Data Privacy Day 2021: seven top tips for organisations on protecting personal data
Qatar was the first country in the Middle East to introduce a national data privacy law. The local data protection authority has recently issued a series of regulatory guidelines that both clarify the existing legislation and introduce new compliance requirements for data controllers. In this article, we provide an overview of the key changes to the data protection regime and some specific considerations for all organisations doing business in Qatar.
Qatar was one of the first countries in the Middle East to introduce a standalone data protection law: Law No. 13 of 2016 Concerning Personal Data Protection (the PDPL) was issued more than four years ago. The PDPL incorporated concepts familiar from other international privacy frameworks at the time.
In November 2020, the Compliance and Data Protection Department (CDP) of the Ministry of Transport and Communications issued 14 regulatory guidelines on the PDPL. Notably, the guidelines introduced new concepts that are not expressly addressed in the PDPL. Many of these concepts are aligned with principles in the EU General Data Protection Regulation, which came into force in 2018. These include requirements for controllers to carry out data privacy impact assessments and to maintain records of processing activities.
The guidelines are likely to be a precursor to increased enforcement activity by the CDP. Depending on their current internal data protection policies and procedures, organisations doing business in Qatar may need substantial effort to comply with these new measures, and failure to comply could lead to fines of up to QAR 5,000,000 (USD 1,370,000).
There are currently 14 guidelines covering a range of different privacy compliance issues. The guidelines are intended to clarify obligations under the PDPL and, in many cases, they go further by introducing new requirements.
We set out below the key takeaways that organisations need to consider incorporating into their business practices to ensure continued compliance:
Since health information is considered special nature personal data and requires permission from the CDP, organisations that process such data (e.g. medical leave, Covid-19 symptoms, vaccination status or sick benefits of employees) will need to submit a Special Nature Personal Data Form to the CDP. Organisations will need to show that they have a permitted reason as well as an “additional condition” to process the personal data. The guidelines state that consent is not advisable as a legal basis for processing employees' data, meaning that employers should try to avoid relying on consent when they collect and process personal data of their employees. Organisations should therefore assess their employment contracts and legal grounds for processing employee data.
Employers will also need to conduct DPIAs when processing employees’ personal data, as the CDP considers this an example of processing that “may cause serious damage”. Employers should undertake DPIAs with respect to their processing of employee data, identifying measures to reduce the risk of serious damage and recording their decision-making.
Organisations operating in Qatar must now comply with a more detailed and comprehensive regulatory framework. The new guidelines clarify many of the questions that existed under the PDPL.
The release of the CDP guidelines has generated a number of new requirements that will require a fundamental shift in the approach to data protection compliance for many organisations. Multinationals that already comply with global standards will also need to evaluate their data privacy frameworks to ensure local compliance.
The creation of an effective data protection framework requires an enterprise-wide approach that will typically necessitate the involvement of a number of business units, including HR, marketing, sales, customer service and IT. Our recent briefing and video for Data Privacy Day 2021 provided some tips for establishing a privacy framework and our leading Middle East privacy team can support you on the journey to compliance in conjunction with our established on-the-ground presence in Doha.