Bahrain introduces Personal Data Protection Law but is business ready?


Experts fear that enterprises in the Persian Gulf state of Bahrain are not adequately prepared to meet tighter data privacy standards enshrined in new data laws.

The recently-activated Personal Data Protection Law (PDPL) obliges organisations to obtain consent from consumers to harvest, process and store personal data. Consent will also have to be obtained for the use of private data for commercial reasons.

Bahrain’s citizens now have the right to choose whether or not they share their details with local businesses in the island state. Such details include smart card and mobile phone numbers, health data and more personal information regarding specifics of race, ethnicity, political views, religion, criminal histories and union affiliations.

While the new law has gone live, the state has not made any announcements about the implementation of a new Personal Data Protection Authority, or how this authority will regulate and enforce the new privacy legislation.

Jeyapriya Partiban, risk consulting partner at KPMG Bahrain, said:

“While the authority is yet to be formed, the requirement for compliance doesn’t get impacted as the new law is a nationwide law that has been enacted by a Royal decree.

“All organisations in Bahrain will need to be aware of the requirements and specific stipulations of the law and will need to ensure that appropriate processes and protocols are in place to protect the personal and sensitive data of all their stakeholders.”

Ms Partiban underlined how the new legislation was clear regarding protection, privacy and disclosure requirements.

“Whilst a few organisations in Bahrain have embarked on the implementation of the law, the wider market has yet to come to terms with firstly acknowledging the law and secondly meeting the compliance requirement,” she added.

Residents and workers in Bahrain and local firms will have to comply with the PDLP. The laws will also govern businesses and individuals who do not reside on the island but who have their data processed from the capital Manama.

Ms Partiban continued:

“Every data subject in Bahrain has the right to know what personal and sensitive data relevant to them is being collected and what it is being processed for. They also have the right to ensure accuracy of the information and where and for how long it is being stored.

“Most organisations in Bahrain still do not fully appreciate the impact of non-compliance and privacy breach on both individuals and organisations, which is even more critical given the increasing reach of Bahrain businesses globally,” she added.

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.