2024 Data Privacy imperatives for Middle East businesses

As 2024 dawns upon us, Middle East organisations look poised for a fresh phase of technology-driven transformation at various levels of operations and strategy. 2023 witnessed significant business resurgence from the effects of the Covid, as reported in PwC’s 2023 Middle East Working Capital Study and most economic sectors in the region maintain a strong positive outlook entering into the new year.

While this is good news, it is vital that organisations balance growth with appropriate due diligence, particularly in the area of data protection. Tech-driven innovations have led to organisations contending with larger volumes of data than ever before, a significant portion of which constitutes personal data, i.e. data pertaining to identified/identifiable natural living persons. In this article, we take a look at the key data privacy imperatives for Middle East businesses. 

1. Recognise the privacy expectations of consumers

A younger, more tech-empowered population implies that the Middle East consumers are increasingly cognizant of risks to their online privacy when they engage with digital platforms. As PwC’s Global Consumer Insights Survey 2023 reveals, 40% of Middle East consumers are wary of providing their personal data on social media and websites. Middle East businesses must recognise their customers’ privacy expectations, and address data protection as a business imperative.

2. Embrace emergent technologies with cautious optimism

Like any new technology, Artificial Intelligence (AI), the science of computers replicating human behaviour, holds the potential of both risks and rewards. Whilst the extent of AI’s implications are yet to be fully understood, the world is captivated by its game-changing potential. 

Governments in the Middle East have responded to the AI promise and taken steps to promote responsible innovation in the field. The Saudi Authority for Data and Artificial Intelligence (SDAIA), for instance, published an Artificial Intelligence Ethics Framework on 14 September 2023. The framework aims to promote AI innovation, whilst providing measures to address its potential risks.

Middle East businesses must recognise data’s role in fuelling the algorithmic engines of AI systems, and take a stance that is both pragmatic and proactive, with data protection being a core tenet of their design. Privacy enhancing technologies must be assessed and deployed as per specific needs. In our recent article ‘The imperative for responsible innovation’, we provide an actionable list of steps for Middle East organisations to address AI-related risks.

3. Fulfil regulatory obligations

2023 saw great strides in the regulatory landscape of the region. Oman’s Personal Data Protection Law came into effect on 13 February 2023, while the Kingdom of Saudi Arabia published an amended version of the Personal Data Protection Law (PDPL) on 7 April 2023. 

Regulatory enforcement of personal data protection laws is expected to further strengthen in 2024. Organisations must identify and act upon their data protection obligations, including tailoring to specific nuances that may vary depending on their place of business. Key focus areas include lawful bases for processing, updated privacy notices and a data privacy policy suite, cross-border data transfers, and the need to appoint a data protection officer.

We have produced a helpful suite of Data Privacy Handbooks to guide organisations on the specific nuances of data protection laws in various jurisdictions, such as the UAE, Saudi Arabia, Oman and Egypt.

4. Educate and empower workforce

Human relationships establish the social fabric of organisations, and tech-driven transformation notwithstanding, the workforce defines the core DNA of organisations. Employees must be educated on the organisation’s data privacy obligations and be empowered to take pro-privacy actions as part of their day-to-day business activities. The appointment of focus groups, such as a data privacy champions group or a data privacy steering committee will demonstrate organisational accountability, whilst establishing robust mechanisms for data privacy reporting and monitoring.

69% of Middle East organisations plan to upskill their workforce fast enough to keep up with organisational demands over the next 12 months, as revealed in the PwC Digital Trust Insights: Middle East report. Strengthening data privacy competency must remain a focal area of upskilling initiatives.