The future of digital trust: navigating Egypt’s new data landscape
Defining the pillars: privacy vs. protection
To navigate this new era, we must first distinguish between data privacy and data protection. Data privacy is fundamentally about choices, fairness, and transparency. It defines the "what" and "why" of information collection such as names, phone numbers, or browsing habits and dictates who that data is shared with. It empowers individuals with the right to see or control their digital footprint. For example, when a user signs up for a delivery app, privacy ensures the app clearly explains that it collects their address solely for delivery purposes and allows the user to delete that data later.
Data protection, conversely, is the "how" of the operation. It focuses on the safety and security measures that organizations implement to keep personal data safe from leaks, loss, or unauthorized access. This involves technical and organizational safeguards such as strong encryption, multi-factor authentication, and regular backups.
In practical terms, this distinction becomes clearer when we look at how organizations handle data in their day-to-day operations. Personal data under the Personal Data Protection Law (PDPL) is broad and extends beyond basic identifiers to include any information that can be linked to an individual, including digital identifiers and data collected through systems such as websites, applications, or monitoring tools like CCTV. Certain categories, such as health, biometric, financial, religious, or children's data, are classified as sensitive and are subject to stricter safeguards.
For organizations, this means that everyday activities from customer onboarding and HR management to website analytics and security monitoring may involve the processing of personal data. Under the PDPL, processing is interpreted broadly and includes actions such as collecting, storing, using, sharing, or deleting data. These activities are only permitted where specific legal conditions are met, such as obtaining valid consent or fulfilling a contractual obligation.
The strategic importance of compliance
This responsibility is not confined to the IT department; it is a shared duty across the entire organization. Leaders must set the tone for data ethics, marketing teams must ensure transparency in customer outreach, and HR departments must safeguard sensitive employee records. Every employee who handles an email or a document is a guardian of the company's data integrity.
Navigating law 151 and the 2026 deadline
The scope of these regulations is remarkably broad, extending to any organization that transfers data outside Egypt, operates CCTV and other monitoring systems, or provides data-driven, technology, or outsourced services involving personal data. Importantly, foreign companies are also likely to be subject to these rules where their operations involve data flows into or out of Egypt, even if they do not maintain a physical presence in the country. This means any business with customers, users, or operational touchpoints in Egypt must assess whether and how these requirements apply to their activities.
In practice, this reach is not limited to large technology companies or multinational groups. It extends to telecom providers, retailers, e-commerce platforms, employers, healthcare providers, outsourcing vendors, and smaller businesses that keep customer contact details, payment records, delivery addresses, CCTV footage, or marketing lists as part of their operations. The key question is not the size of the business, but whether it processes personal data in the course of carrying out commercial or organizational activities.
9 operational steps organizations should address before full enforcement
1- The licensing and permit regime: organizations must obtain general licenses (valid for 3 years) for processing data. Specific supplementary permits are required for high-risk activities like cross-border transfers and public surveillance.
2- Core processing standards: companies must establish clear retention periods and maintain a secure electronic register of data activities. PDPC inspectors hold judicial authority to audit these systems at any time.
3- Detailed ROPA requirements: maintaining a Record of Processing Activities (ROPA) is now a technical mandate. It must link all data to specific purposes, hosting environments, and internal risk assessments (DPIAs: Data Protection Impact Assessments).
4- Privacy notices and consent: all privacy communications must be concise, visible, and provided in Arabic. Consent must be explicit and granular, and it is invalid if access to a service is made conditional upon it.
5- Electronic direct marketing: marketing requires prior explicit consent and a specific license. Every message must clearly identify the sender and include a functional, free opt-out mechanism.
6- Cross-Border data transfers: moving data outside Egypt is regulator-led. Organizations must obtain a license for transfers (including cloud storage) and prove the destination.
7- DPO requirements and registration: legal entities must appoint a Data Protection Officer (DPO) registered with the PDPC. DPOs must meet qualification standards and hold a unique PDPC accountability code.
8- Breach notification: organizations must notify the PDPC of data breach within 72 hours. Once the initial report is filed a further three business days are allowed to notify the individual impacted.
9- Sensitive and children’s data: heightened protections apply to sensitive info and children’s data. Explicit written consent is required for the former, and parental consent is mandatory for anyone under 15.
The banking exception
A key distinction in the Egyptian regulatory framework concerns the financial sector. Under Article 3 of Law No. 151 of 2020, the PDPL does not apply to personal data held by the Central Bank of Egypt and entities subject to its oversight and supervision, except money transfer companies and currency exchange companies, for which the relevant Central Bank rules on personal data handling apply. Accordingly, references to PDPL obligations should not be presented as applying in the same way to banks and other CBE-supervised entities. Their data governance obligations should instead be understood through the banking regulatory framework and applicable Central Bank requirements.
Operational compliance: the road ahead
Executive Regulations have transformed broad privacy principles into operational requirements that affect how businesses collect, process, store, and transfer personal data. Compliance is no longer limited to internal policies; it requires documented processes, licensing approvals for certain activities, and clear accountability structures across the organization.
For companies operating in Egypt or handling the personal data of Egyptian residents, preparation during the current grace period is critical. Organizations that proactively establish governance frameworks, maintain accurate records of processing activities, and implement transparent data practices will not only reduce regulatory risk but also strengthen customer trust in an increasingly data-driven economy.
Our experts