Companies remain unprepared as Bahrain data law comes into effect

13 August 2019 6 min. read

Bahrain’s new personal data protection laws have now come into effect – with the business community yet to take appropriate action according to the local branch of KPMG.

Barely a year on from the massive regulatory upheaval that was the implementation of Europe’s General Data Protection Regulation (GDPR) – with a recent study by accounting an advisory network RSM finding that nearly a third of European businesses are still not compliant, let alone international operators, Bahrain’s own personal data protection law has now also come into effect – with a similar level of inaction and misapprehension being reported locally.

“Whilst a few organisations in Bahrain have embarked on the implementation of the law, the wider market has yet to come to terms with firstly acknowledging the law and secondly meeting the compliance requirement,” said Bahrain KPMG partner and head of risk consulting Jeyapriya Partiban in a Gulf Daily News report shared on Zawya. “Most organisations in Bahrain still do not fully appreciate the impact of non-compliance and privacy breach.”

According to the new rules, any individual who processes sensitive personal data in violation of the Personal Data Protection Law (PDPL) – which covers the collecting, storage, use, disclosure and disposal of personal data and appropriate consent – could face criminal penalties of up to a year in prison and/or fines in the range of roughly $2,600 and $52,000. The new laws apply to both businesses operating in Bahrain and those which have their data processed locally.

Companies remain unprepared as Bahrain data law comes into effect

“All organisations in Bahrain will need to be aware of the requirements and specific stipulations of the law and will need to ensure that appropriate processes and protocols are in place to protect the personal and sensitive data of all their stakeholders,” said Partiban, adding that “While the authority is yet to be formed, the requirement for compliance doesn’t get impacted as the new law is a nationwide law that has been enacted by a Royal decree.”

In addition to criminal liabilities for firms, victims of unlawful data handling – such as being denied the right to access their own personal information – may be entitled to compensation. Partiban continued; “Every data subject in Bahrain has the right to know what personal and sensitive data relevant to them is being collected and what it is being processed for. They also have the right to ensure accuracy of the information and where and for how long it is being stored.”

With the laws being enacted in the middle of last year, KPMG in February hosted a PDPL business awareness seminar with around 50 key officials from regulatory bodies and public-sector organisations in attendance. Still, despite such efforts from consultancies previously, RSM in an earlier survey found that 90 percent of European businesses were unprepared for the GDPR just six months out from implementation, with numerous big-name companies caught out since.

“The law aims to create a culture and mindset that respects and protects personal data and hence the privacy of others,” said one of the bill’s architects Jameel Al Alawi at the KPMG seminar. “This is a concept which has been developing worldwide especially since the recognition of the Right to Privacy which is the 12th Fundamental Right under the 1948 Universal Declaration of Human Rights and has been increasingly gaining traction in recent years.”