DATA PRIVACY & PROTECTION

R&C: As companies carry out their data processing activities, including handling, storage and transfer, what regulatory, financial and reputational risks do they face? How are evolving regulations affecting their obligations?

Kellick: The position in Oman differs in a significant sense to the wider region as the consent of a data subject must be obtained prior to their personal data being processed, except in certain excluded circumstances. It is therefore important that organisations processing the personal data of Omani citizens ensure that they have in place procedures to secure consent, record the terms on which it was provided, and introduce a mechanism by which consent can be withdrawn or amended – and tracked internally – in line with the rights granted to data subjects under the regulations. Similarly, prior to transferring personal data outside of Oman, data controllers must obtain the explicit consent of the data subject, again except in certain limited circumstances. Organisations need to be able to demonstrate compliance with regulations or risk facing significant fines.

Ridgway: Companies face a complex risk landscape as they process data. Regulatory risks have intensified with the proliferation of comprehensive privacy laws that introduce stricter consent requirements, data minimisation mandates and enhanced individual rights. And data privacy regulators around the globe are sharpening their focus on enforcement. In the US, for example, eight state privacy regulators recently announced a ‘Consortium of Privacy Regulators’, a bipartisan coalition aimed at coordinating enforcement, signalling a new era of multistate cooperation in the enforcement of comprehensive consumer privacy laws. Financial risks include hefty fines – such as the €1.2bn General Data Protection Regulation (GDPR) fine against Meta – and the costs of remediation and litigation. Reputational risks are equally severe; a single breach or compliance failure can erode customer trust and damage brand value. This regulatory momentum requires companies to adopt a holistic, adaptive compliance strategy, integrating privacy by design, and regularly updating policies and practices to reflect new legal standards.

Jul-Sep 2025 Issue

Gibson, Dunn & Crutcher LLP

Nasser Al Shamli, Advocates & Legal Consultants in association with Kennedys

Kennedys

McCarthy Tétrault

Skadden, Arps, Slate, Meagher & Flom LLP

TLT