
Bahrain’s personal data protection law (PDPL)

Bahrain issued Law 30 of 2018 – the personal data protection law (PDPL) – on 19 July 2018. The PDPL, which comes into effect on 1 August 2019, applies to almost every entity processing personal data. The PDPL will dramatically change the way businesses in Bahrain process personal data. Businesses are required to seek approval before collecting, processing or storing personal data. There are also new rules for how businesses manage data.

The PDPL, in a first for the region, also introduces criminal penalties, with prison terms of up to one year for serious offences.

Keypoint’s data privacy team has deep data privacy and protection experience, having been engaged on a number of projects related to data classification, end-to-end data process reviews and data life cycles. We have also been engaged by clients to implement various information security-related controls.

For more details on how the PDPL will impact your business – and how Keypoint can help assess and mitigate that impact – please download or contact:

Srikant Ranganathan

Senior Director

+973 1720 6827

+973 3626 6286


CBB drafts rules on cyber security

In a possible sign of things to come, the Central Bank of Bahrain has proposed changes to Volume 4 of its Rulebook (investment firms), revising the authorisation module, drafting a new module on digital financial advice and adding a chapter on cyber security risk measures, as well as adding to Volume 4’s glossary. The new cyber security chapter is a complete rewrite of the existing regulation and goes into detail on areas including accountability and responsibility, roles and responsibilities, and policies and procedures. Licensees providing internet services are required to test their systems twice a year – and to report the findings to the CBB within two months. These tests must be conducted by external, independent security professionals, such as ethical hackers. The proposed rules – which currently apply only to investment firms – are available on the CBB website in the ‘open consultations’ section.

For more details, please read here or contact Srikant Ranganathan at srikant.ranganathan@keypoint.com or Rayan Britto at rayan.britto@keypoint.com.

SWIFT launches blockchain trial

SWIFT – a standard format for business identifier codes (BICs) used to identify banks and financial institutions globally – has announced a trial integration with R3’s Corda blockchain platform in the hopes of creating a transparent system that can be used to monitor payment flows and support application programming interfaces (APIs). Initially, the trial will be limited to R3’s trade ecosystem but – if successful – could be extended to support other distributed ledgers, non-distributed ledgers and e-commerce platforms. Companies using the R3 platform will authorise payments from their banks using global payments innovation (GPI) links. Payments will be settled and confirmations – once completed – reported back to trade platforms using those same links.

The growth of blockchain-based solutions indicates that the technology is here to stay, becoming the basis for highly efficient, transparent systems.

For more details, read here or contact Srikant Ranganathan at srikant.ranganathan@keypoint.com or Rayan Britto at rayan.britto@keypoint.com.

TRA to enforce risk standards

In a move designed to strengthen protection for Bahrain’s critical telecommunications infrastructure, the Telecommunications Regulatory Authority (TRA) released Resolution 5 of 2017, regulating risk management for critical telecommunications infrastructure, in May 2017. The resolution establishes a risk management process that is closely aligned with ISO 27001:2013, sets out expectations for business continuity (ISO 22301:2012), standardises licensees’ approach to assessing and protecting the security and availability of critical telecoms infrastructure and defines licensees’ responsibilities. Licensees which install, operate or manage critical telecoms infrastructure, as well as holders of particular licences, should expect to receive, if they haven’t already, a risk management determination (RMD). Based on the RMDs, licensees are expected to adhere to two specific timelines – a three-month deadline requiring an asset inventory and an 18-month deadline requiring licensees to develop, implement and maintain a business continuity plan; ISO 27001 certification; a certification audit report; and a risk assessment.

The TRA also expects businesses to recertify every three years and reserves the right to ask for additional risk assessments, including penetration testing. Licensees that are found to be non-compliant will be deemed to be in material breach of the telecommunications law and could face penalties and sanctions.

Keypoint is working with a number of telcos on a range of ISO certification engagements and has a skilled, seasoned team with the required credentials. More details on Resolution 5 can be found in our recently released flyer. Alternatively, please contact Srikant Ranganathan at srikant.ranganathan@keypoint.com or Darrshan Manukulasooriya at darrshan.m@keypoint.com.

Keypoint Senior Director addresses BCICAI on Bahrain’s PDPL

Srikant Ranganathan addressed the Bahrain Chapter of the Institute of Chartered Accountants of India (BCICAI) on Bahrain’s upcoming personal data protection law (PDPL) on 26 February. Speaking to a packed audience at the BCICAI’s ‘High Tea’ event, Srikant explained that Bahrain had released Law 30 of 2018, the Personal Data Protection Law (PDPL), in July 2018, with the PDPL coming into force on 1 August 2019. The PDPL gives individuals and entities in Bahrain rights in relation to how their personal data can be collected, processed and stored. It imposes new obligations on how businesses manage data. Under the law, personal data must be processed ‘fairly’. Data owners must be notified when their personal data is collected and processed. Personal data must be stored securely. Data owners can exercise their rights directly with businesses. The PDPL also requires entities to seek prior approval from the relevant data protection authority (DPA) when collecting, processing and storing personal data. In a striking contrast to the EU’s recently implemented GDPR, the PDPL includes severe penalties (including jail time) for non-compliance.

Keypoint was one of the first professional firms in the region to understand and highlight the challenges that personal data requirements – whether the EU’s GDPR or Bahrain’s PDPL – will have on Bahraini businesses. For more details on how our data privacy team can help you, or to request a gap assessment, contact Srikant Ranganathan at srikant.ranganathan@keypoint.com.