The Evolution of Data Privacy and Cyber Security in The Middle East

By Noriswadi Ismail, Luke Tenery

January 13, 2020

Over the last few weeks, Ankura leaders Noris Ismail, Managing Director, Data Privacy and Luke Tenery, Senior Managing Director, Cyber Security, met businesses and other stakeholders in the Middle East region. Here they share their observations on the key challenges and opportunities facing companies and regulators.

To get the full picture on the rapidly developing data privacy and cyber security landscape, Noris and Luke also worked closely with leading MENA law firm, Al Tamimi & Company, whose Senior Counsel, TMT, Andrew Fawcett, provides his thoughts on the key trends to look out for below.

WHY NOW? HOW THE REGION’S FOCUS ON DATA PRIVACY AND CYBER SECURITY IS INTENSIFYING.

Before talking about the specifics of changing local regulations, it’s worth taking a step back and looking at the bigger picture. Here, one overarching driver is the General Data Protection Regulation (GDPR). That’s partly because its reach extends, of course, well beyond its European Union (EU) origins to impact any organisation handling EU subject data anywhere in the world. Yet the GDPR’s impact also extends beyond purely technical compliance issues as it has become a gold standard for regulators looking to update their rules, wherever they are in the world.

The UAE is no exception. The data protection reforms developed by the Dubai International Financial Centre (DIFC), which are expected to be issued later this year, strongly reflect many of the GDPR requirements.

There are also developments relating to a potential overarching data protection law covering the wider UAE landscape (outside of the DIFC). Regulatory change is also on the agenda in the wider Gulf region, involving countries within the Gulf Cooperation Council (GCC). For example, in Bahrain, a new data protection law that broadly emulates the GDPR approach came into force on 1 August 2019.

Evidently, businesses operating in the Middle East are alive to these upcoming changes and are therefore pushing data privacy and cyber security higher up the agenda.

Another reason for this is that many of the world’s largest sovereign debt funds are based in the region. These typically hold portfolios that contain many major international investments. By virtue of those global investments, they may be more aware than ever of regulatory and business critical risks around data transfer and cyber attack.

More broadly speaking, rising public awareness of cyber security breaches is putting pressure on governments, regulators and companies around the world to take action to protect personal data.

The above means that organisations operating in the Middle East region have multiple drivers to properly assess the current effectiveness, efficiency and reliability of their data privacy and cyber security framework and to reshape it for current and future regulatory and customer requirements.

WHAT WILL ENFORCEMENT LOOK LIKE?

The move towards GDPR-type regulatory reform is a positive one. If the already relatively well-established EU enforcement regime forms a basis for, and guides the approach to, enforcement in the Middle East region, it will offer continuity and certainty – particularly for organisations already operating under the GDPR. However, the reality is that, with different regulators across the region applying differing variations on the GDPR theme, it is unlikely to provide a single solid benchmark.

Instead, the best and most practical route may be for regulators at sector, national and, ideally, regional level, to agree an integrated framework. Within that framework, it would be valuable to have a clear and consistent enforcement approach so that businesses can link it with their governance and compliance programme to manage risks effectively. That may require cultural as well as legal change if the region is to move from a ‘case by case’ basis to a more universally integrated framework. With states such as the Emirate of Dubai strongly focused on creating a best-in-class international business environment, change is not likely to be far away.

WILL THE NEW RULES SUPPORT BUSINESS INVESTMENT? IS THERE A GROWTH STORY AROUND REFORMS TO DATA PRIVACY AND CYBER SECURITY REGULATION?

The answer is a slightly guarded ‘yes’. Setting a level playing field that is broadly aligned with international rules should be an attractive proposition for businesses and their investors.

While the DIFC’s reforms, and others in the region, are a positive indicator for growth, new laws alone are unlikely to be the trigger. Organisations will need to be proactive in working with the authorities to create a two-way relationship between regulator and market. Regulatory guidance through a clear code of practice and continuous engagement with business will help ease concerns and support change.

Talking of growth, it’s important to note the main sectors within the region and how they are regulated. The DIFC plays a key role in creating the right environment for the rise of financial services in the Emirates. Construction and Energy are also key sectors within the region and, as in most parts of the world, have their own rules and standard-setting bodies. The universal and all-pervasive nature of data, plus the trend towards sector convergence, drives the need for more ‘one size fits all’, cross sector regulation. New data privacy rules being developed and enforced across the region are positive in terms of addressing this potential barrier to growth.

Another angle to consider is that international businesses are increasingly sensitive to areas such as reputational risk, societal perception and the need to provide customers with reassurance in relation to handling their private data. Therefore, positive developments in the clarity and scope of the region’s data and cyber security framework will help multinational organisations meet their transparency and accountability objectives. This will support greater investment in the region, but concerns over consistency and enforcement will need to be overcome.

IS THE REGION AND ITS DATA LAWS READY TO ACCOMMODATE NEW AND EMERGING TECHNOLOGIES LIKE AI?

A key challenge within the data and cyber security world is the speed of technology change. Even the most advanced regulatory regimes are having to constantly keep up and interact with innovators to make sure their rules are both up to date and up to the task.

Fortunately, Middle East governments are not only conscious of the need to adapt regulation to meet the challenges of new technologies, but also to do so without stifling innovation. Awareness of this balance can be seen in the development of so-called regulatory sandboxes, which have been set up by the DIFC, Abu Dhabi Global Market (ADGM), Bahrain Central Bank, and the Saudi Arabian Monetary Authority (SAMA), allowing the use of innovative Fintech products and services, while helping regulators to develop appropriate rules in response.

Dubai, with its status as a global financial services hub and its focus on connectivity, arguably has the most to gain here. Its international nature means that as European, US and Asia standards change in response to the fourth industrial revolution, local regulators will need to consider alignment to ensure compliant cross-border exchange of data required by emerging technologies, such as Artificial Intelligence (AI).

As an aside, it would be a mistake to think that this issue only applies to tech and financial services. In construction, for example, blockchain technology is being deployed to better manage supplier contracts. It’s also worth pointing out the value of new technologies to our own profession: AI, machine learning, and analytics are reducing the time taken for due diligence and compliance processes.

Whatever the use case, the answer is likely to be healthy interaction and consultation between the regulators and the marketplace to optimise effective regulation and coordinated enforcement. At the same time, regulators will need to learn from other jurisdictions around the world that have already faced these challenges.

For the companies themselves, a risk-based and regularly updated approach will be essential if they are to fully embrace digital transformation while maintaining compliance.

WHAT DOES THE FUTURE HOLD? WHAT ARE YOUR TOP THREE TRENDS FOR THE NEXT THREE YEARS?

ANKURA:

The first is that, given the context described above, the market will respond by investing heavily in data privacy and cyber security compliance and implementation programmes.

Secondly, we will see more global coordination between data privacy regulators both across the UAE and the wider Gulf region. Once regulatory reforms have been approved and implemented, co-operation will increasingly be driven by the need to share intelligence and coordinate areas such as enforcement. A side effect may be a move away from the more siloed, sector-based approach to data and cyber security that has been a feature of the region.

Finally, we predict that the region’s data privacy rules will begin to look more familiar to those from other continents. That is because it will increasingly align with key global regulation such as the GDPR and the California Consumer Protection Act (CCPA). The region’s distinctive cultural landscape and specific needs mean that this process will likely be both gradual and selective. Also, given the correlation between effective privacy compliance and strong cyber security, we expect the developments in data privacy described above to go hand-in-hand with greater cyber security maturity. Furthermore, since many organisations in the region have already adopted and implemented strong cyber controls, they will be in a powerful position to efficiently, rapidly and proactively advance their cyber security maturity.

AL TAMIMI & CO:

From the perspective of the largest law firm in the region, the top three developing trends are:

Wide-ranging ‘GDPR-style’ data protection legislation will be introduced by a number of Middle East countries to bring them more into line with international best practices (although there will be variances, such as criminal sanctions).

There will be a rise in data localisation laws in the region that require businesses to store and process certain critical data primarily within the country where the businesses are located, rather than servers overseas. However, care will be needed to ensure that such data localisation does not cause the local markets to be left behind in the digital economy.

Governments will launch initiatives aiming to mobilise the cybersecurity environment within their countries. In June, the UAE’s telecommunication regulator announced a National Cyber Security Strategy, which aims to consolidate cybersecurity laws and regulations in the UAE.


If you would like to discuss any of the subjects covered in this article or find out more about how Ankura can help you manage data privacy and cyber security within your organisation, please contact Noris Ismail or Luke Tenery.