The need for Acceptable Use and Privacy Policies
EMME Advisory Services
Supporting business in emerging markets and the Middle East
The adoption of Personal Data Protection Laws (PDPLs) in Saudi Arabia, the United Arab Emirates, Bahrain, Qatar, and Kuwait has introduced privacy policies to websites in the Gulf Cooperation Council (GCC) region. The Privacy Policy is often located in the footer next to the Terms of Use on many public and private websites in Saudi Arabia,[i] the UAE,[ii] Bahrain,[iii] and other GCC countries. Although the Privacy Policy is the only legally required policy, publishing Terms of Use continues to be a best practice that predates the introduction of the Privacy Policy. Terms of Use, also known as Terms & Conditions or Acceptable Use Policies, are used to protect website providers and their networks from liability and harm caused by user misconduct. Privacy Policies are used to provide the legal notice required before collecting a user's personal data through the website. This article explains the objectives, requirements, and need for both Acceptable Use and Privacy Policies.
Acceptable Use Policies
Website providers invest time and resources to make content and services available to their visitors and subscribers (Users), who could expose the website to cybersecurity risks and its provider to legal liability.
Acceptable Use Policies (AUPs) provide guidance and direction on how a website may be used and define the consequences of non-compliance. The AUP also establishes the legal agreement, or contract, that the website provider can rely on to mitigate risk and enforce compliance against Users who violate it.
Website Users
While the same privacy rights apply to all individuals, different Users can expose website providers to different types of risks and liabilities.
For example, individual Users can access website content whenever, and through whichever computer, smartphone, or device, they choose. Website providers can therefore limit their liability for individual use by defining acceptable use and removing offending content and Users.
In contrast, companies often require employees and contractors to use corporate networks and IT assets to perform their work.??When combined with the agency principles of the employee and contractor relationship, their use can expose network providers to direct legal liability.??In addition, the use of personal devices to access corporate emails and connect to corporate networks has increased the number of cybersecurity threat paths into corporate networks.
AUP Objectives
The AUP objectives for individual Users include:
The AUP objectives for employee and contractor use should also include:
AUP Requirements
To reduce liability for the actions of individual Users, the AUP should describe prohibited content and conduct. For example, within the region, illegal content can be anything that negatively impacts public order, religious values, public morals, or privacy. Prohibited content can also include discriminatory and defamatory messages and messages that are likely to cause harassment, abuse, or harm. Illegal conduct can include activities that may infringe on the intellectual and proprietary rights of others, interfere with network operations, or increase vulnerability to cyber-attacks.
To maintain network security, the AUP should describe and prohibit risky behaviors, and should describe the circumstances and methods for reporting suspicious activity, the loss of, or unauthorized access to, any device that can be used to access corporate networks.
To protect reputation and goodwill, the AUP should require employees to clearly distinguish their online personal activities and opinions from the company's. For example, the AUP should prohibit employees from using corporate email addresses or logos on personal social media accounts and public platforms.
To allow employees to use corporate networks and IT assets for personal activities, the AUP should describe the personal activities permitted and prohibit the use of corporate networks and assets for personal gain or profit.??In addition, where employees can connect personal devices to corporate networks and IT assets, the AUP should describe the security protocols and practices that apply to personal devices.
Personal Data Protection Policies
The Personal Data Protection Laws (PDPLs) of Saudi Arabia, the United Arab Emirates, Bahrain, Qatar, and Kuwait require all public and private entities that collect personal data, or Controllers, to notify individuals before collecting their personal data. The Privacy Policy provides the legally required notice.
Personal Data Subjects
While website providers may use different AUPs to address the various risks posed by different Users, all Controllers must provide the same Privacy Policy to all data subjects. Data subjects, or personal data owners, include all individuals, employees, contractors, and visitors whose personal data is collected and processed in the region.
PDPL Objectives
The objectives of the Privacy Policy are to let data subjects and personal data owners know:
PDPL Requirements
The Privacy Policy should identify the Controller and all Processors of personal data. Controllers are the website owners or companies that determine what personal data will be collected, why it is collected, and how it will be used. Processors include all affiliates, contractors, and legal authorities that may access or use personal data collected by the Controller.
The Privacy Policy should describe the types of personal data collected, including Sensitive Personal Data and Cookies. Personal Data is any data that can be used to identify an individual. Sensitive Personal Data refers to Personal Data that relates to defined characteristics such as ethnicity, beliefs, and affiliations, as well as criminal, biometric, credit, and health data. Cookies are small files that a website stores on the visitor's computer or device and reads back on later requests, which allows the site to recognize the visitor and track their movement throughout the website.
Personal data processing includes collection, use, protection, and disposal. Collection methods may include the automatic collection done by website cookies and the active submission of personal data when Users send questions, register for use, and complete online forms and applications.
The Privacy Policy should describe how personal data will be used for purposes related to the Controller's business, and the policies, procedures, and agreements that will be used to protect personal data until its deletion or destruction.
Finally, the Privacy Policy should describe the data subject's rights and how to exercise them. In the GCC region, data subjects have the right to:
Be Prepared
Because websites can collect vast amounts of personal data, the need for a website Privacy Policy is expanding throughout the GCC region. For example, the Saudi[iv] and Kuwaiti[v] PDPLs specifically require Controllers to establish a Privacy Policy, and the Kuwaiti PDPL requires that the policy be posted on the service provider's website.[vi] Websites in the GCC region should start publishing a website Privacy Policy in addition to their Acceptable Use Policies.
For help reviewing, updating, and developing your Acceptable Use and Privacy Policies, contact [email protected].
[i] https://www.stc.com.sa/content/stc/sa/en/personal/home.html, https://www.moi.gov.sa/wps/portal/Home/Home
[iv] KSA PDPL, Article 12 – The Controlling entity must adopt a personal data privacy policy and make it available to the personal data owner to review before collecting the data.
[v] KUWAIT PDPL, Article 6(22) – Each Communication and Information Technology Service Provider shall create and maintain a written privacy policy.
[vi] KUWAIT PDPL, Article 6(22)(b) – [The written privacy policy] is posted on the service provider's website.