Businesses run the risk of stiff penalties up to BD20,000 for non-compliance with the new Bahrain Personal Data Protection Law, a leading expert has warned.
Navneet Sharma, director for IT at the audit and advisory firm Grant Thornton Bahrain, said as per the law which went into force in August, a Personal Data Protection Authority will be established to monitor and enforce compliance.
On September 30, these duties were assigned to the Justice, Islamic Affairs and Endowments Ministry until the authority is established.
According to Mr. Sharma, questions regarding the communication and reporting lines to the authority still remain.
Organisations are wondering how quickly the regulators will enforce compliance, and how they can ensure compliance with the law and avoid any violation.
“Taking into account that sharing personal data is prohibited under the law, organisations need to take an explicit consent from the data owner or have a legal basis such as legal obligation, contractual obligation, public interest or vital interest prior to sharing this personal data,” he added.
Additionally, prior to sending direct marketing emails or SMSes, organisations need to ensure that the data owner is aware of the service and has opted in to it before receiving such emails or SMSes.
He said the law is not only about getting the explicit consent of the data owner, but also ensuring that the processing of personal data is carried out under a lawful basis.
Demonstrating that the bulk of processing activities conducted by different business units within the organisation have a legal basis can represent a challenge, added Mr. Sharma.
A clear assessment needs to be made by organisations to understand the implications of the law on business processes, the flow of data and the locations where the data is stored.
In addition, the retention period, disposal methods and the underlying technologies being used, together with their impact on data protection and privacy, should be clearly assessed.
“Sufficient security controls should be implemented and documented to reflect compliance with the law,” said the official.
When it comes to services provided by third-party service providers, organisations need to take additional steps to ensure that the confidentiality of personal data is maintained.
Further, employees need to be trained and made aware of their roles and responsibilities towards the protection of personal data.
According to Grant Thornton Bahrain managing partner, Jassim Abdulaal, regulators have to give priority to data privacy and security regulations to catch up with technology disruption.
“Bahrain’s PDPL has become a reality from August 1 turning data privacy into a fundamental right. The move is also in keeping with principles of fairness and protection of consumers. Our technology advisory team brings a global approach to solutions for PDPL implementation locally,” he added.
Jatin Karia, senior partner at Grant Thornton Bahrain, feels businesses like banks, insurance firms and healthcare providers must now take data privacy and security laws more seriously than ever.
“In addition to focusing on product and service delivery as business and commercial objectives, they need to give equal priority to data protection as a business necessity for the interest of consumers, employees and others.