Qatar’s Advisory (Shura) Council unanimously approved the draft of a landmark new data privacy law, requiring companies to increase their level of data security and protection against cyber threats. The law was originally drafted in 2011, but has recently gained importance in the wake of the alleged cyber attack on Qatar National Bank. During the attack, hackers gained access to the bank’s customer records and leaked them online in a massive 1.4 GB file. The file contained sensitive information on more than 1,200 individuals, including Al Jazeera journalists and members of Qatar’s ruling Al Thani family.
Creating a regulatory framework for cyber security has become an urgent priority to prevent similar attacks from occurring in the future. In the near future, these laws will place the burden and responsibility of protecting sensitive information on the leadership of every organisation in the country. Organisations that fail to comply with the new laws will face heavy fines of up to 1.37 million USD.
Qatar is not the first country in the GCC to implement such laws. Oman, for example, has been one of the most proactive countries in the GCC in terms of adopting legislation to help promote cyber security and protect the country’s virtual borders. Under the new law, companies are obliged to protect sensitive information from being leaked or hacked. Failure to do so could result in hefty fines (5 million QAR).
According to the Qatari Ministry for Transport and Communication, the new law seeks to create “established standards of data protection as determined by the state”. The third chapter of the law outlines basic data protection responsibilities will become mandatory for all organisations in the country. These responsibilities include properly training data handlers to detect and to mitigate cyber security threats, by using “the necessary precautions to prevent personal data against loss, damage or disclosure”.
Organisations will be required to ensure that their networks and systems are adequately protected. They will be expected to rely on effective, up-to-date cyber security measures, and test these measures on a regular basis. In Qatar CEOs may need to urgently look into authorising budgets for cyber security – to pay for technology rather than to pay fines.
