The Personal Data Protection Law of Bahrain (PDPL) was introduced by Law No. 30 of 2018 and came into effect on 1 August 2019, it marked a sea change in how personal data is regulated in the Kingdom and set out clear standards on how personal data could be collected, stored and processed.
The PDPL required businesses (Data Managers) to protect the personal data and privacy of individuals (Data Owners) based in Bahrain for transaction occurring within the Kingdom and introduced repercussions for non-compliance.
In May 2021 the Ministry of Justice and Islamic Affairs, acting in its capacity as Personal Data Protection Authority, (the Authority) published three executive decisions for consultation, which will complement the PDPL and cover the following :
- the rights of the Data Owner;
- the technical and organisation measures required from a Data Manager; and
- the rules in respect of Data Protection Controllers, which are approved third party experts, who can assist a Data Manager with their compliance.
The key components of these consultations are as follows:
- Register of Data Protection Controllers – the Authority will establish a register for Data Protection Controllers, from which Data Managers will be able to appoint a Data Protection Controller – if an individual or business is not registered and approved as a Data Protection Controller by the Authority, then it may not carry out such responsibilities
- Notice period for breach – there is a requirement that a Data Manager notify the Authority within 72 hours of any breach of personal date – this is line with current international standards relating to data protection, particularly the GDPR
- Data Protection Officer – a Data Manager may wish to appoint a specific employee who shall be responsible for queries from Data Subject, communicating with the Data Protection Controller (if required), maintaining the necessary records relating to personal data protection and monitoring compliance of service providers and processors with the PDPL
- Information Security Officer – a Data Manager may wish to appoint a specific employee who shall be responsible for developing information security procedures, risk-assessment programs, implementing the information security policies, dealing with and responding to security breaches
- Use of 'Privacy by Design' - a Data Manager must use application, services and products that have the highest level or privacy by default
- Minimum obligations regarding technical procedures and data security – a Data Manager must carry out a Data Protection Impact Assessment for any new process, product, service, program, technology or system – assessing the impact on personal data and the potential risk – as well as performing vulnerability assessment and penetration testing
- Conditions for valid consent from a Data Subject
- Withdrawal of consent by a Data Subject - the consultation sets out further detail as to how and when a Data Subject may revoke his / her consent
- Objection to processing that may cause damage – the PDPL sets out this ability for a Data Subject and further detail has now been provided by the consultation – such objection by a Data Subject will be upheld unless the Data Subject has already provided explicit consent to the processing or, by ceasing such processing, the Data Manager will suffer more damage that the Data Subject would in the event the processing were to take place
The consultation period for is due to expire at the end of June 2021.
The scope of Bahrain's data protection regime is ambitious and is on par with the protections laid out in Europe's GDPR. Whilst not all of the above proposals may make it into the final draft of the resolutions, they are a testament to Bahrain's commitment to be at the forefront of the technology sector in the MENA region and continue the Kingdom's tradition of innovation, but not at the expense of the consumer.