When it comes to luxury travel, service providers rely on
technology to store and act upon personal data to provide the
outstanding experience their customers expect. A challenge for the
industry in the Middle East lies in offering the high-level of
service guests are used to elsewhere in the world while complying
with laws that can prevent data crossing borders and require it to
be localised.
As Saudi Arabia works to build an economy based on technology and
knowledge as laid out in its Vision 2030, managed services such as
cloud computing, data centers and IoT will be central to these
efforts. Private cloud facilities will also be required for mega
projects with tourism and leisure elements such as Neom, Qiddiya,
the Red Sea Project and Amaala. Certainly for Neom there are
already plans to build three hyperscale data centers.
Whether exemptions will be made for these projects to help tourism
providers get around data laws remains to be seen. A precedent
exists in the UAE where free zones with specific data legislation
operate, such as the Dubai International Financial Centre.
Earlier this year Saudi Arabia's Ministry of Communications and
Information Technology launched a multi-billion dollar plan to
build a network of largescale data centers with an aim to become
the main data center hub for the Middle East, and localise content
and services. Despite concerns from digital rights groups, Google
will be joining the likes of Chinese firms Huawei and Alibaba in
building a selfcontained "Cloud-Region" in the Kingdom as
part of that network.
According to the Oxford Business Group, Saudi Arabia is also
pushing for user data to be kept and stored in the country to
increase security and ensure data ownership. However there are also
concerns about the ability to transfer customer data outside of the
country.
Data Localisation Challenges
In the Middle East, new data laws mean that travel and hospitality
service providers will have to adapt their processes when they
operate in certain countries.
This includes Saudi Arabia whose Personal Data Protection Law
regulates the collection, processing and use of data. While the law
is in line with wider international practices which protect the
privacy of individuals and personal data, like the European
Union's General Data Protection Regulation (GDPR), it differs
in one key way – restrictions on transferring data across
borders. The law provides for tight controls on cross-border data
transfer outside of the country. If exceptions are not made,
providers must consider local storage options to fulfill data
localisation requirements. Even so, the practical challenge for
global organisations of marrying incountry and centrally managed
customer data still needs to be overcome.
Both the Saudi Arabian and UAE data protection laws also have
extra-territorial reach, similar to GDPR. The UAE law applies to
any organisation established in the Emirates that processes
personal data of subjects inside or outside the UAE, as well as any
organisation established outside the country that processes data
inside it. As a well-known international tourism destination the
UAE's data laws are better understood than those of Saudi
Arabia. Providers should look to get advice as part of building and
scaling operations in the geography.
It could be worse. Anything in the Middle East pales in comparison
to China's Personal Information Protection Law which priorities
national security over individual rights. The law states that if
personal information being handled by a data handler reaches a
certain threshold, a data localisation requirement may be
triggered. Companies in possession of a large volume of personal
data must also complete a mandatory security review led by the
Cyberspace Administration of China before transmitting it
overseas.
Preparation is Key
There is optimism that service providers who don't process
government data in Saudi Arabia will be immune to data localisation
requirements. However, this is a grey area.
Those looking to establish themselves in Vision 2030 projects will
be processing government data as many of the major developments
operate under the government's oversight – already brands
under Marriott, InterContinental and Hyatt banners are setting up
hotels at the Red Sea Project while American theme park Six Flags
is establishing a park at Qiddiya. As there may be a need to
localise their data, these brands should be prepared to navigate
the complex requirements.
In fact, all international tourism and leisure providers with
significant amounts of global customer data should consider how
they set up in the Middle East. They are used to existing in a
world where data passes relatively freely between borders, so each
one will have to adapt their standards and ask questions. What
suppliers should process their data? What deployment and storage
approaches are compliant? What systems and processes need
customisation to comply? Even the common scenario of a central
reservations system synchronising with an inmarket property
management system at a hotel raises basic questions that need to be
addressed, especially if more sensitive personal data crosses
borders.
As the use cases extend to address differentiated customer
experiences, the question of speed bubbles up to the top of the
list. Large amounts of data associated with a customer must be
matched and activated, in many cases in real time, to deliver a
unique experience for the traveler. If different data sets are
stored in different locations in order to comply with data storage
and transfer regulations, how does a supplier deliver real-time
customised experiences?
Weighing Up the Options
To avoid problems, providers looking to operate in the Kingdom
should seek advice to plan out their technology architecture. In a
situation where things are not black and white, how does an
organisation interpret and decide what level of compliance is
sufficient? And to what extend is a modest amount of risk
appropriate to sufficiently allow for incremental increases to
capabilities as data protection regulations evolve? Getting expert
advice will help providers answer these questions while they
establish a brand presence and assess their options.
While there are difficult obstacles to navigate, there is reason to
be positive. If Middle Eastern nations want to diversify their
economies away from oil to become leading tourism destinations then
they will need to find a compromise. So, despite Saudi Arabia's
Public Investment Fund recently denying reports that Neom will be
treated as a "country within a country" with special
privileges and regulations, nothing is 100% and how the government
treats data may change to become more consistent with international
standards.
This article was originally published in the January edition of Computer News Middle East.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
