PRIVACY · COMPLIANCE · 2026-06-22 · 8 min read

Your customer data is now regulated, not just risky — what MENA’s new privacy laws mean for the systems you run

Privacy went from an edge case to the default: three-quarters of the planet is now covered by a modern data law, and the wave has landed in MENA on a fixed timeline. This is no longer a legal footnote — it is a set of requirements your systems either satisfy by design or fail by default. Built in, it costs once; bolted on after a complaint, it costs roughly three times as much.

By Felukaa
[ THE SHORT VERSION ]

For most of the last decade, "data privacy" was something a growing business in Egypt or the Gulf could file under "later." There was no local law with teeth, the regulator was theoretical, and the worst case felt like a reputational bruise. That era is over, and it did not end gradually. In 2020 only about 10 percent of the world’s population had its personal data covered by a modern privacy regulation; by the end of 2024 that figure had reached roughly 75 percent [1]. Privacy stopped being a Western edge case and became the default condition of doing business almost everywhere — including, finally and concretely, the markets Felukaa builds for.

The wave is not abstract anymore; it has dates. The UAE’s Personal Data Protection Law has been in force since the start of 2022 [4]. Saudi Arabia’s PDPL moved from a grace period into live enforcement in September 2024, and the regulator has already issued dozens of enforcement decisions with fines of up to five million riyals per violation [3]. And Egypt — which passed Law No. 151 of 2020 but left it dormant for years without executive regulations — issued those regulations in November 2025, starting a one-year clock that makes the law fully enforceable around October 2026 [2]. If you run a business that touches customer data in any of these markets, you are not waiting for a rule to arrive. You are inside a compliance countdown that has already started.

Here is the shift that matters for anyone who owns systems rather than reads statutes: privacy compliance is not a policy you write, it is a property your software has or does not have. Lawful consent, the right to be forgotten, knowing where every record physically lives, being able to export or delete one customer on request, notifying a breach inside a deadline — none of these can be bolted on with a cookie banner after the fact. They are decisions baked into how your CRM, your billing, and your customer database are built. This piece is the operator’s map of that shift: what the new MENA laws actually require of your systems, why "we’ll deal with it if someone complains" is the expensive path, and what it means to build privacy in rather than paint it on.

[ FIGURES ]
Figure 1 · From 10% to 75% — and the wave has dates on it now
[Chart: share of the world covered by a modern privacy law, 10% (2020), 65% (2023), 75% (2024); regional timeline: UAE in force Jan 2022, Saudi Arabia enforcement live Sep 2024, Egypt full enforcement Oct 2026]
The share of the world’s population covered by a modern privacy law climbed from roughly 10 percent in 2020 to about 75 percent by the end of 2024 [1]. That global default has now landed on a fixed regional timeline: the UAE’s law in force since January 2022 [4], Saudi Arabia’s PDPL in live enforcement since September 2024 [3], and Egypt’s Law 151 reaching full enforcement around October 2026 after its executive regulations issued in November 2025 [2].
Figure 2 · Built in, it costs once; bolted on, it costs nearly three times as much
[Chart: average annual cost, compliance vs non-compliance. Cost of compliance $5.5M (build it in, pay it once); cost of non-compliance $14.8M (disruption, fines, settlements), 2.71× higher]
Ponemon Institute research across organisations subject to data-protection rules found the average annual cost of maintaining compliance was about 5.5 million dollars, while the average cost of non-compliance — counting business disruption, lost productivity, fines, and settlements — ran about 14.8 million, roughly 2.71 times higher [5]. The asymmetry is the whole argument for building privacy into the system instead of waiting for a complaint to force it.
[ EXPLANATION ]

Start with the scale of the change, because it reframes everything that follows. Privacy regulation was not creeping forward — it jumped. Gartner’s widely cited forecast put the share of the global population covered by a modern privacy law at around 10 percent in 2020 and roughly 75 percent by the end of 2024 [1]. That is not a trend you can wait out; it is the new baseline. For a business in Egypt, the Gulf, or selling into the United States, the question is no longer "will there be a law" but "which laws already apply to me, and does my software satisfy them today." The honest answer for most operators running on a patchwork of spreadsheets, a global SaaS tool, and a WhatsApp thread is: nobody actually knows, which under the new regime is itself the problem.

Now the specifics, because the MENA laws are not vague aspirations — they impose concrete requirements on systems. Egypt’s framework, fully operational once the November 2025 executive regulations run their one-year grace to around October 2026, requires explicit, informed, specific consent before personal data is collected or processed, demands that consent requests be presented in Arabic and kept separate from general terms, and backs it with administrative and criminal penalties — fines that run from EGP 200,000 up to EGP 5,000,000 depending on the violation [2]. Saudi Arabia’s PDPL is already live: in its first year of enforcement the regulator issued dozens of decisions and can levy fines up to SAR 5,000,000 per violation, doubled for repeat offenders, for things as ordinary as processing data without a lawful basis or sending marketing messages without consent [3]. These are not edge cases — "we texted our customer list a promotion" is exactly the kind of everyday act now on the enforcement menu.

The requirement that quietly reshapes architecture is data residency and cross-border transfer. The UAE’s law restricts moving personal data outside the country to destinations with an adequate level of protection, or otherwise only under approved contractual safeguards or explicit consent, and certain regulated sectors must keep data onshore entirely [4]. This is where a lot of "we just use a cloud tool" stacks quietly break the law: if your customer records live on a server in another region with no lawful transfer basis, the convenience of that SaaS default has become a compliance liability. Knowing where every record physically sits — and being able to choose — is no longer an infrastructure detail. It is a legal one, and it is a question you can only answer cleanly if someone designed the system to answer it.

This is the core point for anyone who builds or buys software: compliance is a property of the system, not a document you attach to it. The new laws assume capabilities that have to exist in the data layer. Can you produce, on request, everything you hold about one customer (a subject-access request)? Can you delete that person entirely without orphaning records across five disconnected tools (the right to erasure)? Can you prove when and how consent was captured, and withdraw it as easily as it was given? Can you detect a breach and notify within a statutory window? Each of these is trivial in a system designed for it and nearly impossible in one that was not. A cookie banner satisfies none of them. This is why the disconnected-stack problem and the privacy problem are the same problem wearing different clothes: you cannot honour "delete me" across tools that do not agree on who the customer is.
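As an added example (not Felukaa's code or any product of theirs), a minimal Python data layer in which the four capabilities above are one query each: consent is an append-only ledger with timestamps, residency is checked before a record is written, subject-access export and erasure both key off the single canonical customer id, and every privacy action lands in an audit log. The allowed-region set and the tables are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption (constructed for this example): regions where holding the data has a lawful basis.
ALLOWED_REGIONS = {"eg", "sa", "ae"}

@dataclass
class ConsentEvent:
    purpose: str   # what the consent covers, e.g. "marketing_sms"
    granted: bool  # True = given, False = withdrawn
    at: str        # UTC timestamp, so when it was captured can be proven later

@dataclass
class DataLayer:
    customers: dict = field(default_factory=dict)  # id -> profile: the one canonical record
    orders: dict = field(default_factory=dict)     # order_id -> row keyed to a customer id
    consents: dict = field(default_factory=dict)   # id -> [ConsentEvent], append-only
    residency: dict = field(default_factory=dict)  # id -> region code of the stored copy
    audit: list = field(default_factory=list)      # append-only log of privacy actions

    def _log(self, action, cid):
        self.audit.append((datetime.now(timezone.utc).isoformat(), action, cid))
    def store(self, cid, profile, region):
        if region not in ALLOWED_REGIONS:  # residency is decided before the write, not after
            raise ValueError(f"no lawful transfer basis for region {region!r}")
        self.customers[cid], self.residency[cid] = dict(profile), region
        self._log("store", cid)
    def consent(self, cid, purpose, granted):
        # withdrawal is the same call as granting, so it is exactly as easy
        self.consents.setdefault(cid, []).append(
            ConsentEvent(purpose, granted, datetime.now(timezone.utc).isoformat()))
        self._log("consent_granted" if granted else "consent_withdrawn", cid)
    def has_consent(self, cid, purpose):
        # latest event for that purpose wins; no event means no consent, never a default
        events = [e for e in self.consents.get(cid, []) if e.purpose == purpose]
        return bool(events) and events[-1].granted
    def export(self, cid):
        # subject-access request: everything keyed to the canonical customer id, one query
        return {"profile": self.customers.get(cid), "region": self.residency.get(cid),
                "orders": [o for o in self.orders.values() if o["customer_id"] == cid],
                "consents": [vars(e) for e in self.consents.get(cid, [])]}
    def erase(self, cid):
        # right to erasure: drop the record and every row referencing it; the audit entry stays
        before = len(self.orders)
        self.orders = {k: o for k, o in self.orders.items() if o["customer_id"] != cid}
        removed = before - len(self.orders) + (self.customers.pop(cid, None) is not None)
        for table in (self.residency, self.consents):
            table.pop(cid, None)
        self._log("erase", cid)
        return removed  # number of rows removed across tables
```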

Finally, the economics, because the case for building it in is not only legal — it is financial and commercial. Ponemon’s research across regulated organisations found non-compliance costs averaging about 14.8 million dollars a year against roughly 5.5 million for maintaining compliance — about 2.71 times more — once you count disruption, lost productivity, fines, and settlements [5]. And the upside is not just avoided penalties: customers now treat data handling as a buying criterion. In Cisco’s 2024 consumer survey, 75 percent of respondents said they would not buy from a company they do not trust with their data, and roughly half of those aged 25 to 34 had already switched providers over data practices [6]. For a Felukaa-built system, this is the argument in a sentence: privacy designed into the data model is cheaper than the fine, faster than the retrofit, and is itself a reason customers stay. Bolted on after a complaint, it is the most expensive line item nobody budgeted for.

[ PERSPECTIVES ]
Camp A — Compliance is paperwork; write the policy and move on

The pragmatic-minimalist view: get a privacy policy drafted, add a consent checkbox and a cookie banner, keep the lawyer’s template on file, and get back to running the business. Regulators are stretched, enforcement is young, and most small firms will never be audited. For a genuinely tiny operation this buys real breathing room — but it mistakes the document for the capability. The policy promises rights (access, deletion, withdrawal) that the underlying systems cannot actually deliver, which means the first real request, or the first complaint, exposes the gap instantly.

Camp B — Compliance is a specialist’s job; outsource it to tools and consultants

The procurement view: privacy is a domain, so buy the domain. Bolt on a consent-management platform, a data-mapping SaaS, an external DPO-as-a-service, and let the specialists handle it. This is real progress over a template and right for complex, multi-jurisdiction operations — but layered onto a disconnected stack it often just adds another tool that does not talk to the others. A consent platform that cannot actually reach into your CRM and enforce a withdrawal is theatre. The tooling only works if the core systems can act on what it records.

Camp C — Compliance is an architecture decision; build it into the system

The systems view: privacy by design. The capabilities the law assumes — lawful consent captured at the source, one canonical customer record you can export or erase on command, known data residency, an audit trail, breach detection — are properties of how the software is built, so build them in from the data model up. More work at the start, but compliance stops being a separate workstream bolted onto the side and becomes a feature of the system that already runs the business. The request that breaks a patchwork is a single query here.

Where we land

A policy you cannot technically honour is a liability, not a shield, and a compliance tool wired to a stack that cannot act on it is theatre. The durable answer is architectural: design the data layer so that lawful consent, a single erasable customer record, known residency, and an audit trail are built in — then let policies and tools sit on top of a system that can actually do what they promise. The sequence is honest, though: a small firm should start with the policy and the obvious consent fixes, but every quarter you grow on a privacy-blind stack raises the cost of the eventual retrofit. The right time to build it in is before the request — or the complaint — forces you to.

[ OPEN QUESTIONS ]
  1. If one customer emailed today and asked for everything you hold about them — and then asked you to delete all of it — could your systems actually produce and erase it, across every tool, without someone hand-searching spreadsheets?
  2. Do you know, for each system you run, which country your customers’ personal data physically lives in — and whether moving it there had a lawful basis under the rules that now apply to your market?
  3. When you capture consent today, can you prove later when and how it was given, what it covered, and that withdrawing it is as easy as granting it — or is "consent" just a pre-ticked box nobody can reconstruct?
  4. Your business is inside a fixed compliance countdown — Saudi enforcement already live, Egypt full by late 2026 — so what is the honest cost of retrofitting privacy into your current stack versus building it into the next system you commission?
  5. As AI features start reading across your customer data, who is accountable when a model surfaces a record the customer asked to be forgotten — and was that even possible to enforce in the system the AI is reading from?
[ REFERENCES ]
  [1] Gartner — "Identifies Top Five Trends in Privacy Through 2024": by year-end 2024, modern privacy regulations would cover the personal data of roughly 75% of the world’s population, up from about 10% in 2020.
  [2] Kennedys — "Egypt’s Personal Data Protection Law: the compliance countdown has begun": Executive Regulations to Law No. 151 of 2020 issued November 2025 with a one-year grace period (full enforcement ~October 2026); explicit Arabic-language consent required; administrative and criminal fines from EGP 200,000 to EGP 5,000,000.
  [3] A&O Shearman — "Enforcement of the Saudi Personal Data Protection Law (PDPL)": grace period expired September 2024 and enforcement is now live; committees issued dozens of decisions in the first year, with fines up to SAR 5,000,000 per violation (doubled for repeat offenders) for unlawful processing, unlawful disclosure, and marketing without consent.
  [4] U.S. International Trade Administration — "United Arab Emirates Allows Cross Border Data Flows of Personal Data": UAE Federal Decree-Law No. 45 of 2021 (in force January 2022) restricts cross-border transfers to jurisdictions with an adequate level of protection or under approved safeguards/consent; data localization required for certain regulated sectors.
  [5] Globalscape / Ponemon Institute — "The True Cost of Compliance with Data Protection Regulations": average cost of non-compliance ~$14.8M per year versus ~$5.5M to maintain compliance — about 2.71× higher — across business disruption, lost productivity, fines, penalties, and settlements.
  [6] Cisco — 2024 Consumer Privacy Survey: 75% of respondents would not buy from a company they do not trust with their data; roughly half of consumers aged 25–34 have switched companies or providers over their data policies or data-sharing practices.
[ Can your systems honour "delete me"? ]

We build privacy into the data layer — lawful consent, one erasable customer record, known residency — not a banner bolted on after a complaint.

The MENA compliance countdown has already started, and a policy your software cannot technically honour is a liability, not a shield. Fifteen minutes to map where your customer data lives, what the new laws require of it, and what it takes to make your systems satisfy them by design.
