UAE data protection law, similar to GDPR, likely landing this year

The UAE is looking at implementing a data protection law, similar to the EU’s General Data Protection Regulation (GDPR), introduced in 2008, as part of the UAE National Cybersecurity Strategy.

The TRA has launched the 2020-2025 strategy, as the country enters the fifth-generation era, in a bid to enable a swift and coordinated response to cyber incidents in the UAE.

“Part of the strategy is that data privacy is crucial to the cyber and the UAE is regulating and drafting a data protection law. We will look at the best performing practices performed worldwide; GDPR will be one of the inputs to it. We want to make sure that whatever regulations are put, are easy to be implemented across different sectors,” Mohammad Al Zarooni, Director of Policies and Programs Department at the Telecommunications Regulatory Authority (TRA) of the UAE, told TechRadar Middle East at an event.

Bahrain has launched its Personal Data Protection Law and more countries in the region are expected to follow. Phil Mennie, director for digital trust at consultancy firm PwC, said that the demand for privacy expertise exploded after the introduction of GDPR.

“Large organisations are impacted by the GDPR but we observed, unlike in Europe where privacy has been a topic for a very long time, in the Middle East there is a lower understanding of how privacy impacts organisations,” he said.

Mennie said that the UAE law is expected this year and in Saudi Arabia, it is expected this year or next year.

GDPR has a ceiling of 4% of global annual revenues or up to 20,000 euros if a breach is not reported within 72 hours. Regarding this, Al Zarooni said that the authority needs to protect people’s data as regulation and, at the same time, doesn’t want to put a lot of burden on the economy to be compliant with such regulations.

Moreover, he said that there are some talks about a unified GCC law but “I believe that most of the regulations worldwide will be more or less the same, some will be more stringent and some will be relaxed. One unified GCC law might be good but it will be challenging to come up with”.

Nine critical infrastructures get priority

As part of the new UAE cybersecurity strategy, Al Zarooni said that 60 initiatives will be executed in a three-year timeframe but importance will be given to nine critical infrastructures such as government, energy, ICT, electricity and water, finance and insurance, emergency services, health, transportation, food and agriculture, through five pillars.

These pillars are:

  • To enhance cybersecurity laws
  • Regulations to address all types of cybercrimes
  • Secure existing and emerging technologies and support protection of SMEs by developing an essential cybersecurity standard for SMEs
  • Mandate cybersecurity implementation certification for government suppliers
  • Build a one-stop portal for SMEs to enable them to implement the standard

Moreover, Al Zarooni added that some of the frameworks for emerging technologies such as the internet of things, cloud computing, AI and blockchain are already in the drafting phase and depend on the mass execution of such technologies within the country.

“The cybersecurity law can’t be a standalone and will be there to strike a balance between the usage and the benefits versus the rest of the technologies,” he said. The reason for this strategy, he said, is the rise in cybercrime in the country.

Lucrative opportunities

According to research firm Cybersecurity Ventures, cyberattacks are the fastest growing crime and are increasing in size, sophistication and cost. Cybercrimes are expected to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015, while the cybersecurity market is expected to experience a 12-15% year-over-year growth through 2021.

The authority is enabling the ecosystem to capture the huge cybersecurity opportunities available: the AED 1.8b UAE cybersecurity market and the AED 18b Middle East and North Africa market.

Hamad Obaid Al Mansoori, Director General of TRA, emphasised the need for a national cybersecurity strategy as a main element in risk prevention and preparedness for security challenges in cyberspace.

“If we want to draw a future perception of the UAE, years from now, we would see the features of the smart city where millions of devices and platforms are connected, producing massive amounts of data, many of which will be at risk of piracy or privacy violation,” he said.

He added that the strategy has been developed based on the analysis of more than 50 sources of indicators and international publications, in addition to working with a team of international experts and benchmarking with 10 leading countries in cybersecurity systems.

Moreover, he said the strategy will also work on developing capabilities of more than 40,000 cybersecurity professionals, by encouraging professionals and students to pursue a career in cybersecurity, developing necessary cybersecurity capabilities to meet aspirations of the country, and fostering an ecosystem of cybersecurity training providers.