Data Privacy Protection Regulation (DPPR)

Learn Privacy

Know Your Privacy Obligations

Want to check which privacy laws apply to you

Take Privacy Quiz

Check out our quick privacy quiz

Why (DBoM) Data Bill of Materials

The Data Bill of Materials (DBoM) records the ownership, sharing history, storage and collection purpose of a unit of data.

Blogs

Get latest information on data security,
data protection, and data privacy.

Events

Meet us in person or virtually in
upcoming events!

Podcasts/Webinar

Be the first to catch our latest Webinars,
happenings and more.

Follow Us

Products

Privacy Automation

TurtleShield PA (Privacy Automation) automates and streamline privacy-related processes and tasks.

Data Inventory

TurtleShield DI (Data Inventory) automates data asset inventory and performs realistic data mapping.

Privacy Intelligence

TurtleShield PI (Privacy Intelligence) applies the unique oil drilling-like approach to data discovery across the entire data footprint and not just a subset of data.

Consent Management

TurtleShield CM (Consent management) automates user privacy notices, manages consent/opt-out preferences and ensures compliance by internal and third-party data sharers, safeguarding user privacy seamlessly.

Data Subject Access Request (DSAR)

TurtleShield DSAR automates the management of Data Subject Rights, ensuring efficient compliance with privacy regulations.

Data Breach Management (DBM)

TurtleShield DBM module helps organizations quickly verify, assess, contain and manage data breaches, including notifying affected individuals and regulatory bodies as required by law.

Data Minimization

TurtleShield DM (Data Minimization) helps you reduce the data and focus on enterprise-centric data.

Assured Deletion

With TurtleShield AD (Assured Deletion) businesses are empowered to comply with mandatory deletion of personal data.

Responsible AI

TurtleShield RA (Responsible AI) enables organizations to assess AI risk for internal applications and Third Party softwares utilizing AI.

Training and Awareness

TurtleShield TA (Training and Awareness) provides modern & engaging awareness solutions focused on effective privacy implementations that reach the last mile in your organization.

Solutions
Build Consumer Trust

Responsibility to protect customer data, opportunity to build brand value

Robust Enterprise Security

Implement a data-centric security approach which is aligned to your business-critical data.
Use Cases

Fintech/BFSI

E-Commerce

Insurance

Banking

Data Protection (UK)

Heathcare Use Case

Edutech Use Case

TMT Use Case
Privacy Profit Center

Transform privacy from cost center to profit center

Data Minimization

Minimize data, and reduce business risk with data minimization
Case Study

HDFC Case Study
Acronym

Data Security Posture Management (DSPM)

Data Centric Security (DCS)

Data Discovery (DD)

Data Protection Impact Assessment(DPIA)

AI Governance (AIG)

Universal Consent Management (UCM)

Industry

Fintech/BFSI

Privacy and meaningful data centric security for your Fintech/BFSI

Healthcare

Importance of data privacy in healthcare organizations

E-commerce

Safeguarding data privacy in E-commerce Industry

Insurance

Navigating data privacy regulations in the Insurance Industry

Edutech

Data protection in EduTech Industry is the need of the hour

Technology, Media &
Telecommunications (TMT)

The importance of data privacy in the TMT Industry

Automobile Industry

Navigating data privacy regulations in the Automobile Industry

Public Sector Industry

Navigating data privacy regulations in the Public Sector Industry

Compliance
Privacy

Data privacy compliance

India (DPDPA)

USA - United States (UCPA)

Europe (GDPR)

Europe (DORA)

Egypt (PDPL)

American (APRA)

Australia - Privacy Act

Bahrain - (PDPL)

Brazil - (LGPD)

Angola - (PDPL)

Ukraine - (PDP)

California - (CCPA)

China - (PIPL)

Colorado - (CPA)

Connecticut - (CTDPA)

Ghana - (DPA)

Irish - (DPA)

Kenya - (DPA)

UK - (DPA)

Russia Fedral Law

Nigeria - (DPA)

Honkong - (PDPO)

Indonesia - (PDP)

Japan - (APPI)

Jordan - (PDPL)

Kuwait - (DPPR)

Malaysia - (PDPA)

Maryland - (MODPA)

Oman - (PDPL)

Philippines - (DPA)

New Zealand Privacy Act

Qatar - (PDPPL)

Saudi Arabia - (PDPL)

Singapore - (PDPA)

South Africa - (POPIA)

South Korea - (PIPA)

Srilanka - (PDPA)

Thailand - (PDPA)

Uganda - (DPPA)

Virginia - (CDPA)
Security

Data security compliance

Cyber Security - IRDAI

Reserve Bank - RBI
Sectoral

Sectoral compliance

COPPA

FERPA

HIPAA

Telecom TRAI
Company

About us

Ardent is on a mission to help enterprises implement meaningful security and privacy programs aligned to their business mission; building trust, and protecting data assets.

Pricing

Get pricing aligned to your business needs. Stay data protected with best plans tailored to your needs.

Contact us

Contact us to know more about how Ardent can help you implement a robust privacy program.

Become A Partner

Join Our Partner Program.

Career

Join our tech revolution, unleash your genius.

Data Privacy Protection Regulation (DPPR) - Kuwait

Kuwait didn’t have any data protection law until the Communication and Information Technology Regulatory Authority (CITRA) introduced the Data Privacy Protection Regulation (DPPR). The DPPR sanctions regulatory obligations on Communications and Information Technology Service Providers and entities that collect and process the personal data of a natural person through various means, such as websites, applications, etc.

Key Obligations & Consequences

Applicability

The law applies to the personal data of a natural or legal person whose identity can be identified or is identified through identifiers like name, financial, health, identity, religious, or racial information.
It further includes information that can be used to identify a natural or legal person’s geolocation, genetic fingerprints, personal tracking systems, or a combination of other data that allows physical or online contact with the person who shall be referred to as the data owner.
The law applies to all public and private sector service providers who conduct the collection, storage, and usage of personal data processed either inside or outside Kuwait.

Basis for processing personal data

Under DPPR, service providers shall comply with the following data processing guidelines:

Provide clear and easily accessible information about their data processing practices.
Clarify the purpose of collection of user data being necessary to provide the service and how the collected data will be utilized before providing services to the user.
Provide all information and service conditions as well as request processes to change or delete data in easy and accessible terms in both English and Arabic language before providing services.
Processes data in a way that ensure that personal data is protected against unauthorized or illegal processing activities
Provide information on the duration of personal data storage as well as location
Inform the user if the service provider intends to process data for purposes other than those for which the personal data was collected.
The Communication and Information Technology Regulatory Authority (CITRA) is the primary authority to enforce penalties and fines in the event of a proven violation, as stipulated under Law 37 of 2014.

Key Challenges in brief:

Consent Requirements

DPPR has a comprehensive, clear, and strict set of obligations regarding obtaining the consent of data owners. It is imperative for service providers to obtain the consent of the user (data owner to collect and process their personal data) before providing the service to the user. More importantly, the data owner must provide consent to all the conditions and obligations that apply to the collection and processing of personal data.

Security Data Breach Notification

In the event of a breach, service providers are required to notify CITRA within a period not exceeding 72 hours when the incident is discovered.

Records of Processing Activity (RoPA)

Similar to the European Union’s General Data Protection Regulation (GDPR), Kuwait’s DPPR also requires service providers to maintain a record of processing activities for review by CITRA upon request.

Cross-border Data Transfer Requirements:

DPPR requires service providers to notify data owners about their intention of transferring the personal data of the data owners outside Kuwait but following the measures recommended by CITRA.

Fulfillment of Data Subject Rights

Following are some data owner rights that Kuwaitiis can practice

Right to Access:- The data owner is entitled to exercise his right to access details regarding his personal data processed by the service provider.

Right to Rectification:- The data owner has the right to request the service provider to change or rectify the data or delete it.

Right to Erasure/Destroy/Anonymize:- The data owner has the right to request the service provider to delete the personal data upon the request for consent withdrawal or if the personal data isn’t required anymore to use services provided by the service provider.

Kuwait's Data Privacy Protection Regulation (DPPR) Execution plan with TurtleShield: Six Steps towards your Compliance Journey

Solutions

Data discovery, inventory and mapping

Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party Privacy Intelligence (monitors third party sharing)

Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

Data Minimization

TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion

With TurtleShield RTBF (Right to Be Forgotten) provides the businesses the capabilities to comply with mandatory deletion of personal data by providing the capabilities to delete the data on request along with the validation of the deletion.

Enable Data subject rights with cost savings and compliance in totality

Search capability in large datasets to fulfill data subject requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.