With the increased flow of information and the development of technology across borders, additional importance is given to data protection matters. Following the steps of the European Union and adopting the well-recognized concepts of the General Data Protection Regulation (GDPR), the Dubai International Financial Centre (the DIFC), one of the first jurisdictions in the Middle East to draft a data protection law in 2007, is revamping its data protection regime and a new DIFC Data Protection Law is expected to enter into force on July 1st, 2020 (the New DIFC Data Protection Law).

Through the New DIFC Data Protection Law, the DIFC aims to be placed among the top-tier free zones regulating the processing of data through platforms and applications. The New DIFC Data Protection Law will apply equally to controllers and processors incorporated in the DIFC, regardless of whether the processing of personal data takes place inside or outside the DIFC.

Companies will benefit from a three-month grace period to fulfill the requirements of the New DIFC Data Protection Law. What are the key changes introduced by the New DIFC Data Protection Law, and what actions should be taken to ensure compliance with the new data protection rules and avoid sanctions?

1. Key Changes and Similarities with the GDPR

The New DIFC Data Protection Law adopts many familiar standards introduced by the GDPR, including the following:

  • Using the same definitions for “Data Subject”, “Processor”, “Controller”, “Personal Data” and other key terms.
  • Adopting the principles of fair, lawful and transparent processing of data.
  • Prohibiting data processing without an individual’s clear and affirmative consent.
  • The ability for individuals to withdraw consent and to access and request the deletion of their data (i.e. “the right to be forgotten”).
  • Meeting the adequate level of protection test: sharing and transfer of the processed data can only take place if (1) the transfer is to a country or international organization that provides a high level of data protection or applies data protection standards similar to those adopted by the Commissioner of Data Protection in the DIFC, (2) appropriate safeguards are put in place, or (3) the transfer of data is based on the explicit consent of the data subjects.
  • Appointing a Data Protection Officer (DPO), which is mandatory for entities undertaking ‘high-risk processing activities’ (e.g. companies carrying out large-scale processing of sensitive personal data using blockchain, artificial intelligence, machine learning or other emerging technologies).
  • Adopting data minimization, accuracy, storage limitation, security, and accountability measures. In other words, a compliant business should not process any data which is not necessary to the services provided by the c
  • The right of an individual to be aware of how his/her information is collected, processed, and controlled.
  • Controllers should notify the Commissioner of Data Protection of the DIFC no later than 72 hours after a breach of a data subject’s confidentiality, security or privacy has happened, or is expected to happen, in the course of processing the data.

In addition to the above, the New DIFC Data Protection Law provides that data subjects cannot be discriminated against for exercising their rights and that all data subjects should have the same rights in relation to the processing and control of their data.

2. Actions to be Taken to Avoid Sanctions

If you are looking to incorporate a company in the DIFC, you are required, as a shareholder, to notify the Commissioner of Data Protection in the DIFC of the volume and type of personal data that will be processed through your company.

If your company is already established in the DIFC, consider revisiting your platform’s terms and conditions and privacy policy, and updating your agreements to reflect the new data privacy standard. In addition, you should train and inform your company’s employees, customers, and suppliers about your business’s processing strategies and how the collected data is to be handled.

Failure to comply will expose you to liability. According to the New DIFC Data Protection Law, controllers and processors can be subject to (1) administrative fines of up to USD 100,000, (2) unlimited fines imposed by the Commissioner of Data Protection for breaches, and (3) compensation to be paid directly to the data subject upon court order.

Way forward

Further updates are expected to be provided by the DIFC in the coming months. However, preparing to comply with the New DIFC Data Protection Law during the grace period is crucial to avoid fines and sanctions. You can always book an online consultation with a lawyer on Lexyom to discuss the particular needs of your business and the updates to introduce to your platform’s agreements.