Saudi Arabia, Turkey, and the United Arab Emirates and compares them to the EU GDPR. While there are some similarities, such as requirements for data protection officers, there are also differences like stricter data localization and limits on legitimate interest processing. The document advises businesses to consider a global privacy program or localized compliance approaches to address the complex legal landscape across different countries and regions. It promotes adopting a continual improvement model based on ISO 27701 to help manage privacy compliance.
Agenda
• The key components of the Egypt, Israel, Saudi Arabia, Turkey and United Arab Emirates privacy laws
• The similarities and differences with other global regulations such as the EU GDPR
• The implications for your business
Most of the World has Privacy and Data Protection Laws
Source: TrustArc/Nymity Research and Alerts
5 MENA Laws to Focus on Today
• Turkey: Law on Protection of Personal Data (LPPD)
• Israel: Protection of Privacy Law (PPL)
• Egypt: Personal Data Protection Law (PDPL)
• United Arab Emirates: Protection of Personal Data (PPD)
• Saudi Arabia: Personal Data Protection Law (PDPL)
Turkey LPPD v. EU GDPR - Key Differences
1. Database Registration: Foreign data controllers must register in the Data Controller's Registry System ('VERBIS') prior to processing personal data.
2. Data Controller Representative: Foreign data controllers must appoint a data controller representative in Turkey.
3. Consent: Explicit consent is required for both non-sensitive and sensitive categories, yet the standard stops at freely given and informed.
4. Data Protection Officer: A DPO is not required.
Law on Protection of Personal Data No. 6698 ("LPPD")
Enforcement Date: 2016
Authority: Personal Data Protection Authority ("KVKK")
Israel PPL v. EU GDPR - Key Differences
1. Database Registration: The IPA requires select databases to be registered with the Database Registrar prior to data processing activities.
2. Data Transfers: Data transfers from Israel to a sub-processor may violate the PPL in some circumstances.
3. Data Security Officer: A DSO is required if you possess 5+ databases with personal data that engage in systemic scoring or evaluating personal credit.
4. Cybersecurity: Greater emphasis on security in general.
Protection of Privacy Law 5741-1981 ("PPL")*
Enforcement Date: 1981
Authority: Israel Privacy Authority ("IPA")
*New Bill No. 11 (January 2022) contains PPL amendments to modernize the law and further align it with the EU GDPR.
Egypt PDPL v. EU GDPR - Key Differences
1. Processing License: No company can lawfully collect any personal data without a license and the approval of the DPC.
2. Data Transfers: Data transfers outside Egypt are prohibited unless there is adequacy of data protection or an approved license issued by the DPC.
3. Data Protection Officer: Controllers and processors must appoint a DPO (an employee) and register with the DPC.
4. Individual Rights: Narrower individual rights; a fee may be charged for access; no portability; 6 days to address DSARs.
Personal Data Protection Law No. 151 of 2020 ("PDPL")
Enforcement Date: 2020
Authority: Data Protection Center ("DPC")
Saudi Arabia PDPL v. EU GDPR - Key Differences
1. Processing Registration: Requires all controllers to register in the electronic national register and maintain a record of their processing activities on the national register; a fee is likely.
2. Data Localization: Data of citizens and residents must be kept local except in life-or-death situations.
3. Data Protection Officer: Controllers must appoint a DPO (an employee) and register with SDAIA.
4. Individual Rights: Expanded sensitive personal data includes criminal history, credit data and location data.
Personal Data Protection Law ("PDPL")
Enforcement Date: March 2023
Authority: Saudi Arabian Data and Artificial Intelligence Authority (SDAIA)
United Arab Emirates PPD v. EU GDPR - Key Differences
1. Processing Registration: Controllers are required to include the data of the persons authorized to access the personal data.
2. Breach Response: Stricter breach notifications; the data subject must be notified immediately upon awareness.
3. Processing Legal Basis: Does NOT allow for processing based on the legitimate interests of a controller or a third party.
4. Individual Rights: No privacy notice requirements.
Federal Law No. 45 of 2021 - Protection of Personal Data ("PPD")
Enforcement Date: January 2022
Authority: UAE Data Protection Authority ("DPA")
Summary of Common Trends in MENA Regulations
• Legitimate Interest Limitations
• Data Protection Officers Required
• Direct Marketing Depends on Explicit Consent
• Stricter Cybersecurity & Breach Expectations
• Data Processing Registrations Commonplace
• Data Inventories May Not Be Required But ROPAs Are Expected
One Global Program or Individual Local Compliance? Pros and Cons
Global Privacy Management Program: A single approach, often utilizing a global "gold standard" for data protection based on the EU GDPR and a continual improvement framework.
Localized Data Protection Laws: Localized and specific programmes complying with individual country and state laws, often applying minimum standards, leading to flexibility but a lack of connectivity.
Plan Do Check Act - Privacy Management Model (ISO 27701)
PLAN: Plan our delivery, including Risk Management and Impact Assessments
DO: Deliver products and services
CHECK: Measure, Monitor, Audit, Feedback, Review
ACT: Corrective and Preventive Improvement Actions
Continual Improvement Cycle
1. Requirements and Expectations: of stakeholders, legal, regulatory and other concerns
2. Managed Delivery: of products and services to your stakeholders
Thank You!
See http://www.trustarc.com/insightseries for the 2022
Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with
compliance, please reach out to sales@trustarc.com for a free demo.