MANAMA: A cookie-cutter approach in terms of compliance readiness with the National Personal Data Protection Law (PDPL) will be setting up companies to fail, a leading expert has warned.
According to Jeyapriya Partiban, who is a partner and the head of risk consulting for KPMG in Bahrain, data protection is more than just simply protecting data; it is about moderating a delicate balance between people and organisations collecting, processing and profiting off their data.
The statement comes a day after a royal decree was issued appointing the Justice, Islamic Affairs and Endowments Ministry as the administrative entity that assumes the duties and powers prescribed for the protection of personal data authority, including monitoring and enforcing compliance within the marketplace.
The power and perils data protection have to offer organisations from a strategic perspective will boil down to their perspective towards managing internal processes linked to data protection, she said.
It could be either viewed purely as a check box exercise for compliance purposes; or as a core part of the organisation’s strategic objective leading towards data privacy as a way of life.
All organisations will need to seriously consider their processes for the personal data they collect, process, manage, store and have overall access to.
This will also include the organisations’ strengthening their first line of defence, i.e. their people, by making sure all their employees who are involved in processing and accessing personal data are trained appropriately, she said.
“The Bahrain law is future focused and is a valuable barometer for all the new national/industry laws and regulations in terms of understanding that data protection is not a quick-fix ‘check-box’ exercise, and the perils of treating it so, could lead to an organisation becoming a critical statistic in terms of them being penalised for a breach in privacy.
It is also vital that organisations understand that a “blanket” disclaimer/disclosure-based approach is akin to treating cancer with a band-aid; and the approach needs to be at a “Privacy by Design” level when it comes to existing processes and procedures (including existing data) that involves the collection, storage, processing and disposal of data.
According to her, this includes a risk-based mindset right from considering potential impact that may arise due to knowledge, skills, information and authority to operate relevant policies and procedures of risk control.
Data protection and privacy is an organisational mindset and behavioural-based process which needs to be treating the issue as a core business strategy instead of a mere compliance requirement.
There is an inherent misconception that data protection is a European concept, and that there is only one set of regulations that is globally applicable that will impact organisations.
However, contrary to this, there are over 120+ countries around the world that have national data protection frameworks that are all diverse and designed to protect individual’s data and their rights.
In fact, the PDPL is unique and has certain key articles that are exclusive to Bahrain. Even the scope definition as a national law is broader than the GDPR in some respects, said KPMG.
Copyright 2019 Al Hilal Publishing and Marketing Group Provided by SyndiGate Media Inc. (Syndigate.info).
