Data Privacy Egypt: What You Need to Know
Handbook: A starter guide to data privacy compliance
Contents
04 A quick introduction to data privacy
06 About this handbook
07 Why is data privacy important?
08 Key concepts
09 Key principles of data privacy
10 What is personal data?
11 What is sensitive personal data?
12 Controllers vs. processors
14 Individuals’ rights
15 When can personal data be processed?
16 Ten steps to an effective data privacy programme
A quick introduction to data privacy
There are many definitions for ‘data privacy’. The simplest way to think about it is that people (customers, employees, anybody!) need to know what personal data organisations are collecting about them and how they are using it. Of course, this is a simplistic way to look at the topic but it is useful to set the scene.
Data privacy is far more than just the security and protection of personal data. It all boils down to how organisations are using that personal data. Organisations need to process personal data in an ethical and legal manner. That could mean not bombarding customers with unwanted SMS marketing messages but it could also mean simply not sharing personal information with third parties without the customer’s consent. It doesn’t mean that marketing is now forbidden under data privacy laws but it does mean that organisations need to be transparent about what personal data they are capturing and how it’s going to be used. Many organisations recognise the significant risks of cyber attacks and data breaches but fail to understand what else is required to safeguard what is referred to as the “rights and freedoms of individuals”.
In the past year there was a series of high-profile data breaches followed by mega-fines from regulators. This has increased awareness about the importance of data privacy and protection. The European Union (EU) also introduced the “General Data Protection Regulation” (GDPR), which set stricter standards for data privacy and protection and further increased awareness around the importance of data protection compliance.
In the Middle East, some GCC States have already adopted their own privacy laws and other states have signalled their intent to release similar legislation in the near future. Many of the recent data privacy laws, including local Middle East data protection laws, have striking similarities with the GDPR. This is not surprising because the GDPR radically overhauled data privacy practices and is now considered the gold standard in data privacy, worldwide.
About this handbook
The data privacy landscape is complex and it continues to evolve. It presents many challenges to organisations by creating uncertainty on many levels about whether, how, and when to process personal data. The complex implementation of the GDPR and the continuing efforts worldwide to draft local data privacy regulations are having a serious impact on organisations’ abilities to update and align their business practices to the ever-changing regulatory requirements.
We’ve put together this Data Privacy Handbook to try to simplify the requirements and help you kick-start your data privacy compliance journey. The toolkit contains useful information and resources to help you assess your current business processes against data privacy best practices and take the necessary steps to improve them.
This toolkit reflects best practices aligned to the requirements of the GDPR, requirements and practices specific to the Middle East region and PwC’s own proprietary frameworks. The toolkit is suitable for all organisations processing personal data and looking for a practical approach to build their data privacy programmes, be it to comply with privacy regulations or to gain competitive advantage.
Why is data privacy important?
Companies that fail to protect personal data and comply with data privacy regulations aren’t just risking financial penalties. They also risk operational inefficiencies, intervention by regulators and, most importantly, permanent loss of consumer trust.
Regulatory
Data protection regulators may enforce mandatory audits, request access to documentation and evidence or even mandate that an organisation stops processing personal data.
Reputational
Non-compliance with the law could result in brand damage, loss of consumer trust, loss of employee trust and customer attrition.
Key principles of data privacy
Most data protection laws are built on a set of key principles, which establish the foundation for
everything related to data privacy and the protection of personal data.
There are seven key data privacy principles that form the fundamental conditions that
organisations must follow when processing personal data. Processing personal data in line with
these key principles is essential for good data protection.
(Figure: the seven key data privacy principles, including Accountability)
What is personal data?
Personal data is any information that can identify a living person. This could be as simple as a name or account number, or it could be a digital identifier such as an IP address or username, or location data such as GPS coordinates.
What is sensitive personal data?
Some personal data is considered sensitive, as it could cause harm to the individual if leaked or
misused. While each data privacy law may have its own nuances, personal data is classified as
‘sensitive’ if it relates to:
• Voice recording
• Political affiliations
• Health records
• Biometrics
It’s important to differentiate between personal data and sensitive personal data because the
processing of sensitive personal data usually requires additional safeguards to be in place.
Controllers vs. processors
Data privacy laws draw a clear distinction between data ‘controllers’ and data ‘processors’ to
recognise that not all organisations involved with the processing of personal data have the same
responsibilities.
A simple way to think about this is as follows. A retailer creates an e-commerce website and
decides what information they require from customers to create an account. The company
uses a cloud provider to host their website and database. In this case, the company is the data
controller and the cloud provider is the data processor.
Am I a controller or a processor?
It is important to note that an organisation is not by its nature either a controller or a processor.
It may be acting as a controller for some personal data and processing activities, and as a
processor for others.
What does it mean if I am a...
Data controller
You are ultimately accountable for your own
compliance and the compliance of your
processors. Your responsibilities include
compliance with data protection principles,
responding to individuals’ rights, enforcing
security measures, managing data breaches and
engaging only with processors providing sufficient
guarantees to protect the data.
Processor
You have less autonomy over the data you’re
processing, but you may still have direct legal
obligations. If you engage a sub-processor,
you may be liable to the controller for the sub-
processor’s compliance.
Your responsibilities include compliance with your
controllers’ instructions as set out in third party
contracts, enforcing security measures, notifying
controllers of personal data breaches and not
engaging any sub-processor before the approval
of the controllers.
Sub-processor
As a sub-processor, you may be liable for any
damage caused by your processing in case you
have not complied with your legal obligations and
if you failed to follow the controller’s instructions.
Your responsibilities towards the processor are
similar to the processor’s responsibilities towards
the controller.
Individuals’ rights
One of the aims of data privacy laws is to empower individuals and give them control over their
personal data. Therefore, most data privacy laws introduce what are usually referred to as ‘data
subject rights’ concerning the protection of individuals’ personal data. It’s important to note that
not all of these rights are ‘absolute’, meaning some only apply in specific circumstances:
Right to correct personal data
Individuals can have their personal data rectified if inaccurate, or completed if it is incomplete.
Right to objection
Individuals can object to the processing of their personal data by an organisation.
Right to transfer personal data
Individuals have the ability to receive data in an organised, commonly used, machine-readable form.
*Not all data subject rights are ‘absolute’. The ‘right to erasure’ is often misunderstood. The main reason for this is that many assume it is an ‘absolute right’, whereas in actual fact there are only certain circumstances in which people can request that their data be deleted.
When can personal data be processed?
The first principle of data privacy requires that all personal data be processed lawfully and fairly.
To do so, organisations must have at least one of the following valid lawful bases for processing:
As different types of data require different levels of protection, data privacy laws specify different
conditions for processing sensitive and criminal data:
• Sensitive data can usually only be processed with the individual’s explicit consent, unless the data is required for filing legal proceedings or claims, or if there is any legal, public interest or regulatory requirement.
• Personal data relating to convictions and criminal offences can usually only be processed as long as it is carried out under the control of a certain government authority or in accordance with local laws.
Top tips
• You must determine your lawful basis before you begin processing, and you should document it.
• Get it right the first time: you should not swap between bases at a later date.
• If your purposes change, you need to reassess the new purpose and determine a valid lawful basis.
Ten steps to an effective data privacy programme
1 Appoint a Data Protection Officer (p. 18)
2 Maintain a personal data register (p. 19)
3 Notify purpose and seek consent (p. 20)
4 Respond when individuals ask about their personal data (p. 21)
5 Enforce security mechanisms (p. 22)
6 Embed data privacy into your systems, processes and services (p. 24)
7 Notify data breaches (p. 26)
8 Manage third parties (p. 27)
9 Protect personal data when transferring overseas (p. 28)
10 Communicate your data protection policies, practices and processes (p. 30)
1 Appoint a Data Protection Officer
Many data privacy laws introduce the concept of a ‘Data Protection Officer’ (DPO), a new
leadership role for overseeing the organisation’s data protection programme and ensuring
compliance with the applicable laws.
2 Maintain a personal data register
In order to protect personal data you need to know what data you collect, how you use it and
where you store it. The first step in achieving this is identifying all processing activities in your
organisation involving personal data, and documenting how and why the data is used in what is
called a ‘personal data register’.
3 Notify purpose and seek consent
Transparency is a central principle in data privacy laws. When collecting individuals’ personal
data you must provide them with clear information explaining why, what and how you’re
intending to process it.
What is consent?
Consent is a freely given, specific, informed and unambiguous agreement, provided by
individuals through a statement or a clear affirmative action, to the processing of their personal
data.
Consent means giving people control and choice over how their personal data is processed. It
constitutes one of the legal grounds for lawfully processing personal data, however, there are
conditions that need to be met to ensure it’s valid.
4 Respond when individuals ask about their personal data
What are data subject requests?
Data privacy laws introduce new rights for individuals that are designed to give them more control over how their data is used. Individuals are entitled to raise requests to exercise their data subject rights and organisations must respond within a specified period, as per the data privacy laws you are subject to.
5 Enforce security mechanisms
Most data protection laws require organisations to ensure that ‘organisational and technical measures’ are in place to protect personal data. This usually means that organisations need to take reasonable steps to protect personal data. What is ‘reasonable’ will usually come down to a business decision with the support of legal counsel, and will be based on the organisation’s size and the amount and type of personal data being processed.
Generally speaking, organisational and technical measures are the functions, processes, controls,
systems, procedures and measures taken to protect and secure the personal information that
you process.
• Business continuity
• Risk assessments and audits
• System and physical security
• Encryption or de-identification of personal data
• Robust data disposal measures
• Passwords and two-factor authentication
• Bring your own device (BYOD) and remote access
Which security measures should I implement?
Depending on the size of your organisation and the processing activities undertaken, there are
a broad range of technical and organisational measures that can aid in securing and protecting
personal data. We also suggest utilising established frameworks such as ISO 27001 to assess
and develop adequate measures.
As there is no ‘one size fits all’ solution when it comes to information security, we recommend
you follow the steps below to determine which measures you should implement:
Step 1
Step 2
Step 3
Step 4
6 Embed data privacy into your systems, processes and services
Recent data privacy laws have introduced detailed requirements on privacy by design and
default. A first step to translate these broad concepts into functional requirements is to define
their key principles as follows:
While these principles help to inform the organisation’s overall approach, successful privacy
by design and default is facilitated by governance and oversight, implemented by a supportive
workforce, and informed by risk and compliance.
What is ‘data privacy by design’?
Organisations committed to providing an environment that safeguards personal data must
embed data privacy into the design and overall lifecycle of any technology, business process,
product, or service, such as:
• Using a new way of storing data (e.g. cloud)
• Engaging a third party to manage and maintain an IT system
• Transferring data to a new third party
• New or changing business process
• New product offering
• New use of existing data to improve a product or service
7 Notify data breaches
Data breaches can happen for various reasons, despite all the precautions that you may take. As
data privacy regulations introduce strict reporting timelines, it is crucial for every organisation to
be well prepared in the event of a data breach.
• Nature of breach:
  • Who accessed what and when?
  • What caused the breach?
  • How was the data used?
  • Who are the affected individuals?
• Description of the estimated impact and possible effects.
• Contact details of your data protection supervisor.
• Procedures taken by your organisation to investigate and remediate the incident.
9 Protect personal data when transferring overseas
With a significant number of organisations’ operations spanning several countries and territories,
data transfers are an integral part of today’s global economy. Many data privacy laws contain a
‘whitelist’ of countries to whom personal data may freely be transferred because they provide
adequate levels of personal data protection. For non-whitelisted countries or ‘third countries’
as they are also known, data privacy laws require safeguards to be in place whenever data is
transferred to such places. Often this means using a recognised data transfer mechanism.
Which safeguards are considered appropriate for personal data transfers?
There are a number of mechanisms your organisation could adopt to protect personal data when
transferring to third countries. Some safeguards recognised by the GDPR are:
10 Communicate your data protection policies, practices and processes
Complying with data privacy laws is not something that can be left to the legal and compliance
departments alone. Compliance with data privacy laws requires that everybody in the
organisation understands their responsibilities to protect personal data. It is very important to
communicate your data privacy policies and practices to your customers and employees to
ensure they are familiar with how you process and protect personal data.
Customers
• Make the business contact information of your DPO easily accessible so that your customers know who to contact for inquiries or complaints.
• Readily provide information about your data protection policies, practices and complaints process upon request.
• Update your privacy notice to make sure your customers understand what personal data you process, and how you do it, to enable them to make informed decisions about it. The privacy notice should be:
  • Concise and transparent
  • Written in clear and plain language
  • Delivered in a timely manner
  • Made publicly available and easy to access
Employees
• Communicate your data protection policies and practices to your employees to make sure they are familiar with their roles and responsibilities in processing personal data.
• Develop a culture of privacy awareness within your organisation by aligning the importance of data privacy to your values and implementing practical approaches to convert it to repeated practices.
• Use posters, email and other communication tools to raise awareness of the importance of personal data protection among your staff.
• Send key employees who handle personal data to attend regular data privacy training to ensure they are kept up to date on your internal processes and latest developments in the privacy space.
How PwC can help
As experts in data privacy, we are well positioned to support you with your organisation’s journey
to data privacy compliance. We have developed a five step approach to transforming privacy
programmes, with tools and accelerators to assist the process.
(Figure: five-step approach, including data discovery, a stakeholder engagement and communications plan, and capabilities)
Get in touch
To discuss how PwC can support you with implementing your data privacy programme, please
get in touch.
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 158
countries with over 250,000 people who are committed to delivering quality in assurance, advisory and tax
services. Find out more and tell us what matters to you by visiting us at www.pwc.com.
Established in the Middle East for 40 years, PwC has 22 offices across 12 countries in the region with around
5,200 people. (www.pwc.com/me).
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal
entity. Please see www.pwc.com/structure for further details.