With the deadline looming for the introduction of Bahrain’s new Personal Data Protection Law (PDPL), ACE Insurance Brokers, the GCC’s leading privately-owned insurance broking organisation, urges companies in the Kingdom to undertake cyber risk assessments to limit data exposure and ensure compliance.

The PDPL comes into effect on August 1 this year. It will be overseen by the new Personal Data Protection Authority which can impose hefty fines and penalties for non-compliance or data breaches.  PDPL has been widely welcomed by analysts as a key growth enabler, which will drive the Kingdom further into the digital economy and boost its competitiveness. 

“The law is a regional game-changer,” explained Simon Fisher, Senior Vice President at ACE Insurance Brokers, Bahrain. “Business owners are now forced to seriously consider the risks associated with dealing and safeguarding their customers’ data.”  

The Personal Data Protection Authority can issue orders to stop violations, including issuing emergency orders and fines while the law carries criminal penalties for businesses violating certain PDPL provisions. Civil compensation is also allowed for any individual who has incurred damage arising from the processing of their personal data by the data manager, or PDPL violations by a business’s data protection supervisor.  

One of the biggest concerns that businesses in the region will face as a result of the introduction of the law is keeping their clients’ data protected, not just through the management of their own systems, procedures and controls, but also by any party they outsource data management to – threatened further by the risk of external cyber threats, including viruses and hackers.

“The resulting fines for non-compliance and/or a data breach can be financially crippling (fines of up to BD 20,000 (US$ 53,200) or imprisonment for up to one year)

and that is without considering the operational impact any resulting cyber security attack can have on a business,” said Fisher. 

“The issue is brought into stark focus by a recent Ponemon Institute study which states that in 2017, organizations in the Middle East experienced  average data breach costs of US$ 4.94 million – and that’s without the hidden costs of productivity disruption, and reputational damage. A serious internal study of a company’s IT security risks is now an immediate and shrewd preventative requirement.”

The PDPL gives individuals rights as to how their personal data can be collected, processed and stored. It imposes obligations on all businesses that deal with customer data to manage and process personal data fairly and securely.

 ”As insurance brokers, with advanced knowledge of the subject, ACE can provide companies with  cyber insurance solutions to ensure they are protected, both financially, and operationally in the event of a breach.” 

“Change brought about by technology disruption is impacting business requirements across many industries. While it is challenging to predict risk before it hits, our team of IT security and insurance experts can read the signs and are keenly attuned to the factors affecting this region. We are therefore capable of advising clients on how to mitigate new risks and provide them with appropriate cover, whatever the industry” explained Fisher. 

ACE believes cyber insurance has an important role to play specifically in Bahrain’s vital financial sector. “Banks, for example, are required to have robust systems in place to protect customer data – now even more so with this new law.” Whilst financial institutions are not required to purchase cyber insurance, it is especially important for companies dealing with large quantities of Personally Identifiable Information (“PII”) to consider cyber cover in order to transfer any residual risk. This added protection allows organisations to enhance their competitiveness and speed of response in the event of a cyber attack, as well as help adhere to the Kingdom’s standing as a world-class financial centre,” said Fisher.   

ACE points out that cyber insurance won’t protect a business from being a victim of cybercrime and that it is just one part of an overall business strategy. However, it can help keep a company financially stable should a significant security breach occur. “As we are increasingly operating in a digitalised world, business exposure to cyber crime increases.” Fisher emphasised that a cyber security assessment is needed to ensure businesses have the right cover.  

“Businesses should recognise that there are substantial legal fees, fines, and costs associated with recovering compromised data, repairing systems, restoring PII, notifying customers of a breach, mitigating brand damage etc – not to mention the cost of lost profits and continuing expenses and any potential legal liabilities.”

“Coverage may extend to business downtime or necessary forensic investigation to unearth the cause and impact of an attack. Cyber insurance will help a business recover from a data breach or identity theft by mitigating aftermath costs. Not to investigate it is surely a risk too far.”

ACE welcomes the new law as a positive step for businesses in the country and region to continue to keep a competitive edge as they operate in a modern and digitally connected world.