🔒 Data Privacy Developments in the Middle East
Cloudflare is recognizing Data Privacy Day 2022 with a special series of fireside chats. This session features Ben Crew, in conversation with Tilly Lang, Cloudflare Senior Counsel, Privacy.
Ben Crew is Senior Director at FTI Consulting, a global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional.
Ben is an accomplished privacy & information governance professional with experience across multiple industries and clients, project types and business disciplines. He has worked in a range of consultancy and program delivery roles, with both internal and external clients across Europe, the Middle East and Africa.
Happy Privacy Day and I'm very excited to have Ben Crew here with me. My name is Tilly Lang and I am the Senior Privacy Counsel here at Cloudflare.
And Ben, I'd like to pass over to you for a quick introduction to yourself.
Well, first of all, as you said, Happy Privacy Day, everyone.
And Tilly, thank you for inviting me to join you on this.
It's going to be interesting talking about what's going on in the Middle East.
I head up the Information Governance and Privacy Practice for FTI Consulting for the Middle East.
I've been out here the best part of 15 years now, so I've seen quite a lot of change in that time.
And none more so than over the last year.
And it's getting very, very busy for everyone here. I bet. And because it's International Privacy Day, I mean, I'd like to start off with a question in terms of how did you start your career in privacy?
So in a previous life, I had been doing regulatory projects for various institutions.
And in 2016, I got a call from a company here saying, we don't suppose you know anything about this thing called the General Data Protection Regulation, do you?
Because, you know, we've got this project and we need to put it in.
I was like, no, but I know about regulatory projects.
I know about delivering projects. So I'll give it a shot.
And I've not looked back since. Privacy is very unique and it's very distinct from any other regulatory type of project.
It's much more dynamic. Personally, it's a lot more fun.
That's probably because I'm a bit of a privacy geek.
But anyway, yes. Yeah, I have to admit my sort of journey into privacy is a little bit similar in terms of I was doing a lot of corporate governance work.
And then sort of the privacy aspect kept on creeping more and more and more into it, especially sort of back in 2016 when the when the GDPR, the draft GDPR kind of came out and then obviously gearing up to when it was in force in 2018.
So very similar. And I think just following on to that, I mean, what's what do you what do you enjoy about working in privacy and what do you think the challenges are?
So what I love about it and what the challenges are, I think are very similar.
I love the fact that it is completely different for any for every company globally.
It's it's different for each jurisdiction that you're in.
You've got different nuances. Every company faces the same challenges, but no company faces exactly the same challenge.
And even within the same company, you have something happening differently from one jurisdiction to another.
You've and there are so many different aspects to it from breach preparation through to your everyday DISA requests to how do you actually make sure that what you are doing the right thing with vendors?
There's the legal element, there's the ethical element, there's the operational element, there's the HR element.
It's just all encompassing. And you learn even my role.
I've been doing this a while. Every day you are learning something new.
No, I completely second that. And I think one of the things I really enjoy about working in privacy as well is being able to kind of work with different stakeholders in the business as well and sort of having those discussions about privacy, because, as you say, privacy is all encompassing.
And it's important that all sort of all functions of the business sort of know about privacy and there's awareness of it.
So I think that's part of our key role as well. Perfect.
I think I think it honestly is driving positive change in people's attitude in corporate attitudes on how they how they treat data and people's expectations.
Now, it's so much higher than it was five years ago, 10 years ago. And people have have rights now that they never knew existed all those years ago.
It's just great that they do have those rights now.
Yeah, no, absolutely. And sort of on the back of that, I was just wondering if you'd be able to give us a bit of a background in terms of the growth of data protection in the Middle East and kind of where we are, where we are today.
OK, so I'm going to start by saying that there was a popular misconception that until recently there were no data privacy laws or data protection laws in the Middle East.
In fact, it's enshrined in the constitution, the UAE constitution, that every person has a right to privacy.
So that's a 50 year old document.
Now, just over time, it's grown and as the UAE has become more corporate, it's failed to or did fail to evolve the corporate structures to protect people in the same way that the constitution initially prescribed.
So a few years ago, we had the first consumer protection bill come in, which was a good first step.
Then we had the ADGM law coming in 2015, which has actually only very recently got updated.
And for those of you that know GDPR well, you can read that and spot a lot of similarities to that.
DIFC had its first data privacy law around the same time, and then in 2020, they updated theirs.
And again, that's very, very much based on the GDPR.
Lots of lots of similarities, a few key nuanced differences.
It does recognize AI as and has evolved to how to deal with AI and machine learning.
How do you deal with data privacy in that aspect? And then just at the end of last year, we had the personal data protection law passed.
And that is, we'll talk about it a bit more later on in detail.
But again, for those that know GDPR, it's definitely got its basis in that.
And there are a few fundamental changes.
And around the region, you're seeing other similar laws being passed.
Saudi Arabia has just passed theirs, the Sadia data privacy law. Qatar is updating theirs, their law as well.
Bahrain already has. So we're starting to see it becoming more prevalent across the region.
Good, and I'm sure it's exciting times as well, sort of for you and the organization.
But sort of what strategic advice would you give to organizations in particularly preparing sort of for the UAE law, but also generally in the region as well to make sure that their privacy programs or business functions are in line with the laws?
So there's probably three key elements for me.
And the first is an overarching and it's do not underestimate how much work this is going to be for your company.
These are for the GDPR companies had two years to become compliant with the law.
And there was already the data privacy directive in place in the EU at the time.
Companies here have six months now, eight months to become compliant with this.
It really isn't a lot of time. So number one is do not underestimate how much effort this is going to be.
Number two, understand your processes.
Companies need to understand exactly what processes are touching personal data, what they're doing with it, what protections are happening with it.
Without understanding what your processes are, you stand no chance of actually controlling data within your environment.
Which actually brings me to the third point, which is understand your data and get some information governance in place.
The number of companies that actually don't know what data they're holding, they don't know where it's being held, they don't know who it's being shared with, they don't know how long you've had the data.
And you definitely don't know what permissions you've obtained from people beforehand.
So like with GDPR, when that came in and you saw a flurry of companies contacting you saying, you've previously provided us with your consent, please confirm your continued consent.
Companies need to be thinking about doing that sort of thing, identifying who the individuals are, identifying where you're sending the data.
These are big, big pieces of work.
And they are going to take time and companies are going to need help doing it.
Seriously, any companies listening out there, I would do two things.
One, engage an external counsel, somebody who knows about data privacy to actually help you redrafting your vendor agreements, redrafting your employee contracts.
The other thing I'd do is actually get a specialist firm like us who actually do this every day and know how to help you become compliant.
And I think as well, sort of, it's important to note that sort of with building up a privacy program, there are a lot of different sort of aspects.
And as we've noted and talked about before, these laws aren't sort of a copy and paste of the GDPR and there are sort of nuances in the law.
So it'd be interesting just to hear a bit about sort of the similarities between, if there are any, or the nuances between the Middle Eastern laws and GDPR.
Certainly. So let's start with the UAE and the UAE personal data protection law.
If you look at the processing principles, they are identical to those of GDPR with one slight difference, which is that there is no right for companies to process data according to legitimate business interest.
Now, companies globally use legitimate business interest as a get around for actually obtaining consent, and it is by far the easiest way for an awful lot of companies to process data.
A lot of companies forget that under GDPR, legitimate business interest, the next part of that sentence is that it has no direct impact on the rights of the individual.
Lots of companies forget that second element, which I think is why it has been omitted from the UAE law.
That is going to mean that a lot of companies are having to rely on consent significantly more than they have done in other jurisdictions.
If we look at Saudi Arabia, the single most worrying thing for a lot of companies is the data localization element.
We're still waiting on the executive regulations to come out of Saudi Arabia around the implementation regulations.
But the way the law is worded at the moment, and the way everyone understands it, is that data can't actually be transferred out of country without permission that has to be pre -applied for to do that.
Companies have very legitimate questions. Okay, how do I book a flight?
How do I transfer funds to Joe Bloggs in London? Without free flow of data, they're entirely right.
Those things can't happen. So there are still questions that need to be answered.
But both the Saudi and the UAE governments are pragmatic.
We will see changes in the executive regulations, which both are due to bring out in March, and hopefully we will get a better understanding of them then.
Until then, there are an awful lot of things that companies can be getting on with to get ready for when these laws are live.
Actually, the UAE law is already live from the 2nd of January.
Perfect. Well, thanks for that. And I was also just wondering, generally speaking, what the UAE law means for UAE companies that are based locally, but also international organizations.
Are there differences in terms of how companies should prepare or be prepared for the UAE law?
So companies that are based in DIFC and ADGM, they should already be very well prepared for this.
Because what is, I mean, DIFC and ADGM were part of the group that was drafting this new law, or at least got to review it before it went live.
So there isn't anything in there that should come as a shock to DIFC or ADGM entities.
Actually, DIFC and ADGM entities have a carve out in the law, but if they have onshore subsidiaries, they could be affected.
Where this is going to have a massive impact is for all those companies who are based either in UAE mainland and are transferring data overseas.
They are going to have to do a lot of data remediation.
There is a requirement in the new law to only keep data for as long as it is needed, useful and accurate.
Very similar to GDPR in that element. But again, a lot of companies don't necessarily know how long that they have stored data for.
I know of companies who have got 20, 25 years worth of data. And my first question to them is always, why?
How useful is 25 year old data to you? There are certain sectors where it is mandated by other laws here that you have to keep data.
The education sector, the health care sector, they mandate that you maintain data for a certain amount of time.
But in an awful lot of situations, companies need to just understand that you don't need to maintain all the data you have ever captured.
In fact, you have got a huge risk by doing that. Companies are getting that, but there needs to be a change in the culture of the organization as well.
And that's going to be the single biggest challenge for most companies, not changing the processes, not changing the procedures.
That's all hard fact stuff. The hardest thing to do is change people's mindsets.
And that can start with training.
That starts with softly, softly with a permanent message, but a message from the very top of the organization of look, privacy is important.
It is serious. It is part of our DNA as a company.
But it's also in order for us to continue to serve our clients, we need to be dealing with this, that data and identification that it isn't the company's data.
It's clients data. Yeah, no corporate culture is very important for that, especially around privacy as well.
Oh, I suppose just just touching on that.
I was wondering if you'd be able to sort of run us through maybe three like top tips in terms of what organizations should do to sort of sort of foster privacy, privacy embedded in the culture and sort of recommendations that you would make.
Number one recommendation, training. I mentioned it before. Have online training and awareness sessions for all your staff all the time.
Make it in people's faces, making it also that it is easily understandable that for every level of the organization and make everybody aware that privacy isn't just the responsibility of your data protection officer or your compliance officer or IT.
It is the responsibility of everybody in the organization.
Number one would be training.
Number two would be, I would and I tell every company I speak to about this, create a diversified privacy team across your company, create privacy champions, people who understand what it is and why it's important, but are also embedded within the business.
These are the people that are running your procurement process, they're your administrator in your HR department, they're a paralegal, they're your head of finance, all levels, all different types of roles.
But you need to have people across the board that buy into it and know what the what the challenges are and be involved in the groups.
I would also invest significantly in software and hardware to make this easier.
There are there are lots of different solutions out there, but if you don't invest in a privacy information management system of some variety, then it can become very overwhelming very quickly.
And actually, a privacy information management system is only one part of it.
You need your security systems, you need your access management systems to be up to date, you need your vendor analysis tools to be up to date.
And the number of companies that we still see that are doing their vendor due diligence by word of mouth, you don't know, hold on, we're in the 21st century, that there are better ways to do this.
But there are also more in depth ways of doing it.
So embed technology throughout the company. I think that's three. Thank you very much.
So we touched upon in earlier discussions, data localization sort of aspects, and I was wondering if you'd be able to touch upon the data localization aspects in the new UAE law, but also the proposed sort of new laws coming out in the region of the Middle East.
And what that means for organizations. So for, I'll talk about Saudi in a minute, but for the UAE, actually, the new law doesn't have any data localization requirement.
However, this new law isn't all encompassing and replacing all previous laws across all sectors.
This law is designed to work in conjunction with existing sectoral laws, which do have data localization elements on them.
The telecom sector, the finance sector, and the health sector all have different levels of obligations in terms of data that either can only remain in country, like the healthcare data, or data that can cross border, but you have to maintain a copy of it in this country.
Saudi Arabia, with their new law, again, it's not unusual in Saudi to have data localization.
They already have it as well for the financial services sector, the telecom sector, and the healthcare sector as well.
But the Saudi law is now all encompassing and covers all private data.
Again, the actually getting to the executive regulations is going to be key around this and what they say in Saudi, but for the UAE, it shouldn't be something that most companies are unaware of.
All of the big cloud service providers are present in the UAE, so you can go with a local instance if you are worried about going overseas.
Saudi Arabia, you don't have that same luxury.
All of the cloud service providers aren't based there, although I know that one company is basing a big data farm there.
It will get better. There will be more getting set up in the future.
Just for a little while, it's going to be painful.
Yeah, and I know as well, in the UAE, you have free zones, and I was just wondering if you'd be able to sort of talk through if there sort of are any differences with the free zones and kind of what that means for organizations that operate within these free zones.
Yes, so the Dubai International Finance Center or DIFC, probably the most well known of the free zone, and it's got a counterpart in Abu Dhabi, the Abu Dhabi Global Markets.
Both of these two have their own data privacy laws, and the new data privacy law doesn't apply in those.
However, at the moment, if you are transferring law to the mainland, where the new PDPL is in place, that is an international data transfer.
And at the moment, it is not counted as an adequate jurisdiction.
DIFC and ADGM recognize each other as adequate jurisdictions, and I'm sure in time will recognize mainland UAE as an adequate jurisdiction.
But as things stand at the moment, companies do need to make sure that you have the standard contractual clauses in place, that you are doing your risk assessments, you are doing your DPIAs, whenever you are transferring data from one of those two free zones to the mainland.
There's a third free zone that also has its own data privacy law, and that's Dubai Healthcare City.
That one is covered under this, the new personal data protection law.
However, their existing data privacy laws work in conjunction with the PDPL as well.
All the other free zones across the UAE, and I believe there are around 50 at the moment, are actually included under the scope of PDPL.
Okay, thank you for that. And then I think I've got a question in terms of, sort of looking into the future a little bit, but where do you see sort of data protection in the Middle East moving in the next sort of five to 10 years?
Okay, now I wish I had a crystal ball. No, not an easy question, I know.
So, this is very much a personal opinion, and please nobody hold me to it, because I can foresee the future no better than anybody else, unfortunately.
What do I see happening? I see increasing alignment between the free zones across the region.
You see at the moment Qatar Financial Center is updating their data privacy laws, and it's starting to look a lot more similar to those in AGM and DIFC, and I know that Saudi, with their King Abdullah Economic City, are also looking at their own privacy regulation.
So certainly within the financial services sector, I can see them clubbing together and having a mutual adequacy decision between them.
They do work very closely together anyway. For ADGM and DIFC, DIFC is already talking to the UK about getting adequacy decision there.
I can see ADGM following suit, and probably if the QFC, if my prediction about QFC is also correct, then I can see QFC also joining in that and going not just for UK adequacy decision, but also for the whole of the EU as well.
We're going to see increased interrelation, increased cooperation across borders.
We already have laws in Bahrain, Qatar, UAE, Saudi.
In terms of the GCC, that doesn't leave very many members left, so I can see a lot of the rest of the GCC following suit and see the likes of Oman, Kuwait and Jordan setting up their own privacy regimes soon enough.
And potentially in the future, I think we're talking probably 10 years or so from now, actually having some sort of GCC-wide privacy zone.
But the thing that we are definitely seeing more than anything across the board is changing cultural attitudes.
We're seeing changes in behaviour here already, and we're going to see them just get bedded in.
And it's going to become that they're following best practice, but it's going to become a competitive advantage for companies to have good privacy in place and actually advertise it and differentiate themselves.
A bit like Apple's doing now, saying no, and duck, duck, go, etc.
They're out there waving the privacy flag, and they are actually getting greater market value because of exactly that.
And that is going to become the norm here, that companies differentiate themselves by their privacy excellence.
Well, perfect. Thank you so much. And unfortunately, we are out of time.
But thank you so much for talking us through the changes in the Middle East regarding data protection law.
It was absolutely fascinating. And as always, Ben, it was lovely to speak to you.
And happy Privacy Day, everybody. Thank you very much, Philippe.
One that takes current traffic conditions into account and makes the highest performing, lowest latency routing decision at any given time.
Cloudflare Argo does just that.
I don't think many people understand what Argo is and how incredible the performance gains can be.
It's very easy to think that a request just gets routed a certain way on the Internet no matter what.
But that's not the case.
There's network congestion all over the place, which slows down requests as they traverse the world.
And Cloudflare's Argo is unique in that it is actually polling what is the fastest way to get all across the world.
So when a request comes into Zendesk now, it hits Cloudflare's POP, and then it knows the fastest way to get to our data centers.
There's a lot of advanced machine learning and feedback happening in the background to make sure it's always performing at its best.
But what that means for you, the user, is that enabling it and configuring it is as simple as clicking a button.
Zendesk is all about building the best customer experiences, and Cloudflare helps us do that.
Microsoft Mechanics www .microsoft.com www.microsoft.com