Data Protection and Cyber Security
Data protection and cyber requirements for Procurement systems, suppliers and information handling.
Group Policy & Procedure | Document No. | P-POL-017 |
Group Supply Chain | Ver. No. | Rev Date | 0.4 | 08 APR 2026 |
Title: Data Protection & Cyber Security | Effective Date | 08 April 2026 |
BUKHATIR GROUP
Strength through Diversity
Group Policy and Procedure
Group Supply Chain (GSC)
Data Protection & Cyber Security
PDPL, Supplier Standards & Oracle Controls
Document No: P-POL-017
Copyright © 2026 Bukhatir Group
Revision Control
This document is issued under the authority of Bukhatir Group and applies when carrying out the activities described. Revisions may be issued as necessary under the authority of the Group Head of Procurement. Revision history is recorded below with every revised policy.
Revision History
Ver. No. | Effective Date | Description |
|---|---|---|
02 | September 2016 | Original Procurement Policy |
0.3 | March 2026 | Procurement Policy – Data Protection & Cyber Security |
0.4 | 08 April 2026 | Redesign, content modernization & flowcharts – Data Protection & Cyber Security |
Revision Sign-Off
Approving Committee | Name | Signature |
|---|---|---|
Endorsed by — Group Head of Supply Chain | Mohamad Koussa | |
Reviewed by — BIIL CEO | Mr. Ayman Ismail | |
Reviewed by — Group Chief Financial Officer | Mohamad Adnaan Sait | |
Approved by — Group Vice Chairman & Group CEO | Mr. Salah Bukhatir |
Distribution List
# | Departments |
|---|---|
1 | Business Unit Procurement Departments |
2 | Group Supply Chain (GSC) |
3 | Finance, Legal, Compliance, Internal Audit |
4 | Business Unit Management |
1. Purpose
This policy defines the minimum data protection and cyber-security requirements for suppliers handling Bukhatir Group data, and the controls applied within the procurement function to protect Oracle and related systems.
2. Scope
Applies to all suppliers who access, store, process or transmit Group data, and to all Group staff operating within the procurement technology stack.
3. Legal Basis
UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), UAE Cyber-Crime Law, and internal Group Information Security Policy.
4. Supplier Minimum Standards
- Written Information Security Policy aligned to ISO/IEC 27001 principles.
- Access control, multi-factor authentication and least-privilege.
- Encryption of personal and confidential data at rest and in transit.
- Documented incident response plan with 24-hour notification SLA to the Group.
- Sub-processor disclosure and written consent for any onward data transfer.
- Right-to-audit clause and annual cyber attestation for Tier 1 suppliers.
5. Internal Controls
- Oracle access granted on least-privilege basis and reviewed quarterly.
- All tender and contract data classified per the Group Data Classification Scheme.
- Mandatory cyber-awareness training for all procurement staff.
- Phishing simulation tests run quarterly by IT Security.
6. Incident Management
Suspected cyber incidents affecting procurement data shall be reported immediately to IT Security, Compliance and the Head of Supply Chain. A joint root-cause review is mandatory.
7. Reference Form
Form F-CYB-01 — Supplier Cyber-Security Self-Assessment.
8. Definitions & Acronyms
Acronym / Term | Definition |
|---|---|
BU | Business Unit |
DLP | Data Loss Prevention |
ERP | Enterprise Resource Planning |
GDPR | General Data Protection Regulation |
GSC | Group Supply Chain |
ICT | Information and Communications Technology |
NDA | Non-Disclosure Agreement |
Oracle | Enterprise Resource Planning System |
UAE | United Arab Emirates |