Kuwait had no data protection law until the Communication and Information Technology Regulatory Authority (CITRA) introduced the Data Privacy Protection Regulation (DPPR). The DPPR imposes regulatory obligations on Communications and Information Technology Service Providers and on entities that collect and process the personal data of natural persons through various means, such as websites and applications.
Let’s look at the most important obligations provided under Kuwait’s DPPR.
The law applies to the personal data of a natural or legal person who is identified, or can be identified, through identifiers such as name or financial, health, identity, religious, or racial information. It further covers information that can be used to identify a natural or legal person’s geolocation, genetic fingerprints, or personal tracking systems, or any combination of data that allows physical or online contact with the person, who is referred to as the data owner.
As far as the territorial scope of Kuwait’s Data Privacy Protection Regulation (DPPR) is concerned, the law applies to all public and private sector service providers that collect, store, and use personal data, whether the processing takes place inside or outside Kuwait. The processing may be automated or carried out by any other means as part of a data storage system.
However, the provisions of this regulation do not apply to the following entities:
Similar to other laws, DPPR has defined a particular set of obligations for service providers and personal data owners. Let’s take a closer look at some of the important DPPR obligations.
Under DPPR, service providers shall comply with the following data processing guidelines:
Moreover, the data processing would only be legitimate if one or more following conditions are true:
DPPR also states that a service provider will not incur civil, administrative, or criminal liability if the intellectual property rights of a third party are violated through the upload, processing, or storage of information. This protection does not apply if the service provider becomes aware of the violation and takes no appropriate action. Service providers should notify CITRA or any other competent entity without delay of any violation under the Electronic Crimes Law and other laws of Kuwait. They may also refer third-party complaints about violating content to the relevant state authorities, and, where such a violation occurs, remove or restrict access to the violating content.
DPPR has a comprehensive, clear, and strict set of obligations regarding the consent of data owners. Service providers must obtain the consent of the user (the data owner) to collect and process their personal data before providing the service to that user. More importantly, the data owner must consent to all the conditions and obligations that apply to the collection and processing of their personal data.
Concerning the collection and processing of the personal data of minors (under 18 years of age), service providers must obtain the explicit consent of the minor’s guardian. The law further obligates service providers to make “acceptable efforts” and use “available technologies” to verify the age of the minor, and requires CITRA to have a mechanism in place for obtaining the guardian’s consent.
DPPR further enables data owners to withdraw their consent at any time. Such withdrawal does not affect the legality of processing carried out before the consent was withdrawn. The service provider should also make withdrawal of consent available from the start of the process. In addition, DPPR enables data owners to request that service providers erase all of their processed data from their systems and logs upon a consent withdrawal request.
Service providers must also obtain the consent of the data owner before disclosing their data to any third parties for any marketing purposes unrelated to the services requested by the user.
Like most other data privacy and protection regulations around the globe, Kuwait’s Data Privacy Protection Regulation also obligates service providers to establish and provide accessible privacy policies and privacy notices on their websites, sign-up forms, or at any point of sale.
In the event of a breach, service providers are required to notify CITRA within a period not exceeding 72 hours when the incident is discovered. The notification should include:
DPPR requires service providers to notify data owners as well if the breach is associated with the personal data of a data owner. However, service providers may not need to notify data owners of the breach if they have taken appropriate technical and regulatory measures against the breach.
Kuwait’s DPPR requires service providers to implement appropriate security measures against the loss, disclosure, or breach of personal data and against any unauthorized access by a third party. The measures taken to protect personal data should be appropriate to the sensitivity of the personal information, taking into account the potential risks and impact on the rights and freedoms of legal persons, such that:
DPPR further obligates service providers to protect data against unauthorized disclosure, accidental loss, and illegal destruction and to comply with the guidelines or directives provided by the CITRA about risk management and disaster recovery.
Similar to the European Union’s General Data Protection Regulation (GDPR), Kuwait’s DPPR also requires service providers to maintain a record of processing activities for review by CITRA upon request. The records should contain the following details:
Moreover, the service providers should make records available for viewing by CITRA upon request and train their processing staff in line with data protection policies.
DPPR requires service providers to notify data owners of their intention to transfer the data owners’ personal data outside Kuwait, while following the measures recommended by CITRA.
A legal person who wishes to contract with any service provider has to classify his data for information security purposes by adhering to the data classification policy adopted by CITRA or any set of international best practices.
Data protection regulations are established not only to secure data against cyber breaches, internal abuse, and other security threats. Another purpose of these regulations is to empower users by giving them clear and exclusive rights over their personal data and transparency about how it is handled. The service provider should also establish a mechanism through which users can file requests to obtain, correct, delete, restrict, or transfer their personal data. The following are some data owner rights that Kuwaitis can exercise:
The data owner is entitled to exercise his right to access details regarding his personal data processed by the service provider.
The data owner has the right to request the service provider to change or rectify the data or delete it.
The data owner has the right to request that the service provider delete their personal data upon withdrawal of consent, or if the personal data is no longer required to use the services provided by the service provider.
The Communication and Information Technology Regulatory Authority (CITRA) is the primary authority to enforce penalties and fines in the event of a proven violation, as stipulated under Law 37 of 2014.
Kuwait’s Data Privacy Protection Regulation (DPPR) is not as comprehensive as the EU’s GDPR, PIPL, or LGPD. However, it is clear and succinct enough to deliver personal data transparency to data owners. That being said, organizations must develop a sound strategy to operationalize DPPR in line with their business. Here are a couple of steps you can take to get started:
Worldwide practices for accessing, protecting, and sharing data are evolving rapidly, requiring businesses to become more privacy-conscious in their data handling processes and to adopt automation to safeguard customer data, operationalize compliance, and avoid falling behind.
Standalone tools are not enough to combat digital threats and enable companies to comply with evolving global data privacy regulations, as they offer only elementary data-driven functionality. With the power of Artificial Intelligence and Machine Learning, organizations can enhance their capabilities.
Securiti’s PrivacyOps platform is a simple, intelligent, end-to-end automation solution for businesses. Securiti can assist you in remaining compliant with Kuwait's DPPR as well as other privacy and security standards around the world. Request a demo right now.