Regulating the rapidly digitizing MENA and GCC regions: How enterprises can keep up

As we continue to innovate globally, enterprises are digitizing new and existing businesses while expanding rapidly into the Middle East and North Africa (MENA) and the Gulf Cooperation Council (GCC) regions. As such, investments are projected to scale exponentially. On the heels of a 25% increase in SaaS investment in the Middle East, both local-borne and international businesses looking to enter the regions are quickly realizing that these advances come with their own set of regulatory challenges. 

Small and medium-sized enterprises (SMEs) are one of the fastest-growing segments in the MENA and GCC regions. Within the GCC alone, these businesses are set to account for $920bn in spending by 2022. Thanks to the rise of digital platforms in the region like social media, new industries like gaming and retail that were previously not as sought after have become increasingly successful.

As a result, these countries are faced with rapid expansion and the concerning knowledge of the dangers of large-scale breaches. Although they don't currently have the in-depth data regulatory policies of other regions like the E.U., governmental and business leaders in countries like Saudi Arabia and the UAE have begun work on introducing new regulations to keep up with digital innovation. As societal values change, so do legislative frameworks. Now, one global issue, in particular has bubbled to the surface: data privacy. 

Frustratingly for businesses that value data privacy, key operational practices complicate compliance with data residency requirements, either governmental or internal-corporate policies. With goals to capitalize on development, policy-makers have been forced to consider: how can we best ensure data security and privacy in the region? 

The CLOUD Act approach

In the debate surrounding regulation in MENA and GCC, some have referred to the 2018 Clarifying Lawful Overseas Use of Data Act. The CLOUD Act enables the U.S. government to request information from companies hosting data in another country, granting it the ability to curtail foreign legal processes for accessing data. In practice, if your company's data is stored in the U.S. or within a non-U.S. data center owned by a U.S. business, the government has the authority to issue warrants demanding data access. 

Although it's been argued that the CLOUD Act addresses key underlying security vulnerabilities, it has equally stifled consumer and enterprise trust through over-regulation. The policy requires in-depth attention paid to the movement of information across borders and leaves data exposed to the unauthorized intervention of the U.S. government. In addition to the CLOUD Act, U.S. regulations like the Foreign Intelligence Surveillance Act (FISA) and National Security Letters (NSLs) mandate regulation across borders. 

There are many legitimate business reasons why a company would decide to avoid their data being accessed by the U.S. government. These include the sensitive nature of the data, such as personal customer or employee records, location data, health data, intellectual property, financial records, or a violation of the company's ethical principles.

Additionally, local regulatory framework dictating how and where company data be stored may be in contradiction to the American law. For instance, several countries in the MENA and GCC regions have data localization regulations that require specific types of data to be stored or processed regionally. For example, the UAE's "Federal Law No.2 of 2019 – How to use I.T. and Telecommunications in the Healthcare Sector" mandates all health data be processed and stored locally.Jordan Report

A balanced regional approach

With this in mind, the MENA and GCC regions have an opportunity to create a new regional policy that combines the successes of foreign policies to strike a careful balance that both protects data and encourages innovation.

As a rapidly expanding global IT-hub, the growing talent pool and accessibility to cloud computing technology has encouraged foreign businesses to capitalize on the current lack of regulation. With the goal of expanding the booming market, any policy change would affect both local and foreign business development. 

In Europe, the government has established a clear set of rules for business practices at a regional level, and companies are encouraged to update policies and ensure consumer safety to avoid hefty governmental fines. Uniquely, the regional scale of the policy avoids the complexities of siloed cybersecurity, building a path towards compliance.

However, MENA and GCC leaders should leverage their knowledge of inherent weaknesses in prior policies to create regulation that meets the specific needs of the growing marketplace's foreign interest. A policy like this could create a happy medium for enterprises, enabling them to protect themselves and their customers while leveraging SaaS solutions like Salesforce where by default, the data resides outside of the country, without the risk of over-rearchitecting. 

Benefits of cloud-based compliance solutions

One thing is clear, as the MENA and GCC regions open up for new business, we're going to continue to see an increased implementation of data regulation. Regardless of the kind of policy enacted in the region, compliance will continue to require investment parallel to business growth. As data compounds, enterprises should begin to consider the value of solutions that help them remain compliant with the fragmented global data regulatory landscape. 

Digital transformation is no longer just an I.T. issue, but an all-encompassing company needs. With new cloud-based offerings such as data residency-as-a-service, organizations can leverage their SaaS solutions while adhering to local regulations by storing and processing data within many different sovereign countries. With this in mind, businesses must remember that it is essential to work with a system that has local hosting partners to manage customer data in multiple jurisdictions. 

When comparing options, companies should consider a solution's scalability, certifications, and comprehension of local challenges to ensure compliance. It would also be worthwhile to verify that the platform they choose can integrate with existing and proven SaaS solutions to ensure data localization capabilities. 

By using these services, businesses can address important data privacy and residency concerns without investing their talent, time, software, and infrastructure into understanding the multitude of data requirements and compliance regulations. When combined with other cloud services, the right data residency solution can create a multi-cloud environment, enabling all the advantages of cloud technology that were previously out of reach.      

For enterprises expanding their business in the MENA and GCC regions, what data regulation trends do you foresee in the near future?

With Mawdoo3, Jamalon, and HyperPay raising a combined $33M in total funding in 2019, it was a record year by funding for the Jordanian startup ecosystem. Learn more about one of MENA's oldest ecosystems in our 2019 Jordan Venture Investment Report.