The Egyptian Junior Business Association (EJB) has outlined eight key steps to help companies comply with Egypt’s new data protection law.
The new law No 151 for 2020, which has been modelled largely on the EU’s General Data Protection Regulation (GDPR), was issued on 15 July 2020 to regulate Personal Data Protection.
EJB member Sherif Makhlouf said that the law provides a grace period of one full year for organisations to address and comply with its requirements.
It is applicable to all organisations that control or process personal data, which is defined as information that can be used to identify an individual. This includes the individual’s full name, picture, voice data and/or recordings, national identification number, or online identifiers.
A regulatory authority will be established to take responsibility for protecting personal data, whilst also supervising and enforcing the Data Protection Law. The soon-to-be-formed authority will be called the Personal Data Protection Centre (PDPC).
Makhlouf presented eight key steps organisations should take to ensure their compliance with the new regulations.
He noted that consent from the concerned individual is key, with emphasis on explicitly receiving clear consent from all users before collecting and storing their data. Once collected, this consent must be documented, with the data subject allowed to withdraw their consent at any moment. Using opt-in forms and checkboxes is a common way of implementing such a requirement.
Limitation of data storage is now required, where organisations are expected to limit the processing and collection of data to only the necessary pieces of information. Personal data will not be retained by the organisation once the processing purpose is completed.
All users will now have the right to ask the company about the information it holds on them, and what the company does with this information. In addition, users have the right to ask for correction, or even to ask for the deletion of their personal data, which is known as “the right to be forgotten”.
When the company intends to process personal data beyond the legitimate purpose for which that data was collected, users must be asked for their clear and explicit consent. Once collected, this consent must be documented, with users also allowed to withdraw their consent at any moment.
With digital marketing, especially when using email, SMS marketing or push notifications, it is very important for organisations to provide a valid and complete sender address. They are also required to indicate that the email or SMS is for marketing purposes, and most importantly to offer a clear way for users to opt out if they choose to.
Organisations must also maintain a Personal Data Breach Record, with users to be kept informed by the regulatory authority of any breaches in a timely manner. It is also required that organisations implement a wide range of measures to reduce the risk of attacks and breaches by hackers.
All organisations are required to assign a Data Protection Officer (DPO), who is to be registered with the PDPC. The DPO would have the responsibility to advise the company or organisation on compliance, as well as on internal training on such matters.
If organisations are collecting and processing data in the “sensitive personal data” category, they will need to be licensed by the newly formed PDPC.
Sensitive personal data consists of special categories of data relating to the mental, psychological, physical, genetic or biometric characteristics of individuals. It also includes financial data and data related to religious beliefs, political opinions, or criminal records. Information relating to children is always considered sensitive data.