Privacy Programs: Balancing Compliance and Security
In July 2023, South Africa’s Department of Justice was fined nearly ZAR5 million (approximately $280,000) under the country’s privacy law, the Protection of Personal Information Act (POPIA), after a ransomware attack crippled its IT systems, exposing a dangerous lapse in cybersecurity due to expired antivirus and security tools. [1] This incident sent a clear message across the Middle East and Africa (MEA): data privacy without strong security is a hollow promise. As governments across the region roll out robust privacy regulations, businesses face a dual challenge and are realizing that compliance alone is no longer enough.
MEA countries are rapidly developing their own data protection regulations, often inspired by global standards. In the Middle East, GCC nations have shifted from various privacy provisions to dedicated laws. For example, the UAE enacted its first comprehensive Personal Data Protection Law (PDPL) via Federal Decree Law No. 45 of 2021, which came into effect on January 2, 2022. This law established a national data office and defined requirements for consent, individual rights, cross-border data transfers, and company obligations to protect personal data.
Some practical aspects of data protection in the UAE are still evolving. As of early 2025, the full implementation of the UAE's PDPL depends on the establishment of executive regulations. [2] Meanwhile, Saudi Arabia's PDPL took effect in September 2024, and Oman's Data Protection Law became active in 2023, with a compliance grace period until 2025.
