Egypt’s PDPL | 2026 Updates & Guide

What Is Egypt’s Personal Data Protection Law (PDPL)?

Egypt’s Personal Data Protection Law (PDPL) is the country’s primary framework governing how organisations collect, use, store, transfer, and protect personal data relating to individuals in Egypt.

It applies to organisations operating inside Egypt, as well as organisations outside Egypt that process the personal data of individuals located there. At its core, Egypt’s PDPL is about accountability: knowing what data you hold, why you hold it, who you share it with, and being able to evidence responsible handling.

The Update & Enforcement Timeline: November 2026

On 1 November 2025, Egypt issued the Executive Regulations to its Personal Data Protection Law (PDPL). In theory, that gives organisations roughly a year to prepare. Plenty of time… you might think.

In regulatory terms, this was the equivalent of someone quietly pressing “start” on a compliance stopwatch. And speaking as someone who reads privacy laws for fun (yes, really), a year disappears remarkably quickly when personal data is scattered across systems, suppliers, inboxes, cloud platforms, spreadsheets, and the inevitable mystery folder labelled “old stuff – do not delete.”

This update clarified how organisations must approach:

  • Licensing and registration requirements
  • Breach notification obligations
  • International data transfers
  • Record-keeping and documentation
  • The appointment and role of Data Protection Officers

In practical terms, this is why November 2026 now matters.

Who is the law applicable to?

For businesses operating in Egypt or handling the personal data of people in Egypt, Egypt’s PDPL is no longer a future problem. It is a fixed regulatory deadline that will quietly creep up while everyone is busy doing their actual jobs.

And the question regulators will care about is not:

“Do you care about data protection?”

But:

“Can you show us how you do it?”

How does Egypt’s PDPL differ from other data protection laws?

Some privacy laws are philosophical. Egypt’s is practical (a practical Data Protection Law!).

It talks about licences, records, breach notifications, international transfers, and formally registered Data Protection Officers.

In other words, it is less interested in what your policy says and more interested in what actually happens when, e.g.:

• marketing launches a new campaign,

• HR sends files to an overseas payroll provider,

• IT migrates systems to the cloud, or

• someone clicks on the wrong email attachment at 4:55pm on a Friday.

This is where compliance stops being theoretical and becomes operational.

A better starting point than reading the law (trust me)

The instinctive reaction to a new law is to download it, skim the headings, and immediately feel tired.

A more useful first step is to ask some awkward but practical questions:

• What personal data do we really hold?

• Where is it stored?

• Who can access it?

• Who do we send it to?

• Which countries is it shared with?

• And why do we still have data from 2014?

These conversations are rarely quick, but they are revealing and vital for compliance.

Common answers include:

• “I think IT know.”

• “That is the third party’s responsibility, not ours.”

• “We’ve always done it that way.”

• “The supplier set that up years ago.”

• “I’m not sure anyone deletes that.”

None of this makes an organisation compliant.

And of course, regulators are interested in compliance, risk and accountability.

Simplifying Egypt’s PDPL so Employees Can Actually Follow It

Privacy laws are written as if organisations document everything perfectly and never improvise.

Reality, of course, is slightly different.

This is why Egypt’s PDPL obligations need translating into day-to-day behaviour:

  1. Breach notification becomes: “If this happens, call these people, fill in this form, and do it today, not next week.”
  2. Data minimisation becomes: “This system deletes records after three years, and yes, backups too.”
  3. International transfer controls become: “Here is a list of our overseas suppliers, what they receive, and why.”
  4. Accountability becomes: “Here is the evidence.”

And the above is just the beginning. Good compliance is not typically exciting (for most). It is, however, what keeps organisations out of trouble!

Why paperwork suddenly becomes your friend

I know. No one wakes up hoping to build a beautiful ‘Record of Processing Activities’.

But Egypt’s framework is evidence-driven.

If asked, organisations should be able to produce:

• records of processing

• risk assessments

• breach logs

• supplier reviews

• training records

• governance notes.

Not because regulators love paperwork (although sometimes I suspect they do), but because documentation is how they tell the difference between:

“We take this seriously” and “We were meant to.”

And as someone who has sat on both sides of compliance discussions, I can confirm good documentation turns panic into a conversation, practical actions and ownership.

What Are the Penalties and Costs of Non-Compliance?

While exact penalties depend on the nature and severity of the breach, non-compliance can result in administrative fines ranging from approximately EGP 100,000 to EGP 5,000,000, with serious breaches potentially also carrying criminal penalties including imprisonment.

Beyond fines, the real cost of non-compliance often includes:

  • Mandatory remediation under regulatory supervision
  • Suspension of certain processing activities
  • Reputational damage
  • Loss of trust with customers, employees, and partners

In other words, non-compliance tends to be more expensive and disruptive than preparation.

The DPO’s role in Egypt’s PDPL Compliance

Egypt’s regulations formalise the Data Protection Officer role.

Which means it stops being something you squeeze in between other responsibilities and becomes an accountable governance function.

That role needs:

• independence,

• authority,

• time, and

• a direct line into decision-making.

Some organisations prefer independent support (which is how my role has become very popular), particularly where operations span countries or involve complex data flows.

What does not work is appointing a DPO in name only and hoping nobody notices.

I’ll let you into a DPO secret… Regulators usually do.

The Roadmap

If I were advising my own and my clients’ boards (which I do, regularly), I would suggest:

Early 2026 (now)

Get visibility. Map the data. Carry out a Gap Analysis. Find the uncomfortable.

Mid 2026 (May)

Fix the high-risk gaps. Update processes. Sort suppliers. Build records.

Later in 2026 (November)

Train staff. Test incident response. Finalise documentation.

TenIntelligence Thoughts

Egypt’s PDPL is not about catching people out. It is about forcing businesses to take responsibility for something they already handle every day: other people’s information. So, most organisations do not need to become privacy perfectionists. They need to become organised.

With November 2026 approaching, this is a good moment to replace “we should probably look at this” with “we know where we stand”. If you would like help working that out or simply want a clear view of what compliance would look like for your organisation in practice, feel free to get in touch.

No judgement. No scare tactics. Just clarity from a practical, friendly Global DPO.

Frequently Asked Questions (FAQs) on Egypt’s PDPL

What are the key compliance requirements under Egypt’s PDPL for businesses?

Organisations must understand and document their personal data processing, implement appropriate safeguards, manage third-party risk, appoint a qualified DPO where required, maintain records, and comply with breach notification and international transfer rules.

How can I assess my business’s readiness for Egypt’s PDPL regulations?

A structured PDPL gap analysis or readiness assessment is the most effective starting point. This examines data flows, governance, supplier arrangements, documentation, and incident response capabilities. Ten’s Data Protection Assessment can be a great starting point.

Do companies need a licence to process personal data in Egypt?

Certain processing activities and cross-border data transfers require regulatory approval or licensing under Egypt’s PDPL framework.

Can I hire a Data Protection Officer familiar with Egypt’s PDPL remotely?

Yes. Many organisations appoint external or outsourced DPOs with regional expertise, particularly where internal resources or local experience are limited.

What training programmes are available for staff on Egypt’s PDPL compliance?

Effective training focuses on role-based, practical scenarios rather than legal theory, helping employees understand how the PDPL affects their day-to-day work.


Written by

Lynsey Hanson | Global Data Protection Officer