Breaking down Egypt’s Data Protection Act
What exactly is the Data Protection Act and how is it going to affect business? Our friends at Sharkawy and Sarhan have outlined the main features of the draft legislation, which is currently on the House of Representatives’ docket for their fifth legislative session, and its repercussions for you and your business.
The draft Data Protection Act is concerned with the privacy and security of personal data, and would be applied to Egyptian citizens and foreign residents alike. It is essentially Egypt’s version of the EU’s General Data Protection Regulation (GDPR). The draft law would protect any personal data — your name, address, or photo, to name a few examples — if it leads to identifying an individual. The law would provide an additional layer of protection to sensitive data, such as an individual’s religion and his/her medical information. The act also enshrines your rights as they pertain to personal information, including right to ask that your data be deleted, and sets out obligations for organizations collecting or processing data.
The main features of the draft law that may affect you as a business:
- Limitations on organizations’ ability to collect, use, transfer, or retain personal data;
- Requirements to obtain a license and other fulfill other compliance stipulations, if data is controlled or processed (which is the case with all organizations);
- Regulations and stipulations for companies engaged in direct marketing.
Should you be worried about these regulations? The legislation covers any individual or business that collects, stores, processes, and/or transfers personal data for uses that are non-personal. The consequences for non-compliance are severe, ranging from imprisonment and fines, to revoking data-related licenses and publication of the criminal verdict in media outlets.
How can you get your house in order, and how much time do you have? The starting point is to track the data cycle from when your organization receives the data, through to it being processed and stored, and until the data is deleted. Next, make sure you comply with each of the data protection principles as they have been emptied into legal obligations (we delve into that more below). Document this in a policy and implement it — and don’t forget to train your people. Those included within the scope of the law will be expected to comply within 18 months from its issuance (assuming the executive regulations are issued on schedule).
Now that you have an idea of the main tenets, let’s look at the key data protection principles laid out in the act. We flesh out three of them below to give a clearer picture of what they entail. These are set in stone under the GDPR and mirrored in Egypt’s law:
- Lawfulness, fairness, and transparency;
- Purpose limitation;
- Data minimization;
- Storage limitation;
- Integrity and confidentiality (security);
Lawfulness, fairness, and transparency: The principle stipulates that you must not collect or keep any personal data in electronic or physical form. The only exception is for lawful purposes, including if the person whose data is being collected has given their consent, the relevant document is anonymized, the company has a legitimate reason to keep the data, or there is a legal or contractual obligation. In all these cases, you must reveal the purpose of the data collection and processing.
How to comply: Ask yourself why you are collecting this data and if you are also processing it, and make sure your reasons are legitimate. For example, think of a financial institution storing personal data to comply with KYC regs under anti-money laundering laws. Wherever possible, obtain the subject’s consent.
Accuracy: This is a fairly straightforward concept that requires you to ensure the data collected is correct, and that you correct any inaccurate data.
How to comply: Map your data, review it to make sure it is correct, and put in place procedures that allow data subjects to review their data and correct it. A simple example of this is someone changing their address: Either update the information, or note that the information you have is their last known place of residence.
Integrity and confidentiality (security): You need to take the necessary technical and organizational data protection measures to guard against breach of confidentiality, hacking, destruction, alterations, or damage to the personal data. Technical measures here include more than addressing cybersecurity risks — they cover procedures such as securely disposing of documents containing personal data and securing access to any location with documents or devices that can access the data. Organizational measures, meanwhile, include coordinating on security processes between relevant members of the company.
How to comply? Draft and implement a data security policy, and train your people accordingly. A registered data protection officer should also be appointed to regularly check, evaluate, and document the protection systems. Report any data leaks, should they occur.
What needs to change in the current draft? Data protection is good and eventually leads to a better business environment for all of us. But, we are mostly worried about the imprisonment sanctions which, as currently drafted, are extraterritorial. This represents a personal threat to senior executives in Silicon Valley and Seattle. We see this as a disabling threat that may cause some companies to reconsider their investments in Egypt. The draft law is essentially borrowed from the GDPR. But on sanctions, we seem to have lost our sense of where the world is going and decided to go in the opposite direction.
Corrected on 2 October 2019
The link was updated.