According to a survey conducted by Protiviti Member Firm for the Middle East Region, a mere 21% of the organisations in the region have effectively established a data privacy programme. The report highlights the difficulties organisations face as they transition from the design stage to the implementation stage of a data privacy programme, such as addressing regulatory requirements as well as potential legal risks associated with non-compliance.
Commenting on the launch of the survey report, Ranjan Sinha, Managing Director, Technology & Digital Consulting, Protiviti, said, “Data privacy has emerged as a critical concern for organisations worldwide, and the GCC region is no exception. The survey presents the current state of data privacy programmes in the region and a roadmap for organisations to enhance their privacy practices, comply with regulations, and protect their customer sensitive information.”
According to the report, privacy programme implementations are increasing across GCC countries, with 56% of respondents highlighting regulatory requirements as the primary driver, along with the need to maintain consumer trust and contractual obligations as the other important driver.
However, findings indicate a lack of coherence in data privacy implementation initiatives, as the responsibility and ownership for the programme are dispersed throughout the organisation. Merely 27% of organisations have dedicated data privacy departments, while 40% assign data privacy as the primary responsibility of the information security department. The report urges organisational leadership to establish clear privacy-oriented roles, responsibilities, and governance structures and prioritise budget allocation for data privacy programmes.
According to Niraj Mathur, Managing Director, Security and Privacy Practice, Protiviti, “Given our experience working with clients across the globe and especially in the GCC, a generic approach to privacy does not work. Organisations will need to consider their business context, current state, existing capabilities, and risk appetites while strategising their data privacy programme. Any gaps during implementation can have lasting impact due to stringent legal penalties and reputational risk from loss of customer trust.”
Knowing where personal data resides is crucial for safeguarding it and for responding to breaches. Notably, 76% of survey participants highlighted data visibility as the main hurdle in maintaining effective privacy programmes. Approximately 75% foresee enhancing the Governance, Risk Management, and Compliance (GRC) requirements of their privacy programmes as a significant area of investment this year, anticipating that regulatory bodies will conduct routine audits and inspections to oversee organisations’ adherence to privacy regulations, similar to the rollout of cyber security regulations earlier. However, 43% of the organisations are yet to allocate a budget for privacy programmes.
With so much data at play, the ability to track and monitor all the information an organisation collects, processes, and stores remains a critical challenge as well. Organisations in the region recognise the critical role of cloud as a digital transformation enabler. Nonetheless, concerns over cloud security remain, with 67% of respondents expressing concerns about cloud service providers’ ability to maintain clear visibility over personal data.
Ultimately, the survey report calls upon organisations to undertake a comprehensive data discovery exercise to identify and map out the collection, storage, processing, and transfer of personal data within their environment. It’s important that organisations plan their data privacy journey by following a strategic and proactive approach that considers various aspects, such as legal and regulatory requirements, privacy risk management, employee training and awareness, and data breach management.
Conducted over several months, the report sampled over 100 organisations spanning diverse industries, including BFSI, Enterprise, Telecom, and others.