A prominent trading hub, a pioneer in regulatory and legal reforms, and a gem amongst the GCC States. In tandem with Bahrain’s 50th national day celebrations, we are excited to introduce the latest edition of Law Update, where we explore the significant development that the Kingdom of Bahrain has achieved as a nation on the regional and international stage.
In this standout Bahrain Focus, our lawyers provide insights and expert commentary on pertinent legal updates within the country. From an interview with an industry leader discussing the Bahrain real estate market to an insightful overview around alternative working arrangements and its economic effect. In addition, you will find several general articles along with real-life judgments that provide context for the legal landscape across the entire region.Take a read of the edition
Using appropriate technical and organisational measures to ensure the security of personal data is a common requirement under data protection regimes, including, most notably, the European Union’s General Data Protection Regulation (“GDPR”).
Whilst technical and organisational measures are integral to ensuring security in processing and preventing security breaches, the requirement is usually deliberately left vague by regulators in order to accommodate for the transient, fluctuating nature of developments in cybersecurity, technology and innovation. Consequently, data protection regimes prescribe that security measures must be benchmarked to the “state of the art”, without detailing what this may actually mean.
It is against this background that Bahrain’s Data Protection Authority (“Authority”) has issued a Draft Order regarding “the conditions to be met in the technical and organisational measures that guarantee protection of data” (“Draft Order”). In contrast to the GDPR, the Draft Order goes considerably further in specifying what security measures must be implemented. This article aims to shed light on Bahrain’s evolving data protection landscape, with a focus on the technical and organisational measures to protect data.
The primary legislation in Bahrain is the Personal Data Protection Law (Law No.30 of 2018) (“PDPL”) which came into force on 1 August 2019. Currently, not all provisions of the PDPL are effective; the resolution issuing the PDPL stipulates that the Authority’s Board of Directors (“Board”) shall issue the necessary implementing regulations for the PDPL’s effective application.
Pursuant to the above, the Authority (currently, the Ministry of Justice, Islamic Affairs and Awqaf) has now issued a series of draft orders for public consultation, which include the Draft Order (note that the consultation on the Draft Order ended on 30 June 2021).
The Draft Order is intended to supplement Article 8 of the PDPL (Security of Processing) as further detailed below. This Article explicitly assigns the Board to “issue a regulation prescribing specific conditions to be met in the technical and organisational measures”.
Those familiar with other data protection legislations will find that the majority of the provisions in the PDPL are drafted in comparable terms to the GDPR. However, the Authority’s Draft Order proposes to expand the PDPL beyond its European equivalent, as it prescribes specific technical measures to be implemented by data controllers.
While the term “technical and organisational measures” appears approximately 89 times within the GDPR, it is not definitively defined. Rather, Article 32 of the GDPR on Security of Processing states that, in implementing technical or organisational measures, organisations must “take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing.”
Similarly, Article 8 of Bahrain’s PDPL on Security of Processing requires organisations to implement appropriate technical and organisational measures, and to ensure an appropriate level of security “taking into account the latest technological security measures, the associated cost, the nature of the data to be processed and the potential risks involved.”
With reference to the above, whilst organisations subject to the PDPL are required to take into account the risks involved, this brief reference to “risks” within the PDPL must not be mistaken for a “risk-based” approach in the European sense, which entails a proportionality assessment before adopting security measures.
Unlike the GDPR, where the only technical measures expressly referred to are encryption and pseudonymisation, Article 21 of the Draft Order requires data controller to implement generally accepted best practice/ technical measures, including but not limited to: access control, change management process, password protection, device authentication, data and hardware encryption solutions, anti-virus applications, wifi security, firewalls and Network Access Control (NAC) which is an approach to computer security that attempts to unify endpoint security technology (e.g. antivirus, host intrusion prevention, and vulnerability assessment).
Other measures prescribed in the Draft Order include the use of dummy data when developing electronic information systems in the organisation to protect personal data from loss or damage.
A significant “organisational measure” imposed by data protection legislations such as in the GDPR is the requirement to appoint a Data Protection Officer (DPO). As stipulated above, the GDPR follows a risk-based approach; accordingly it only requires a DPO where there is ‘high risk processing’. In contrast, the PDPL – together with the Draft Order – is proposing to create three overlapping (non-mandatory) compliance roles. The compliance trio include:
The Draft Order proposes that every data controller maintains an insurance policy issued by one of the licensed insurance companies in Bahrain, in order to cover compensations resulting from violating the privacy of data subjects and any damages or expenses incurred by data subjects as a result of that violation. The insurance amount is yet to be determined.
The Draft Order departs from the European approach to data protection through adopting a more prescriptive approach for the technical and organisational measures that are required to ensure the security of personal data.
Whilst ensuring the security of personal data is a fundamental aspect of data protection, a prescriptive one-size-fits-all approach will potentially disproportionately increase the compliance burden for small and medium-sized enterprises.
For further information, please contact Andrew Fawcett.