Businesses operating in Oman will be subject to stiffer requirements over the way they process personal data from 9 February 2023.
The new Personal Data Protection Law (PDPL) in Oman reflects international data protection best practice and replaces existing data protection obligations in the Omani Electronic Transactions Law.
Much of the detail on what businesses will need to do to comply with the new legislation is expected to be set out in executive regulations that have not yet been published. However, there are things businesses can do now to prepare for the PDPL to take effect.
Map your data
Businesses need to understand what data they hold. This is important under the PDPL as the type of personal data will determine the legal requirements for processing it.
For example, businesses will need a permit from the Ministry of Transport, Communications and Information Technology (the Ministry) to process certain personal data, namely genetic data, biological data, health data, or data about a person’s ethnic origins, sexual life, political or religious opinions or beliefs, criminal convictions, or security measures.
In addition, processing the personal data of a child will require the approval of the child’s guardian, unless such processing is in the best interests of the child.
The data mapping exercise should flow into a record of data processing activities to enable Omani companies to effectively document their data processing activities, as required under the PDPL. This exercise should also identify any personal data processing activities that are excluded under the PDPL.
Get the right consents in place
Once businesses understand what data they hold, they need to make sure that they are meeting the legal requirements for processing it.
Under the PDPL, Omani companies cannot process personal data without the data subject’s explicit consent. The request for that consent must be in writing and be clear and understandable. Obtaining consent is also required before sending out any advertising or marketing materials or before publishing their personal data.
Omani data controllers will also need to be able to clearly demonstrate that the data subject has given their written consent.
Start to build your compliance framework
The PDPL requires Omani data controllers to have effective controls and procedures in place to effectively determine processing risks, to manage personal data transfers and to implement the technical and procedural measures necessary to ensure compliance with the PDPL.
Tell people what you are doing
The PDPL mandates the processing of personal data within a framework of transparency. In practice this means telling people how you are processing their personal data in the form of clear and simple notices.
These notices need to include the information prescribed by the PDPL, which include details of the controller and any processors, the purpose(s) for processing personal data and an accurate description of that processing. These details need to be provided to the data subject prior to any processing taking place.
Get prepared to manage data subject requests
Under the PDPL, data subjects will enjoy various rights. These include rights to revoke consent to the processing of their personal data, without prejudice to processing taking place prior to the revocation; to get their personal data amended, updated or blocked; to get a copy of their personal data; and to get their personal data erased.
The PDPL requires businesses to notify data subjects of these rights within their data protection notices.
Whilst the executive regulations will provide more details on the scope of, and the mechanism for exercising, these requests, it is important to start getting processes and procedures in place to manage them.
Have a complaints management procedure in place
A data subject can complain to the Ministry if they consider that the processing of their personal data does not comply with the PDPL. The executive regulations will set out the procedure for this. However, having established processes in place will be important for effectively managing any such complaints.
Be ready to disclose data processing activities to the Ministry
The PDPL places broad obligations on Omani companies to cooperate with the Ministry, to appoint external auditors, and to provide any information and documentation relating to its PDPL compliance, as requested by the Ministry. Omani companies need to be able to effectively respond to Ministry requests within the required time period, which will be defined in the executive regulations.
Respond effectively to a data breach
Under the PDPL, businesses will be obliged to notify both the Ministry and data subjects “when a hacking of personal data occurs leading to its destruction, alteration, disclosure, access or illegal
processing”.
The executive regulations will provide more details of how these notifications need to be managed but Omani companies should start planning now how they would deal with such data breaches.
Identify a data protection officer
The PDPL requires Omani data controllers to identify a personal data protection officer (DPO) and notify data subjects of the DPO’s details. The executive regulations will set out the requirements for the DPO. These can be expected to follow international data protection best practice.
Confirm any international data transfers
The PDPL allows for international transfers of personal data out of Oman, except where any transfers would violate the PDPL or cause the data subject harm. The executive regulations will set out the specifics of how these data transfers can take place, but Omani companies should expect that there will be controls and procedures similar to other data protection laws globally.
Co-written by Alexandra Bertz of Pinsent Masons.
