White Paper

Organizations active in GCC countries need to get to work on data protection

Authors
Felix Hildebrand, Elisabeth Benazir Lippert, Aytech Pseunokov, Dr. Bernhard Gehra, Shoaib Yousuf, Sean Mitchell, Tom Bicknell, Martin Hayward

March 2023
Introduction

Data protection and data privacy are hot topics throughout the world. The Gulf Cooperation Council (GCC) region is no exception, and new regulations are also emerging there. As these local and global regulations have significant implications, often with an extra-territorial scope, organizations in both private and public sectors need to pay close attention to them. Laws are currently coming into force throughout the region and are expected to start being enforced in the upcoming months. Many of these laws have similarities with the European General Data Protection Regulation (GDPR). However, these are not regional but national, hence additional challenges in terms of regional data flows and how the laws will be enforced on a country-by-country basis have to be considered.

The issue of data protection has become particularly relevant in a digitized world, where employers, suppliers, service providers and governments have more access to people's information than ever before. A huge amount of online data can be lost, stolen or targeted for ransom purposes through spying, intellectual property theft, or by hacking into personal accounts. As well as the potential severity of any data breaches, companies also have to contend with their increasing frequency.

In response, legislation is emerging to force companies to take action to shore up their defenses and curb unauthorized access to personal information. By now there are free zone and industry specific laws, which cover industries such as healthcare and financial services as well as government data laws, and place specific obligations on companies in these industry sectors or companies engaging with public sector entities. Organizations need both to establish a clear mandate for data protection, and also to allocate internal responsibility for this mandate in a transparent way. Both these actions are critical for a range of reasons, not least because several internal functions are affected by data protection regulation. Organizations must take a collaborative and cross-functional approach to the issue, and allocate responsibilities according to their own needs and circumstances. Investment in data protection capabilities is essential for three main reasons: to meet regulatory requirements, preserve reputation and avert considerable potential commercial losses.

Global background

Data protection regulation is rapidly evolving

In recent years, leading economies around the world have made headlines with new data protection and privacy regulation: the European General Data Protection Regulation (GDPR) (effective from May 25, 2018); the California Consumer Privacy Act (CCPA) (effective from January 1, 2020); the Chinese Personal Information Protection Law (PIPL) (effective from November 1, 2021); and the Data Security Law (DSL) (effective from September 1, 2021). The advent of GDPR, in particular, radically overhauled data privacy practices. It is now considered the gold standard in data privacy worldwide, and acts as the principal reference point for comparison with many emerging privacy regulations.

By 2023, according to Gartner, modern privacy regulations will be protecting the personal data of 65% of the world's population.[6] Most of these data privacy laws award people more rights over their data, such as the right to access their data or the right for it to be deleted. If organizations do not introduce an efficient system to handle them, such requests can generate a considerable operational burden.

At their core, these laws seek to ensure that personal data is used and processed in an ethical and legal manner. The laws span data processing, data protection and the data subject – that is, where and how the data is processed, where it is stored, how it is protected, and the rights that individuals have with regard to their own data. Many of these regulatory regimes also differentiate between personal data and sensitive personal data. All regulation demands clear processes for the collection, storage, correction, completion and destruction of personal data. The main objectives guiding the actions of legislators in this sphere are lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability.

The regulations usually have an extra-territorial scope, and this works in various ways. For example, the GDPR seeks to protect data belonging to European Union (EU) citizens and residents. The law therefore applies to entities and organizations that handle such data whether or not they are EU-based organizations. Consequently, each data protection regulatory regime will have significant implications for companies or public-sector entities which have any connection with the country from which the law originates. Given the accelerating pace of new data privacy laws, with their harsh penalties and their conflicts with other international data privacy laws, companies are rethinking where, how, and with whom to do business.


The escalation in breaches and loss of entrusted data has been observed in a number of industries. Some high-profile examples are detailed below.

Recent examples of GDPR fines[1]

Amazon was fined €746 million in Luxembourg for non-compliance with general data processing principles.

Meta was fined €265 million in Ireland for inadequate technical and organizational measures for ensuring information security.

Vodafone was fined in Spain[2], Italy[3], Romania[4] and Ireland[5]. The combined fines added up to a total of approximately €30 million. The reasons for the fines were an insufficient legal basis for data processing, non-compliance with general data processing principles, insufficient fulfillment of data subject rights, unsatisfactory technical and organizational measures for safeguarding information security, and not enough cooperation with the supervisory authorities.

Free, a French telecommunications company and a subsidiary of Iliad, which provides voice, video, data, and Internet telecommunications to consumers, received a penalty of €300,000 for insufficient fulfillment of data subject rights.

Finnish shipping company Viking Line Abp was fined €230,000 for non-compliance with general data processing principles.

1. GDPR Enforcement Tracker (https://www.enforcementtracker.com/)
2. OneTrust DataGuidance, February 3 2022, "Spain: AEPD fines Vodafone €3.94M for accountability and security failings" (https://www.dataguidance.com/news/spain-aepd-fines-vodafone-394m-accountability-and); European Data Protection Board, March 31 2021, "Spanish DPA Fines Vodafone Spain more than 8 Million Euros" (https://edpb.europa.eu/news/national-news/2021/spanish-dpa-fines-vodafone-spain-more-8-million-euros_en)
3. OneTrust DataGuidance, November 29 2022, "Italy: Garante fines Vodafone €500,000 for unlawful use of personal data in promotional campaigns" (https://www.dataguidance.com/news/italy-garante-fines-vodafone-500000-unlawful-use); European Data Protection Board, November 19 2020, "Aggressive telemarketing practices: Vodafone fined over 12 million Euro by Italian DPA" (https://edpb.europa.eu/news/national-news/2020/aggressive-telemarketing-practices-vodafone-fined-over-12-million-euro_en)
4. OneTrust DataGuidance, November 12 2021, "Romania: ANSPDCP fines Vodafone Romania €2,900 for security violations" (https://www.dataguidance.com/news/romania-anspdcp-fines-vodafone-romania-2900-security)
5. Data Protection Commission, September 7 2021, "Data Protection Commission welcomes outcome of prosecution proceedings taken against Three Ireland Limited and Vodafone Ireland Limited" (https://www.dataprotection.ie/en/news-media/data-protection-commission-welcomes-outcome-prosecution-proceedings-taken-against-three-ireland#:~:text=The%20Court%20convicted%20Vodafone%20Ireland,imposed%20fines%20totalling%20%E2%82%AC1%2C400.)
6. Gartner, September 14 2020, "Gartner Says By 2023, 65% of the World's Population Will Have Its Personal Data Covered Under Modern Privacy Regulations" (https://www.gartner.com/en/newsroom/press-releases/2020-09-14-gartner-says-by-2023--65--of-the-world-s-population-w)

2 The Boston Consulting Group 3


GCC data protection frameworks keep pace with global trend

Relevant developments in the GCC region are in keeping with this global trend. Indeed, local GCC data protection laws bear striking similarities with the GDPR. These developments mark a watershed in the evolution of the region's regulatory framework, and lay the foundation for the modernization of the economy and the digitization of the region's growth sectors. Organizations operating in the Middle East would be well advised to pay close attention and review their readiness to comply.

The GCC data protection regulatory landscape is becoming increasingly complicated. Along with national data protection laws and regulations, there are separate data protection regulations covering the financial free zones in the UAE and Qatar. In addition, there are separate industry specific data protection regulations to navigate covering such industries as healthcare, telecommunications and financial services along with specific laws covering government data.

2023 is expected to be a particularly pivotal year for GCC privacy regulations with companies managing the compliance requirements of the UAE federal data protection law following the issuance, expected in the first half of 2023, of the executive regulations underpinning the UAE federal data protection law and with the Oman and Saudi Arabia personal data protection laws coming into force.

EXHIBIT 1 Target Operating Model

1. STRATEGY & MANDATE
1.1 P&DP Mandate; 1.2 Risk Scope; 1.3 Risk Appetite; 1.4 P&DP Program & Strategic Plan

2. DELIVERY MODEL
2.1 LoD roles; 2.2 Org set-up; 2.3 Branch Mgmt.; 2.4 Policy Library; 2.5 Authority & Committees

3. GOVERNANCE & COMPLIANCE RISK MANAGEMENT
3.1 Risk Analysis & Assessment; 3.2 Regulatory Screening; 3.3 Controls; 3.4 Quality Assurance; 3.5 Advisory; 3.6 Invest. & Root Cause anal.; 3.7 Reporting

4. IT ARCHITECTURE
4.1 Data standards & reg. requirements; 4.2 Data handling & storage; 4.3 Processes & Tools; 4.4 Data Gov.; 4.5 Digital & Data Analytics

5. AWARENESS & CULTURE
5.1 Culture & tone from the top; 5.2 Training & enablement

How companies and public-sector entities operating in the region should prepare

Given this regulatory focus, and the various risks emanating from any vulnerabilities in this area, data protection and privacy have moved to the top of the C-suite agenda across all industries in the region. Senior leaders have recognized that robust data security and data privacy are vital if their future ambitions are to be achieved. However, it is one thing to recognize the challenge, and quite another to adopt the right strategic response. Organizations need to scrutinize their operating model, ensure adequate resources in the right areas, update the written framework to include data sharing policies, incident reporting and escalation mechanisms, and refine training and awareness programs.

Investment in data protection is crucial for 3 main reasons. First, robust data protection is necessary in order to meet regulatory requirements. As a result, it can prevent the substantial fines imposed in the event of non-compliance, such as the GDPR fines issued against Amazon and Meta, which both reached into the hundreds of millions of dollars. Data protection also wards off the heightened regulatory scrutiny that inevitably results from non-compliance. Indeed, data protection regulators have the power to enforce mandatory audits, request access to documentation and evidence, or even demand that an organization stops processing personal data.

Second, investment is crucial because data protection helps to preserve reputation. Companies can lose the trust of regulators, investors and clients in the event of a data breach, and this will inevitably have a negative impact on the organization's ability to meet its objectives.

Third, data protection serves to avert considerable potential commercial losses, too. For example, the stock price could fall and sales decline after a data breach, while ransomware can result in disrupted or completely halted business operations. In order to protect both their own sensitive data as well as data that consumers have entrusted to them, and also meet all the regulatory requirements, companies and public sector entities need to build a robust privacy and personal data protection framework and target operating model. As with all risks, it is essential to set a level of tolerance, assess potential information security and privacy risk, and put mitigating measures in place.

The crucial initial phase of the process is a basic assessment of each type of personal data that an organization possesses - how each is stored, processed, and used. Particular attention should be paid to sensitive personal data.

If they have not already done so, all companies based or operating in the GCC countries need to classify risks, deriving from data protection laws relevant to the company, into various categories. The laws could be pertinent to their area of business, clients or global footprint. The identified risks then need to be prioritized according to their level of seriousness and urgency. At that stage, organizations can design a clear roadmap for actions that need to be carried out, and develop a data protection framework.

The various facets of the data protection framework should all be embedded within a clear Target Operating Model. (See Exhibit 1)

Setting out a data protection framework involves:

- Establishing the data protection and privacy function
- Defining the organizational structure of the data protection and privacy department
- Conducting interviews for new specialist hires
- Boosting awareness and refining training programs
- Preparing materials in relation to data privacy and protection
- Ensuring customer consent for collecting data
- Devising consent management and privacy controls for customers
- Identifying all touchpoints at which customer data can be collected
- Strengthening relationships with third-party vendors which process, store or have access to personal data of employees or customers
- Identifying critical data elements and reports
- Spelling out data subject rights
- Preparing a technical document for the necessary IT changes, and overseeing its implementation
- Registering any process developments
- Developing a register document to track process developments, and devising the process for keeping it updated and stored
A clear delineation of roles within this data protection framework is vital, setting out which function has overall ownership of a particular area and which is responsible for each part of the process. Functions must then collaborate with each other for the benefit of the organization as a whole.

Depending on the extent and complexity of the challenge as well as local regulatory requirements, companies can also opt to establish a Data Protection Office and appoint a Data Protection Officer. Organizations should nevertheless be aware that the breadth and scope of activities to be undertaken by the privacy function continues to expand far beyond the typical activities of such a data protection officer. More than 30% of organizations are now devoting much of their attention to setting international transfer rules and formulating privacy impact assessments. These burgeoning responsibilities are creating headaches for companies trying to prioritize management time in the most efficient way possible.

Aside from the Data Protection Officer and a data protection and privacy committee, there are other roles and responsibilities to be allocated. For example, data protection owners and application owners also need to be clear about what they have to do. The specific details of planned processes, such as the relevant reporting to ensure management oversight, also need to be worked through.

Sometimes, regulation specifies where roles are positioned within the organization. For example, GDPR Article 38 (3) states that "the data protection officer shall directly report to the highest management level of the controller or the processor."

When designing the mandate for the Data Protection Officer and a Data Protection Office, and determining where to position them within the organization, it is first important to consider what their primary function is – mainly if it is drafting measures, executing controls or acting as an advisor to the organization.

The role of the Data Protection Officer should always be independent, but we have observed three ways in which they have been positioned within an organization.

- Integrated with the IT function: This option tends to be favored by organizations with strong IT leadership, where the focus is on fixing issues that arise and on avoiding potential challenges.
- Directly reporting to the CEO: This option is often preferred by data-driven organizations which have an emphasis on business innovation and enablement.
- Reporting to the compliance function: This option is likely to be suitable for organizations with a power imbalance - between IT and the business - that needs to be resolved.

One cross-industry survey examined the reporting mechanism for data protection officers. It found that they reported most commonly to the legal, compliance and information security functions.[7]

In terms of the Data Protection Office, sometimes called the Privacy and Data Protection Office, four organizational arrangements have been most typically observed.

- Decentralized system: Business units define data protection themselves; absence of an overarching data protection strategy, and very limited coordination.
- Data Protection Office as doer: A core team responsible at top level for privacy and data protection.
- Data Protection Office as facilitator: A lean unit facilitating and coordinating.
- Centralized system: Data Protection Office as authorized owner of all data.

Tasks of the Data Protection Officer

- Reviewing current policies regarding data subject rights, and evaluating processes concerning new regulations
- Closing any gaps and resolving potential issues in order to ensure all data subject rights are guaranteed
- Closely monitoring the implementation of revised policies and processes to avoid future breaches
- Identifying critical data elements
- Classifying critical data elements into one of four categories based on a respective impact assessment of any potential unauthorized disclosure
- Defining data quality rules, as well as corresponding rules for metadata and data lineage

7. IAPP-EY Annual Privacy Governance Report: https://iapp.org/media/pdf/resource_center/IAPP_EY_Annual_Privacy_Governance_Report_2022.pdf



Conclusion: Moving forward

In such a dynamic regulatory environment, with emerging new challenges and the uncertainties of upcoming enforcement actions, companies should seek to maintain a constant line of communication with peers and regulators.

Best practices from companies preparing for GDPR compliance can be learned from, potentially serving as a starting point for the design of a robust operating model and strategy. Law firms and other stakeholders offer research and industry insights, enabling companies to derive more lessons from peers.

As authorities increase their focus on data privacy, every company active in the GCC region should plan a framework tailored to its individual organization and in line with what it must do to fulfill all its requirements. Such an enterprise-wide data protection framework can be developed after a transparent review of the organization's existing data protection and privacy program. This framework includes organizational initiatives (such as policies and procedures) and technical measures (such as encryption and password protection), which both facilitate the privacy and protection of personal information. We are yet to see how two conflicting forces will be aligned and reconciled with each other − on the one hand, the push for more data protection; and, on the other hand, the need for increased transparency of information and data sharing designed to tackle various forms of financial crime. The rapid rise of generative AI chatbots also carries implications for information and privacy risks – and data privacy officers need to provide guardrails for how employees use them as we learn more about how privacy regulators view these tools.

In what is a fluid regulatory environment for data protection and privacy, there are several regulations currently in draft format. India recently put their data protection bill on hold. However, with the large number of Indian citizens living and working in the region, GCC states would be well advised to keep a close eye on how this law plays out. Further developments are expected in early 2023.

Companies in all sectors, private as well as public, must continue to pay close attention to local GCC and global regulations on data protection. For an organization to meet the requirements of data protection, it needs to define a mandate clearly, and then set out in a transparent way who precisely is responsible for executing it. With the right structure in place, extensive measures can be adopted to adapt to new privacy and regulatory compliance demands and risks.

Dr. Bernhard Gehra, Managing Director & Senior Partner, BCG Munich, gehra.bernhard@bcg.com
Felix Hildebrand, Managing Director & Partner, BCG Munich, hildebrand.felix@bcg.com
Shoaib Yousuf, Managing Director & Partner, BCG Dubai, yousuf.shoaib@bcg.com
Aytech Pseunokov, Project Leader, BCG Dubai, pseunokov.aytech@bcg.com
Elisabeth Benazir Lippert, Senior Knowledge Analyst, BCG Frankfurt, lippert.elisabeth@bcg.com
Sean Mitchell, Senior Knowledge Analyst, BCG Boston, mitchell.sean@bcg.com
Tom Bicknell, Partner, Pinsent Masons Dubai, tom.bicknell@pinsentmasons.com
Martin Hayward, Partner, Pinsent Masons Dubai, martin.hayward@pinsentmasons.com

About Pinsent Masons

Pinsent Masons has over 35 years of experience in the Middle East and has been permanently established in the region since 2008. Today, the firm has more than 100 people based in their offices in Doha, Dubai and Riyadh offering a full range of legal services including: Projects, Construction & Infrastructure; Corporate & Commercial; Real Estate; Dispute Resolution and Compliance; Banking & Finance; Employment.

Combining this legal expertise with the global sector expertise in Infrastructure, Energy & Natural Resources, Financial Services, Technology, Industry and Science, and Real Estate, the legal services are delivered in a way that produces first rate commercial advice in the context of the Middle East region.

Pinsent Masons offers legal, business and cultural fluency in both English and Arabic and has experts in local and foreign (such as English) laws and regulations.

About BCG

Boston Consulting Group partners with leaders in business and society to tackle their most important challenges and capture their greatest opportunities. BCG was the pioneer in business strategy when it was founded in 1963. Today, we help clients with total transformation—inspiring complex change, enabling organizations to grow, building competitive advantage, and driving bottom-line impact.

To succeed, organizations must blend digital and human capabilities. Our diverse, global teams bring deep industry and functional expertise and a range of perspectives to spark change. BCG is collaborating with OpenAI to help our clients realize the power of OpenAI technologies and solve the most complex challenges using generative AI − responsibly. BCG delivers solutions through leading-edge management consulting along with technology and design, corporate and digital ventures − and business purpose. We work in a uniquely collaborative model across the firm and throughout all levels of the client organization, generating results that allow our clients to thrive.
