With the increasing demand and rapid-paced developments in the technology industry, data privacy has become paramount. Many companies find enormous value in collecting, sharing and using data in their day-to-day business operations. In particular, businesses must ensure compliance with regulations when such data relates to personal data. In brief, data privacy is a branch of data security concerned with proper handling of data, including consent, notice and regulatory obligations.

Qatar was one of first countries in the Middle East to introduce a standalone data protection law: Law No. 13 of 2016 Concerning Personal Data Protection. In addition, the Qatar Financial Centre (QFC), as an independent regulatory jurisdiction, enacted its own Data Protection Regulations (DPR) in 2005. The QFC has recently issued its amended Data Protection Regulations and Data Privacy Rules (New DPR) on 21 December 2021, which will come into force on 19 June 2022.

The amendments aim to bring the existing DPR to the standards of the General Data Protection Regulations 2016/679 (GDPR), which will ultimately oblige businesses operating from the QFC to be more diligent in their data compliance practices. The New DPR also aims to ensure proper monitoring and regulation of QFC firms in the context of data protection. Some of the most significant amendments introduced by the New DPR include:

• The establishment of eight main principles in the context of processing personal data, which mirror those found in the GDPR.
• The expansion of the definition and conditions to be met to process personal data and obtain data subjects' consent.
• The establishment of a Data Protection Office and the appointment of a Data Protection Commissioner at the QFC. The Data Protection Office will be dedicated to QFC firms' compliance with the New DPR and will monitor such activities. The Commissioner, who will determine the procedures and overall management of the independent QFC institution, will have wide investigative powers if QFC firms fail to comply with the New DPR.
• The expansion of the rights of data subjects in relation to their personal data, including the right to access, right to rectify, right to erase, right to object, right to restrict, right to data portability and the right not to be subjected to a decision that is based on automated processing or profiling.
• The obligation of the data controller to carry out an impact assessment prior to the processing of personal data, if the type of processing is likely to result in a high risk to the rights and legitimate interests of data subjects.
• The imposition of significant financial penalties up to a maximum of US$1.5 million for QFC firms that fail to comply with the New DPR or an order of the Data Protection Office.

Aside from the significant financial consequences, there could be reputational damage to businesses that fail to comply with the New DPR. In light of this, QFC firms are encouraged to review the New DPR to ensure that all collection and processing of personal data complies with the New DPR from 19 June 2022. The Data Protection Office will also be providing training, guidance and tools on the New DPR, from which QFC firms can benefit.