Operationalizing data privacy programs a challenge in GCC

10 October 2023 Consultancy-me.com 3 min. read
More news on

Despite growing awareness and regulatory pressure around data privacy, just one in five organizations in the Middle East have established an effective data privacy program, according to research from Protiviti.

With consumers increasingly concerned about how businesses handle their personal data, and the rise of cyber attacks including the breach of personal information, data privacy is emerging as a top concern and priority for organizations.

Data privacy refers to the protection of personal information from unauthorized access, use, or disclosure. It focuses primarily on ensuring that individuals have control over their personal data and that it is handled in a way that respects their privacy rights. The field also prevents the misuse of data, such as identity theft, sale of data, unauthorized profiling, or discrimination based on personal data.

Key consumer expectations

“Data privacy is now one of the critical concerns for organizations worldwide, and the GCC region is no exception,” said Ranjan Sinha, Managing Director at Protiviti. “Regulatory bodies have recognized this trend, as evidenced by multiple privacy laws and regulations at a regional and national level.”

Indeed, data from Gartner estimates that 75% of the word’s population will have its personal data covered by modern privacy regulations such as the GDPR in Europe and the Data Protection Law in the UAE).

Not surprising then is that the implementation of data privacy programs within corporates is in full swing. Protiviti’s survey, which surveyed 100+ organizations across the Gulf Cooperation Council, found that most organizations in the region have a privacy data strategy in place. Further, around 75% of the respondents highlighted that improving the privacy program’s needs are a key area of investment in 2023.

Regulatory Landscape

Over half (56%) of respondents said that regulatory requirements are the primary driver for increased implementation focus, followed by the need to maintain consumer trust and ensuring contractual obligations are honored.

Building more effective programs

At the same time, Protiviti’s report concludes that the journey to operationalizing data privacy programs is a serious challenge for most organizations. Only 21% of organizations surveyed said that their program is fully operational, while close to 3 in 10 said that they still have not passed the early planning phase.

“Our findings indicate a lack of coherence in data privacy implementation initiatives, as the responsibility and ownership for the program are dispersed throughout the organization,” said Niraj Mathur, Managing Director at Protiviti.


As an example of this, just 27% of organizations have dedicated data privacy departments. The report urges leadership to establish clear privacy-oriented roles, responsibilities, and governance structures and prioritize budget allocation for data privacy programs.

When doing so, Mathur added that organisations should take a wide lens. “Given our experience working with clients, a generic approach to privacy does not work. Organizations will need to consider their business context, current state, existing capabilities, and risk appetites while strategizing their data privacy program. Any gaps during implementing can have lasting impact due to stringent legal penalties and reputational risk from loss of customer trust.”

“It is important that organizations plan their data privacy journey by following a strategic and proactive approach that considers various aspects, such as legal and regulatory requirements, privacy risk management, employee training and awareness, and data breach management.”