Complying with Egypt’s New Data Protection Law
On 15 July 2020, Egypt joined the exclusive club of Middle Eastern countries with national data protection laws, publishing the Personal Data Protection Law (Law No 151 of 2020). The PDPL, which came into force on October 14, brought a wide range of new obligations for businesses.
What are the various rights under the Personal Data Protection Law?
Data subjects have:
- The right to know what personal data is being processed by whom, and to access the same;
- The right to correct, modify, delete, add or update his or her personal data;
- The right to limit processing of his or her personal data within a limited scope; and
- The right to be notified of any personal data breach involving his or her personal data.
Appointing a Data Protection Officer
The legal representatives of data controllers and data processors must appoint data protection officers. There are currently no exceptions for small organisations and entities that process small volumes of data. Further, it remains to be clarified whether the data protection officer must be appointed locally or whether an officer hired internationally by a sister or parent organisation will meet the requirement.
Here is what businesses can do to prepare:
- Appoint a DPO, define roles and responsibilities for data privacy and provide appropriate training to your staff who process personal data.
- Prepare the list of data processing activities performed in your organisation.
- Notify purpose and seek consent, whilst also implementing consent management procedures.
- Review the individual rights and ensure that you fully understand the business impact of each. Respond when individuals ask about their personal data.
- Review technical controls present in your organisation, to ascertain whether they are fit for purpose and support data protection requirements.
- Establish processes, policies and procedures to enable efficient data processing and compliant digital marketing.
- Establish a data breach management process to detect, investigate and report possible personal data breaches to the Authority.
- Evaluate your contracts with data processors to meet PDPL requirements. The risks introduced to the data by third parties should be well understood and managed.
- Review your cross-border data transfer mechanism. Protect your personal data when transferring overseas. Apply for a license (if applicable).
- Communicate your data protection policies, practices and processes.
Licenses and Authorizations from the Data Protection Authority
Data controllers and data processors are required to obtain a license from the Data Protection Centre, which is the Egyptian data protection authority to be instituted. The centre will have 90 days to decide whether to grant a license to process data, as well as specific authorizations relating to specific processing activities, such as international data transfers or the processing of sensitive data. Beyond the 90-day timeframe, the application will be considered rejected.
Helping You Build Resilience and Confidence
Marsh’s position as a global cyber leader is due to our highly credentialed and experienced professionals who are dedicated cybersecurity advisors, claims advocates, legal professionals and former underwriters. Our colleagues work together to deliver integrated solutions that help clients respond to the latest cyber threats.
To learn more about our cyber risk management solutions, contact:
SIMON BELL
Financial & Professional Lines Leader – MENA
simon.bell@marsh.com
PEPIJN DE JONG
Cyber Resilience Practice Leader - MENA
pepijn.de-jong@marsh.com
SARAH HAMLAT
Cyber Insurance Specialist - MENA
sarah.hamlat@marsh.com