Tried and tested

Dino Wilkinson of Baker McKenzie shares his perspective on the increasing use and importance of privacy certification schemes and how they are being adopted into the emerging privacy regimes of the Middle East.

In many industry sectors, it is common for individuals or organisations to be certified as compliant with particular standards, guidelines or specifications. An approved third party will typically audit an organisation’s systems or products to certify that they meet the relevant criteria, which gives that organisation’s customers or clients assurance that the criteria are actually being met.

Bodies such as the International Organization for Standardization (ISO) have issued standards in areas ranging from currency codes to food safety. In the technology sector, ISO/IEC 27001 is a well-known standard for information security management systems, which specifies the requirements for such a system and a set of reference controls covering information security, cybersecurity and privacy protection.

However, ISO and similar standards are generally voluntary codes that organisations may choose to adopt or disregard. Some customers might insist on a contractual commitment to ISO/IEC 27001 compliance, but the standard itself carries no statutory sanctions for breach or non-compliance; the consequences of falling short are contractual, or the loss of the certificate.

Data protection regulators, though, are increasingly recognising the value of certification schemes to establish that an organisation has adopted robust and adequate data privacy practices. Certification and accreditation requirements are being adopted into international data protection laws, including in the emerging privacy regimes of the Middle East.

Privacy certification

A company that adopts strong privacy practices not only ensures compliance with legal and regulatory requirements, but also establishes that it can be trusted with one of an individual’s most valuable assets: personal data.

In a field where trust and reputation are so important, most data protection regimes are built around a set of “data protection principles” with which organisations are expected to comply when processing personal data. Those principles typically establish obligations that are designed both to respect the rights of the individuals whose data is being processed (such as fairness and transparency) and to ensure appropriate governance and management of data (such as the need to implement appropriate technical and organisational measures to safeguard personal data).

The regulation of data protection arises from the combination of obligations on regulated entities (typically referred to as ‘controllers’ or ‘processors’), the rights afforded to individuals (i.e. ‘data subjects’), and the exercise of oversight and enforcement powers by the competent supervisory authority. Most such authorities – including the national and free zone regulators overseeing data protection regimes throughout the Middle East – publish a range of policies and guidance that help controllers and processors understand their compliance obligations and inform data subjects of their rights and remedies.

A host of other self-regulatory initiatives have developed in this space and certain practices have been incorporated into local or international standards. Many regulatory authorities have recognised the value of a standards-based approach by officially recognising certain certification schemes as a means to audit and assess the compliance of organisations with data protection principles. These privacy certification schemes are now essential frameworks that serve as a tool for building trust, demonstrating accountability, and enhancing transparency in data handling processes.

In an era where data breaches and privacy concerns are increasingly prevalent, the need for robust privacy certification schemes has never been more pressing.

Importance and rationale

Privacy certification schemes help organisations both to verify their compliance with regulations and to build trust with their customers and stakeholders by demonstrating a commitment to protecting personal data. In this context, a certified organisation signals to the public that it adheres to rigorous data protection standards.

Certification schemes also hold organisations accountable for their data protection practices. Governance and accountability are core principles of most data protection regimes and, by undergoing regular audits and assessments, certified organisations can show that they are continuously monitoring and improving their privacy measures. This also helps to ensure that they remain compliant with evolving regulations, demonstrating best practices to customers and business partners that can serve as a differentiator in a competitive market.

Finally, with the local and international landscape of data protection laws becoming increasingly complex, privacy certification schemes can provide a structured approach to achieving compliance. Certification schemes offer organisations a clear set of guidelines and standards to follow, simplifying the process of meeting legal requirements and reducing the likelihood of data breaches, legal penalties, and reputational damage.

International examples of privacy certification schemes

Various international data protection regimes reference certification schemes or mechanisms, including:

  • EU General Data Protection Regulation (GDPR): The GDPR, which has applied to organisations operating in the European Union since 25 May 2018, includes provisions for privacy certification schemes to enhance data protection compliance. Under Article 42, the regulation encourages the establishment of data protection certification mechanisms to demonstrate compliance with its requirements. Any such certification is voluntary and does not reduce the responsibility of the controller or processor for compliance with the GDPR. An approved certification mechanism, together with binding and enforceable commitments from the recipient, can subsequently form part of the appropriate safeguards that allow for transfers of personal data to jurisdictions that are not otherwise considered to offer an adequate level of protection.
  • California Consumer Privacy Act (CCPA): The CCPA, effective from January 2020, aims to enhance privacy rights and consumer protection for residents of California. While the CCPA does not mandate certification schemes, it does include an obligation on the responsible agency to establish a mechanism pursuant to which parties may voluntarily certify that they are in compliance with the law.
  • Asia-Pacific Economic Cooperation (APEC) Privacy Framework: The APEC Privacy Framework promotes a flexible approach to privacy protection among its member economies. The framework includes the APEC Cross-Border Privacy Rules (CBPR) system, a voluntary certification scheme that promotes accountable data flows across borders with a view to building consumer, business and regulator trust in such cross-border flows of personal information.

Certification schemes in Middle East privacy laws

While the data protection law landscape continues to evolve in the Middle East, several jurisdictions have recognised the potential use of certification schemes to validate compliance or ensure appropriate standards for data transfers. These include:

  • Saudi Arabia: The Personal Data Protection Law limits the transfer of personal data outside the Kingdom to jurisdictions identified as having an adequate level of protection or otherwise where the controller implements certain safeguards, including a certificate of accreditation. Some types of data transfer will, therefore, be authorised under the PDPL if the receiving entity has obtained a certificate of approval issued by a suitably licensed body. The Saudi Data & Artificial Intelligence Authority (SDAIA) has the ultimate power to issue accreditation certificates to controllers and processors. SDAIA recently consulted on draft rules for the issuance of such certificates and the licensing of audits for personal data processing activities, and introduced a separate accreditation certificate for artificial intelligence service providers in the Kingdom in January 2025.
  • United Arab Emirates: The published federal data protection law in the UAE does not currently include any reference to a certification scheme, although cross-border data transfers to countries without effective data protection legislation will be permitted subject to the implementation of appropriate measures and controls that will be further specified in the executive regulations to the law. This might include the use of certification or accreditation as a safeguard for transfers, similar to the Saudi approach, although at this stage the regulations are yet to be finalised. At an Emirate level, Dubai announced in February 2025 that it was implementing a new accreditation to be known as the Dubai AI Seal, which aims to provide companies with certification that their AI products are reliable, secure and trustworthy.
  • Egypt: The concept of certification is included in the Personal Data Protection Law that was published in 2020. It is defined as a certificate issued by the competent authority indicating that the recipient has “satisfied all technical, legal, and organisational requirements… whereby it is qualified to provide consultancy services in the field of Personal Data Protection”. Details of which organisations need to be certified are expected to be confirmed in the executive regulations to the law once they are issued.
  • Bahrain: While there is no requirement for the certification of controllers or processors in Bahrain’s Personal Data Protection Law, the independent role of ‘data protection guardian’ is subject to accreditation by the local regulator.
  • Oman: Similar to Bahrain, the external auditor required to be appointed by controllers and processors in Oman must be accredited and licensed by the Ministry of Transport, Communications & IT under the executive regulations to the Personal Data Protection Law.
  • Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM): The UAE’s financial free zones both recognise certification schemes for the purpose of demonstrating compliance with their respective data protection laws and regulations. DIFC also launched an accreditation and certification framework for autonomous and semi-autonomous systems processing personal data in 2024 to support compliance with Regulation 10 under the DIFC Data Protection Law.

Conclusion

Privacy certification schemes play a vital role in the modern data protection landscape. They provide a structured approach to achieving compliance, build trust and confidence, and encourage the adoption of best practices. As data protection laws continue to evolve, the importance of these schemes will only grow, making them an indispensable tool for organisations in the Middle East and worldwide.

Text by: Dino Wilkinson, partner and head of the technology, data & IP practice, Baker McKenzie, Middle East