Data Protection Compliance Guide for Bahrain and the Dubai International Financial Center

Both the DIFC and the Kingdom of Bahrain now have Data Protection Laws in place, which closely mirror the General Data Protection Regulation (GDPR) implemented in the European Union. Although it is still early days for the implementation and enforcement of these laws, companies and individuals should take care to ensure they are in the clear, to avoid heavy liabilities at a later date. The risk does not come only from regulators: employees who feel dissatisfied with how their own information is handled, or who are aware of non-compliant practices, can report those practices to the authorities.

Do you collect your customers' contact information, identifying information and other personal information in the course of selling your products and services? Do you verify buyers' personal details, or request those details from them, when you provide products or services? Do you collect personal information from your employees? If the answer to questions like these is "yes," then the law is broad enough to apply to you.

Therefore, we have developed a brief "primer" on the basic ingredients of a Data Protection Compliance Program. This is by no means a replacement for a professionally developed and administered compliance program, or for professional advice (get in touch with us at info@borderlesscounsel.com to arrange a consultation). However, it may help you to start thinking about how you could effectively comply with the Data Protection Regulations in effect in your jurisdiction.


Key Requirements: Personal Data, Sensitive Data, and Transfers

The law requires anyone who processes personal data (any information relating to an identified or identifiable individual) to do so with the knowledge and consent of the data owner (the term the Bahrain law uses for what the DIFC law calls the data subject). Such data processing (any use of the data) must also be carried out securely, and the data must be adequately protected. There are certain exceptions; for example, consent is not required where the processing is necessary to fulfil a contractual obligation with the data owner.

When it comes to "sensitive personal data," being data revealing, for example, an individual's religious beliefs, racial or ethnic origin, political opinions, health, criminal history or trade union membership, there are more stringent requirements for processing (fewer exceptions) and specific penalties for failing to follow the requirements of the law. For one, automated processing of such data is prohibited unless the individual's consent is obtained and permission is received from the Data Protection Authority.

Finally, transferring data outside the jurisdiction without the knowledge and consent of the data owner is prohibited, unless the transfer is made to a country on the list of authorized countries published and maintained by the data protection authority.


Compliance Requirements

Step 1: Diagnosis

Organizations should first diagnose where they may have data protection deficiencies: what personal data they hold, where it came from, who has access to it, where it is stored and transferred, and on what basis it is processed. From that picture, identify the specific steps and processes that need to be put in place to comply with the new law.

Step 2: Documentation and Disclaimers

The "stop-gap" solution for organizations is the creation of effective disclaimers, contracts and supporting documentation needed to obtain consent from data subjects (i.e. clients, customers, employees and business partners who provide personal information). Well-designed disclaimers and contractual language can be sufficient for some organizations until the remaining provisions of the law are implemented. This is because the means and methods for enforcing the law through the data protection authority, and for registering the organization's data manager and data processor (the Bahrain law's terms for the controller and processor roles) with the authority, are yet to be put in place.

Step 3: Policy Design and Implementation

If the diagnosis in Step 1 identifies this as a requirement, your organization will need to create a full-fledged data processing policy. This policy will specifically identify those responsible for processing data in your organization, the lawful basis for each kind of processing, and the controls in place to secure the data. It should anticipate the soon-to-be-formed Data Protection Authority and its enforcement mechanisms, so that your organization is fully compliant in advance.

Additional Steps:

Support from the IT team will be needed to assess how the IT systems must be improved so that the data protection controls and data security measures established on your computer network are sufficient to secure the data processed at your organization. Where local law or regulations provide procedures for it, the organization's policy and data protection program will also need to be properly registered with, and approved by, the data protection authority.

The Borderless Counsel team is also well equipped to assist you in managing your Data Protection Compliance. We have experience in managing compliance with the GDPR and are well versed in the requirements of a strong compliance program. If you need any assistance, get in touch today by sending us a message at info@borderlesscounsel.com. We can also be reached at +97338247303.

Zakir Mir