Some of you may know that I have been on a campaign to protect data, personal data specifically, from misuse, and that I have been demanding legislation to strenuously protect that data, to prevent its misuse, and to enact stern penalties on those who do misuse personal information.
On August 1, 2019, Bahrain’s Personal Data Protection Law (PDPL) comes into effect. And it seems to address my raised concerns, which is a relief not just for me, but for everyone in Bahrain.
The issue is, although the law will come into effect and obviously organisations large and small will be held liable for its implementation, the Data Protection Agency doesn’t actually exist! Moreover, no ministry or minister has been put in charge of it. It’s just 22 days until the law comes into effect, and it looks like it’s going to be a difficult breach birth.
In any case, to introduce the law and to help businesses understand their responsibilities and make arrangements to stay within its limits, the Chamber of Commerce held a seminar this morning at its premises which was really well attended. The number of people attending is a testament to how seriously businesses in Bahrain are taking this matter. The presentation was given by keypoint’s Mr Srikant Ranganathan, their senior director of IT consulting, and it was quite comprehensive.
What is this law and what does it contain? keypoint and KPMG have good short guides which are worth reading (click the links to download the PDFs). From keypoint’s document:
The PDPL requires a range of changes to the way businesses process personal data in Bahrain. Entities are required to seek prior approval from the relevant data protection authorities (DPAs) when collecting, processing and storing personal data. The PDPL imposes new obligations on how businesses manage data, including ensuring that personal data is processed fairly, that data owners are notified when their personal data is collected and processed, that collected personal data is stored securely, and that data owners can exercise their rights directly with businesses.
There are also hefty fines for breaching the law and its provisions, some criminal and others administrative, and they are cumulative:
The PDPL enforces a range of criminal and administrative fines:
- Criminal offences include the processing of sensitive personal data, the transfer of personal data outside Bahrain, and the failure to notify as required – fines of up to BD20,000 or imprisonment for up to one year
- Administrative fines – up to BD20,000 (one-off fines) or daily penalties of up to BD1,000 (may increase for repeat offences)
The law provides for the protection of “personal data” and what it terms “sensitive personal data”. These are defined as:
Personal data: Any information of any form relating to an identified or identifiable individual, either directly or indirectly, particularly through personal ID numbers or physical, physiological, intellectual, cultural or economic characteristics or social identity.
Sensitive personal data: Any personal information that reveals – even indirectly – an individual’s race, ethnicity, political or philosophical views, religious beliefs, union affiliation or criminal record – and any data related to health or sexual activities.
I think this is really good news for all of us. Finally we have a law – once its Agency actually comes into existence – that will protect our data. And this one is actually stricter than the European GDPR, which is also good news not only for individuals, but also for businesses wanting to establish entities in Bahrain. This is such a crucial issue that if trust is established in the sanctity of this sensitive information, businesses will want to establish themselves and invest in this country. Read the article by Khaled Alrumaihi of the EDB, which explains this issue further.
The obligations of this law force companies to be better and to respect personal information, something which they have not been able to do because of the non-existence of any penalties for misusing collected and processed information. For instance, businesses routinely demand your national ID number (CPR) without any conceivable reason to do so. Also, they would insist on getting your mobile number, but never tell you that they will be using both to send you unwanted marketing messages. With this law, they have to get your express approval before using your data, and you can demand that they show you what data they hold in their databases about you; you can also demand that they delete it, and they have to oblige. Beautiful. I look forward to the day where we can gain access to a building – for instance – without having to surrender our ID card first. This to me is not only scary (as it is open to misuse) but is also disgusting.
Before any organisation can collect and process your data, they have to gain the express permission of the DPA (when it is formed, of course! Now we’re in limbo), which has a plethora of requirements before permission is granted, chief amongst these of course being the assurance that the organisation will look after and secure your data. I wonder how they will deal with cold stores who provide the service of printing the data contained in your national ID card! That too is a very worrisome affair. Making such data so easily available must ring alarm bells.
So what are the obligations under this law?
The key obligations are:
Many of the obligations placed on “data managers” (controllers) will be familiar to organisations that operate under data protection laws in other parts of the world, including requirements to process data fairly and lawfully, to collect personal data for legitimate, specific and clear purposes and to ensure that data is adequate, relevant and not excessive as to the purpose for which it was collected.
Data cannot be processed without the consent of the relevant individual (data subject) unless it falls within one of the five grounds for processing in Article 4 of the Law. These grounds include the performance of contracts or legal obligations, protecting the data subject’s vital interests and safeguarding the data controller’s legitimate interests. There are derogations for the processing of personal data for journalistic, artistic or literary purposes and more stringent rules applying to the processing of “sensitive personal data” (i.e. personal data that directly or indirectly reveals racial or ethnic origin, political or philosophical views, religious beliefs, trade union membership, criminal record, health or sexual condition).
One interesting feature of Bahrain’s legislation is the role of the ‘Data Protection Supervisor’. This is an accredited third party that may be appointed by data controllers at their discretion or, in some cases, at the direction of the data protection authority. The Data Protection Supervisor must exercise its role in an “independent and neutral manner” (unlike, for example, the data protection officer appointed by European entities under the GDPR). Its responsibilities include monitoring and verifying the data controller’s compliance with the law, supporting the data controller in exercising its rights and performing its obligations, maintaining a register of processing, and coordinating between the data protection authority and the data controller.
The Law prohibits the transfer of personal data outside Bahrain to jurisdictions that are not approved by the data protection authority unless the data subject provides consent or the transfer falls under a specific derogation, including transfers necessary for the performance of contracts, protection of the data subject’s vital interests or preparing, pursuing or defending a legal claim. The Law also requires data controllers to enter written contracts with third parties that process personal data on their behalf (data processors). However, there is no mandatory data breach notification provision in the Law. [source: Clyde & Co]
What should entities do now?
According to keypoint:
To comply with the PDPL, organisations must:
- Determine what personal data they acquire and process
- Show they meet the requirements for processing personal data
- Apply measures to protect data against unintentional or unauthorised destruction, accidental loss, unauthorised alteration, disclosure or access, or any other form of processing
- Show how they ensure confidentiality when processing data
- Appoint data protection supervisors to liaise with, or report to, the DPA as and when required
I’m sure there are quite a number of steps to action before it becomes the norm for people and entities to value the privacy of information and, as importantly, to make it a habit to seek approval before using such sensitive data. It will also be a good day when people in Bahrain object to blindly handing over their personal information, including their ID card, to anyone who asks.
One thing that I would like to see added to this law immediately is to require entities who suffer any breach of such information to notify their user-base whose information they were entrusted with, and to make public their findings immediately. At the moment, they are not required to divulge any breaches, which – to me at least – impacts the trust that this whole operation requires.
This law is very welcome.
Now I’ve got to go and ask specific permission of those in my marketing database as to whether they would actually like to hear from me from time to time. I won’t be offended if they choose to unsubscribe. I’ll just work harder at gaining their trust and at providing them enough value for them to willingly subscribe to my marketing efforts.
Well done Bahrain. It is high time that we have such a law in place.
I just hope its implementation will be strictly enforced, and that it doesn’t end up just ink on paper.