Data protection officer’s role

DIFC entities must now appoint a data protection officer (a DPO) in certain cases. This requirement applies to certain DIFC bodies, as well as all entities undertaking high- risk processing activities (including, among other things, processing that includes the adoption of new or different technologies or methods that materially increase the risk to data subjects or renders it more difficult for data subjects to exercise their rights). The DP Law regulates the requirements and the legal status of a DPO. The law provides that the DPO should be resident in the United Arab Emirates (UAE); however, it also recognises that, in some cases, organisations will already have an appointed DPO outside the UAE and so provides exception for this.

Extra-territorial application

The DP Law includes within its scope the processing of personal data by businesses operating or conducting business in or from the DIFC, regardless of where the processing takes place and whether the business processing personal data is incorporated in the DIFC. Therefore, businesses conducting activities within the DIFC will no longer be able to circumvent these obligations by processing personal data outside of the DIFC. This is somewhat similar, in principle, to the extra-territorial application of the GDPR.

Data subject rights

The data subject rights in the DP Law, which are now broader, are similar to the rights under the GDPR. These new rights include, without limitation, (i) the right to withdraw consent, (ii) the right to restriction of processing, (iii) the right to non-discrimination against a data subject (the individual to whom the personal data relates) for exercising any of the data subject rights, (iv) the right to data portability, (v) the right to object to automated individual decision-making including profiling, and (vi) the right to know the recipients of the personal data.

Consent

Strict rules are now in place around the circumstances in which any person in the DIFC who determines the purposes for which, and the manner in which, any personal data is to be processed (the Controller) can rely upon the consent of an individual as a ground for processing personal data. The standard of consent reflects certain aspects of the GDPR. The DP Law requires consent to be freely given by the data subject through a clear affirmative act showing an unambiguous indication of consent.

The Controller should implement appropriate measures to assess the ongoing validity of the consent and withdrawal of consent, including documenting the assessment in order to demonstrate compliance with the new law.

Data breaches

If the business is registered as a ‘data controller’, the DIFC Commissioner of Data Protection (the Commissioner), and in certain circumstances the data subject, will need to be notified ‘as soon as practicable’ in the event of a data breach that compromises any data subject’s security and rights. Fines may be imposed for any failure to notify within the relevant time limits imposed by the DP Law.

Governance / record of processing

As part of the DP Law’s governance / accountability requirements, the Controller will need to keep detailed records of the personal data they process, which has to contain at least the information prescribed in the DP Law, in a designated register.

Of course, as key information will be required to be documented, no doubt this will be a time consuming task for most organisations but it should be prioritised, reviewed and maintained on an ongoing basis to ensure compliance with the law.

Fines

As you may be aware, breaches of the GDPR can give rise to substantial administrative fines of up to tens of millions or a certain percentage of an organisation’s' total annual worldwide turnover for the preceding financial year, depending on the breach. In relation to the DP Law, the Commissioner may impose administrative fines in relation to contraventions of particular obligations, which range from US$10,000 - US$100,000.

Also, the Commissioner has the discretion to issue larger fines for more serious contraventions and the risk of actual harm to any relevant data subjects. It is worth noting that data subjects also have the right to seek compensation for breaches of their individual rights by bringing legal proceedings before the DIFC courts.

What should DIFC entities look to do?

Starting from 1 October 2020, all DIFC entities will be required to be in full compliance with the requirements of the DP Law. Any entities that have not yet completed the implementation of the new systems and requirements should endeavour to do so by that date.

How we can help?

To ensure compliance with the DP Law, some of the issues we can assist DIFC entities with include (without limitation):

• Auditing the entity’s existing systems, flagging any instances of non-compliance and assisting in remedying such non-compliance
• Reviewing and updating the DIFC entity’s existing policies, terms of business and other internal and business related material
• Providing high-level training for the DIFC entity’s staff to ensure that all personnel have the appropriate level of understanding of their respective responsibilities under the DP Law
• Reviewing existing employment and commercial agreements and recommending relevant changes and/or notices