Following last year's consultation in June 2019, the Dubai International Financial Centre (DIFC) has enacted Data Protection Law DIFC Law No. 5 of 2020 (DPL) to regulate the processing of personal data in the DIFC.
The DPL comes into force on 1 July 2020. However, businesses will have a grace period of 3 months, until 1 October 2020, to bring their organisations into compliance with the new law.
The DPL replaces Data Protection Law DIFC Law No.1 of 2007 and brings the DIFC's data protection regime in line with global data protection and data privacy standards, including Europe's General Data Protection Regulation and the California Consumer Privacy Act.
So What's New?
The DPL introduces a range of new concepts and obligations to entities based in the DIFC, including:
Greater Accountability Requirements: The DIFC expects certain organisations that undertake high risk processing to appoint a Data Protection Officer. Organisations will also need to keep a record of what data they process in a register and there is a formal requirement to maintain data protection policies to ensure compliance with the DPL.
Obligations on Data Processors: The DPL extends compliance obligations beyond data controllers, holding data processors directly accountable for the processing activities they undertake on behalf of controllers. Suppliers operating in the DIFC such as payroll providers or cloud software providers will need to closely review what changes are needed in their business to ensure compliance.
Tougher Supply Chain Requirements: Where services are outsourced to suppliers acting as data processors, the DIFC expects contracts to contain much more robust data protection contractual provisions.
Data Breaches: Where personal data is compromised, the controller must assess whether they need to notify the Commissioner of Data Protection about the breach "as soon as feasible in the circumstances". Importantly, the Commissioner has the discretion to impose fines for contraventions of the DPL "in an amount he considers appropriate and proportionate".
Consent Changes: The DPL includes enhanced data subject rights, including stricter rules around when consent can be relied upon as a processing ground. Organisations will need to assess carefully whether they rely on consent to process personal data and whether such processing meets the new requirements.
Data Export Restrictions: As under the old law, where personal data is transferred outside the DIFC (including to another UAE jurisdiction) in order to be processed (foreign territory), the controller must ensure that the foreign territory possesses equally robust data protection laws and regulations. However, under the DPL, much more detailed requirements have been included. A range of options are provided to legitimise transfers outside of the DIFC that can be relied upon.
Governance of High Risk Activities: Controllers and processors who engage in high risk processing (such as large-scale processing of sensitive personal data, or processing using Blockchain, A.I., machine learning or other emerging technology) must remain cognizant of the risks inherent in such processing and demonstrate vigilance by conducting data protection impact assessments (DPIAs).
What does this mean for me, a company based in the DIFC?
Companies processing personal data will need to audit their existing data use in order to update processes, contracts, notices and employee awareness to ensure compliance with the DPL. In particular:
Audit: Companies should consider undertaking an audit of their processing activities to ensure that (1) data being processed is relevant, accurate and being processed for the purposes for which it was collected; (2) consents obtained remain valid; and (3) appropriate technical and operational measures are in place. Audits are crucial to start populating registers of processing activities that record personal data use.
Accountability: Written policies and procedures need to be in place to demonstrate compliance with the regime. This should include data breach management procedures and handling data subject rights.
Employment: Companies should update employment contracts to reflect the DPL regime, taking note changes to consent requirements.
Supply Chain Management: Companies outsourcing their processing activities (e.g. payroll, HR, recruitment, direct marketing, employee benefits) will need to enter into robust data processing agreements with their suppliers to ensure compliance with the DPL. Audits of supply chain are essential.
Notices: Businesses should ensure that employees, customers and suppliers are all informed of how and why their personal data is being processed and the data subject rights they benefit from. This will require updating of privacy notices.
Training: Companies should undertake staff training to ensure that changes are understood and to explain what is expected of staff when handling personal data.
How can we help?
AG's experienced data protection professionals can help prepare organisations for the new DPL. Our firm's Data & Privacy Solutions team is experienced in handling data protection compliance for many international organisations and FTSE100 companies. For practical assistance please contact our team.