Qatar Personal Data Privacy Protection
The Trust Challenge

Key Obligations & Consequences

The Law has several provisions that will have a far-reaching effect on how a company collects, processes and stores personal data.

Individual Rights – The New Law establishes the right of an individual to privacy over his or her personal data. The individual is granted rights to:

Review, alter or delete their personal data at any time.

Request a copy of their personal data after making a payment that does not exceed the value of the service provided.

Withdraw approval at any time.

Object to the processing of their personal data, if it is unnecessary for the purposes for which it was given or is discriminatory.

  • Obtain the approval of the individual before processing their personal data, unless they can show it is necessary to achieve the controller’s (or the 3rd party to whom the personal data is sent) legitimate purpose.
  • Obtain explicit consent from the parent before processing any personal data of a child.
  • Obtain approval of the Ministry of Transport and Communications (MTC) before processing any “personal data of a special nature,” which includes ethnic origin, health, physical/psychological state, religious beliefs, marital relationships and criminal offenses.
  • Notify the individual before processing (or allowing a 3rd party to process) personal data. This notice shall include the legitimate purposes for the processing, a description of the processing activities and the degrees of disclosure to be made.
  • Conduct direct marketing only after approval of the individual, which can be withdrawn, and must include the identity/address of the sender. (See also the Anti-Spam regulations issued by the Communications Regulatory Authority in November 2017).
  • Notify the individual and the government of any breach of personal data that would result in serious damage to the privacy of the individual.
  • Notify the individual of a disclosure of any inaccurate personal data.
  • Notify the controller immediately after it becomes aware of a breach or threat.
  • Take necessary and appropriate precautions to protect personal data from incidental or illegitimate loss, damage, modification, disclosure, access or use.
  • Complaint Process – An individual may lodge a complaint with the MTC’s privacy department, which will render a decision and, as needed, require corrective action. That decision may be appealed within 60 days. MTC’s minister will have 60 days to grant the appeal; failing a response, the decision is deemed final.

The Trust Challenge

Key Challenges in brief:

You can only protect what you know you have. Review and map your internal and external data flows and ensure appropriate privacy mechanisms are in place.

In order to ensure proper consent is obtained, privacy notices, consent forms and processes should be reviewed and amended accordingly.

The New Law introduces new rights for individuals. Organizations must put in place procedures allowing individuals to effectively exercise their rights.

Compliance with the New Law requires that precautions be built into products and systems to protect individuals’ personal data. Procedures should be reviewed and amended, if existing, or developed and formalized, as necessary.

Organizations must take appropriate technical and organizational data security measures, including comprehensive security reviews, training and testing/auditing of anyone handling Personal Data (including 3rd parties). It is important that businesses understand the required security measures and, if necessary, modify their breach management process to become compliant.

The New Law requires the reporting of data breaches to the individual and supervisory authority. Businesses must implement an appropriate breach notification plan.

Win-Win Situation

Solutions

Ardent Privacy’s solutions for the above-mentioned challenges:

Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Often there are silos within entities or business and IT teams, and it is challenging to get a full picture of the data leaving and entering the organization, especially when data is shared with third parties, vendors, business partners and others. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, so that you can take action on it.

TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets using Machine Learning to find excess data, including personal data. This can eliminate operational inefficiencies and save costs by removing unwanted data and the legal cost of holding it with respect to regulatory compliance.

TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating the deletion.

Search capability across large datasets to fulfill data subject requests in totality and at a rapid pace. The assumption that data exists only in databases and nowhere else is often not reality, as customer data exists in many sources. Using Machine Learning and AI, we crawl across data sources and predict where PII can exist.

The Trust Challenge

Key Obligations & Consequences

Oman's PDPL requires that companies uphold the principle of “purpose limitation”.

  • Fairness/transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Security
  • Accountability

The regulation requires the organization to incorporate reasonable practices to fulfill the administrative, technical, and physical security.

The DPA defines seven basic data subject rights: the right to be informed about how your data is used, to access personal data, to correct data, to have data deleted, to stop or restrict data processing, to data portability, and to object to how your data is processed.

Users also have additional rights and protections under the DPA when their data is processed through automated decision-making or profiling algorithms.

The DPA requires preparation of an Incident Reporting & Breach Management Workflow.

The DPA requires the appointment of a Data Protection Officer for certain organizations, as well as maintaining a detailed record of processing activities.

The Trust Challenge

Key Challenges in brief:

The following are the issues created by Oman's PDPL that the majority of organizations face:

Under the PDPA, the data controller has to maintain the following key records, amongst others.

  • Personal data collected (“Data Inventory”).
  • Retention period for the personal data (“Data Minimization”).
  • Rights and methods in accessing the personal data (“Data Subject Rights”).

Cross border data transfer Requirements: Under Article 23, any organization can transfer data collected within Oman outside the country if it follows the directives issued by the Ministry of Communications. However, such transfers are prohibited if there is a chance that the transfer of such data may cause harm to a data subject under this law.

Data Breach Requirements: Per Article 19, the data controller is obligated, in the event of a breach of personal data, which leads to its destruction, alteration, disclosure, access, or unlawful processing, to inform the Ministry and the owner of personal data about the breach.

Fulfillment of Data Subject rights: Data subjects have a series of rights conferred upon them by Oman's PDPL, for instance the right to know, the right to data portability and the right to be forgotten. Individual data subjects raise various requests pertaining to their individual data subject rights. PDPL for.

Win-Win Situation

Solutions

Ardent Privacy’s solutions for the above-mentioned challenges:

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party “Privacy Intelligence” (monitors third party sharing): Often there are silos within entities or business and IT teams, and it is challenging to get a full picture of the data leaving and entering the organization, especially when data is shared with third parties, vendors, business partners and others. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, so that you can take action on it.

“Data Minimization”: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization legal requirements. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets for excess data using Machine Learning, removing unnecessary and irrelevant personal data. Removing this data reduces costs by eliminating operational inefficiencies and ensuring compliance with regulatory mandates.

“Right to be Forgotten (RTBF)” with Assured Deletion: With TurtleShield RTBF, businesses can easily comply with the CTDPA's right to deletion by giving them the ability to delete data on request with recorded validation of the deletion.

Enable Data subject rights with cost savings and compliance in totality: The assumption that data only exists in databases and nowhere else is often not reality, as customer data exists in many sources. Using Machine Learning and AI we predict where PII can exist, giving the ability to quickly fulfill data subject requests across the totality of large datasets, improving the speed and completeness of CTDPA request compliance.
