A recent report from Protiviti, the Middle East Region’s member firm, reveals that a mere 21% of organizations within the GCC have successfully implemented functional data privacy programs. The study, conducted through a survey, sheds light on the challenges faced by these organizations as they transition from the design phase to the implementation stage of their data privacy initiatives. These challenges encompass tackling regulatory prerequisites and potential legal ramifications associated with non-compliance.
Ranjan Sinha, Managing Director of Technology & Digital Consulting at Protiviti, commented on the survey’s release, emphasizing that data privacy has become a paramount concern worldwide, extending to the GCC region. The report serves as a snapshot of the current state of data privacy programs in the area and offers guidance for organizations to enhance their privacy protocols, adhere to regulations, and safeguard sensitive customer information.
The report indicates an uptick in the execution of privacy programs across GCC nations, with 56% of respondents citing regulatory demands as the primary driving force. Maintaining consumer trust and fulfilling contractual obligations were also noted as important motivators. Despite this, the findings underscore a lack of coherence in the implementation of data privacy initiatives. Ownership and responsibility for these programs are dispersed throughout organizations, with only 27% of entities having dedicated data privacy departments. Notably, 40% place data privacy responsibilities under the purview of their information security departments. The report urges organizational leaders to establish clear roles, responsibilities, and governance structures, and to allocate adequate budgets for data privacy programs.
Niraj Mathur, Managing Director of the Security and Privacy Practice at Protiviti, emphasized the need for a customized approach to privacy. Drawing from global and GCC-specific experiences, Mathur advised that organizations consider their unique business contexts, existing capabilities, and risk tolerances when formulating data privacy strategies, as gaps during implementation can lead to severe consequences due to legal penalties and reputational damage arising from eroded customer trust.
Maintaining awareness of the locations of personal data is pivotal for effectively safeguarding against breaches and responding promptly. The study underscores that 76% of survey participants perceive data visibility as the primary challenge in upholding robust privacy programs. Additionally, around 75% foresee substantial investments this year to bolster the Governance, Risk Management, and Compliance (GRC) aspects of their privacy programs. This anticipation is fueled by the expectation that regulatory bodies will initiate regular audits and inspections to ensure organizations’ adherence to privacy regulations, akin to the introduction of prior cybersecurity regulations. Remarkably, 43% of organizations are yet to allocate a budget for privacy programs.
Managing the multitude of data in play is a complex endeavor, encompassing tracking and monitoring the information collected, processed, and stored by organizations. While recognizing the transformative role of the cloud in digital advancement, organizations in the region remain concerned about cloud security. As per the survey, 67% of respondents harbor reservations regarding cloud service providers’ ability to maintain transparent visibility over personal data.
In conclusion, the survey report urges organizations to undertake thorough data discovery exercises to identify and map the journey of personal data within their environments—covering collection, storage, processing, and transfer. A strategic and proactive approach to data privacy journey planning is recommended, taking into account legal and regulatory requisites, privacy risk management, employee training and awareness, and data breach management.
The study, conducted over several months, covered more than 100 organizations across diverse sectors, including BFSI, Enterprise, Telecom, and others.