New DIFC Data Protection Law Takes Effect 1 July

June 24, 2020

Requirements under a new Dubai International Financial Centre data protection law will apply within the DIFC from 1 July 2020.

The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DPL 2020) will come into force on 1 July 2020, repealing and replacing the DIFC Data Protection Law No. 1 of 2007 (2007 DPL). The DPL 2020, as with the 2007 DPL, regulates the collection, handling, disclosure, and use of personal data within the DIFC, but more closely aligns legislation in the DIFC with the framework of the EU General Data Protection Regulation (GDPR).

All business incorporated in the DIFC and other data controllers or processors that process personal data in the DIFC will become subject to the DPL 2020. Processing in the DIFC occurs when the means or personnel used to conduct the processing activity are physically located in the DIFC, such as a server or services employees.

The DPL 2020 provides for a three-month transition period during which businesses must start to implement the necessary changes for compliance, and full compliance is mandatory as of 1 October 2020. All businesses that are subject to the DPL 2020 should be conducting an internal review of their compliance policies as soon as possible.

The board of directors of the DIFC Authority will issue the necessary data protection regulations to provide guidance to data processors and controllers regarding notifications to the commissioner of data protection, applicable fines for failing to comply, and recordkeeping, and determining the list of foreign jurisdictions where data transfers from the DIFC are lawful.

The DPL 2020 introduces the following key changes:

  1. Data subjects must give clear and unambiguous consent to the processing of their personal data for specific purposes, and they have additional rights in relation to their personal data, including the right to data portability, the right to withdraw consent, and a time limit in which to respond to a data subject access request.
  2. Additional information must be provided in privacy notices, such as the lawful basis on which personal data is processed by the controller and, where applicable, the fact that personal data is intended to be transferred outside the DIFC (if applicable).
  3. Businesses must conduct a data protection impact assessment (DPIA) in relation to “high-risk processing activities” under Article 20 of the DPL 2020.
  4. There is a requirement for data controllers to produce a record of processing activities (ROPA) which complies with the requirements of Article 15 of the DPL 2020.
  5. General requirements for the processing of personal data will come into force, including that personal data must be processed fairly and transparently; be limited to the specific purpose(s) of its collection; be accurate; be updated on a regular basis; and be retained for no longer than is necessary to achieve the specific purpose(s) of collection.
  6. There is a requirement under Article 16 of the DPL 2020 to appoint a data protection officer (DPO) where a controller or processor performs high-risk processing activities. Businesses must be able to provide details of the persons with such responsibility to the DIFC data protection commissioner upon request. The DPL 2020 provides detailed requirements with regard to the appointment of the DPO, including independence, ability to perform the tasks required, and access to senior management.
  7. Controllers will be required to notify the data protection commissioner if a data breach compromises any data subject's confidentiality, security, or privacy.
  8. Additional auditing and recordkeeping requirements will be introduced, including that data controllers must produce a ROPA which meets the specific requirements set out under Article 15 of the DPL 2020.
  9. Controllers must enter into a legally binding agreement with each of their processors that meets a set of carefully defined conditions.
  10. The data protection commissioner now has the power to issue more serious fines for breaches of specific articles under the DPL 2020. Fines range from USD 25,000 to USD 100,000 for each infringement, of which there are a total of 35 under the DPL 2020. The maximum fine under the 2007 DPL was USD 25,000.

High-risk processing activities fall under any of the following circumstances:

  1. New technologies are being used to process personal data.
  2. There is a considerable amount of personal data to be processed and it is likely to cause high risk to data subjects.
  3. The processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing.
  4. A significant number of special categories of personal data are to be processed.

Businesses that fall within the jurisdiction of the DPL 2020 should be taking immediate steps to conduct an assessment of their internal data protection policies and identify gaps. Key considerations will be ensuring that a DPIA is undertaken where necessary and creating a ROPA. Businesses will also need to consider whether their privacynotices are compliant with the DPL 2020 and check the policies that they have in place for a data breach and whether it would be sufficiently escalated.

As the new requirements mirror those in the GDPR, businesses that already meet GDPR compliance requirements should be in a good position to meet the DPL 2020 requirements.