Now accepting applications for Fast Company Middle East’s Most Innovative Companies. Click here to apply.

At a time when consumers are becoming more careful about sharing data, and data privacy laws are also gaining unprecedented momentum, a new report by Protiviti found that a mere 21% of the organizations in the GCC region have effectively established a data privacy program.

The report shows an increase in privacy program implementations in the region, with 56% of respondents highlighting regulatory requirements as the primary driver and the need to maintain consumer trust and contractual obligations as the other important drivers.

However, findings show a need for coherence in data privacy implementation initiatives. Only 27% of organizations have dedicated data privacy departments, while 40% assign data privacy as the primary responsibility of the information security department.  

The report urges organizations to have a clear plan for data privacy, with defined roles and responsibilities, and that they should allocate sufficient resources to these programs.

“A generic approach to privacy does not work. Organizations will need to consider their business context, current state, existing capabilities, and risk appetites while strategizing their data privacy program,” said Niraj Mathur, Managing Director of Security and Privacy Practice at Protiviti. 

“Any gaps during implementing can have lasting impact due to stringent legal penalties and reputational risk from loss of customer trust,” Mathur added.

Over 75% of respondents identified data visibility as the main challenge in maintaining effective privacy programs.

Additionally, 75% of respondents expect to invest heavily in their privacy programs’ governance, risk management, and compliance (GRC) requirements this year, anticipating that regulatory agencies will conduct regular audits and inspections to ensure that organizations comply with privacy regulations. However, 43% of organizations have not allocated a budget for privacy programs.

The report calls for organizations to “undertake a comprehensive data discovery exercise to identify and map out the collection, storage, processing, and transfer of personal data within their environment.”