Data Privacy Protection Regulation (DPPR) - Kuwait
The Trust Challenge

Key Obligations & Consequences

Applicability

  • The law applies to the personal data of a natural or legal person whose identity can be identified or is identified through identifiers like name, financial, health, identity, religious, or racial information.
  • It further includes information that can be used to identify a natural or legal person’s geolocation, genetic fingerprints, personal tracking systems, or a combination of other data that allows physical or online contact with the person who shall be referred to as the data owner.
  • The law applies to all public and private sector service providers who conduct the collection, storage, and usage of personal data processed either inside or outside Kuwait.

Basis for processing personal data

Under DPPR, service providers shall comply with the following data processing guidelines:

  • Provide clear and easily accessible information about their data processing practices.
  • Clarify, before providing services to the user, the purpose for which user data is collected as necessary to provide the service and how the collected data will be used.
  • Provide all information and service conditions, as well as the request processes to change or delete data, in easy and accessible terms in both English and Arabic before providing services.
  • Process data in a way that ensures that personal data is protected against unauthorized or illegal processing activities.
  • Provide information on the duration and location of personal data storage.
  • Inform the user if the service provider intends to process data for purposes other than those for which the personal data was collected.
  • The Communication and Information Technology Regulatory Authority (CITRA) is the primary authority to enforce penalties and fines in the event of a proven violation, as stipulated under Law 37 of 2014.

The Trust Challenge

Key Challenges in brief:

The following are the issues created by Oman's PDPL laws that the majority of organizations face:

Consent Requirements

DPPR has a comprehensive, clear, and strict set of obligations regarding obtaining the consent of data owners. It is imperative for service providers to obtain the consent of the user (the data owner) to collect and process their personal data before providing the service to the user. More importantly, the data owner must provide consent to all the conditions and obligations that apply to the collection and processing of personal data.

Security Data Breach Notification

In the event of a breach, service providers are required to notify CITRA within a period not exceeding 72 hours from when the incident is discovered.

Records of Processing Activity (RoPA)

Similar to the European Union’s General Data Protection Regulation (GDPR), Kuwait’s DPPR also requires service providers to maintain a record of processing activities for review by CITRA upon request.

Cross-border Data Transfer Requirements

DPPR requires service providers to notify data owners of their intention to transfer the data owners' personal data outside Kuwait, while following the measures recommended by CITRA.

Fulfillment of Data Subject Rights

Following are some data owner rights that Kuwaitis can exercise:

  • Right to Access: The data owner is entitled to exercise his right to access details regarding his personal data processed by the service provider.
  • Right to Rectification: The data owner has the right to request the service provider to change or rectify the data or delete it.
  • Right to Erasure/Destroy/Anonymize: The data owner has the right to request the service provider to delete the personal data upon the request for consent withdrawal or if the personal data isn’t required anymore to use services provided by the service provider.

Win-Win Situation

Solutions

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party “Privacy Intelligence” (monitors third party sharing): Silos often exist within entities or between business and IT teams, and it is challenging to get a full picture of the data leaving the organization and the data coming into it, especially when data is shared with third parties, vendors, business partners and others. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing” to help you take action on it.

“Data Minimization”: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization legal requirements. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets for excess data using Machine Learning, removing unnecessary and irrelevant personal data. Removing this data reduces costs by eliminating operational inefficiencies and ensuring compliance with regulatory mandates.

“Right to be Forgotten (RTBF)” with Assured Deletion: TurtleShield RTBF lets businesses easily comply with the CTDPA's right to deletion by giving them the ability to delete data on request, with recorded validation of the deletion.

Enable data subject rights with cost savings and compliance in totality: The assumption that data exists only in databases and nowhere else is often not the reality, as customer data exists in many sources. Using Machine Learning and AI, we predict where PII can exist, making it possible to quickly fulfill data subject requests across the totality of large datasets and improving the speed and completeness of CTDPA request compliance.
