With the Court of Justice of the European Union recently striking down the "EU-US Privacy Shield", and with the ever-increasing reach of the GDPR and the California privacy laws, businesses face an unusually challenging environment in which to consider protections around client and employee data. The Dubai International Financial Centre (DIFC), in its capacity as a regulator, is now taking its turn to heighten regulatory control over the transfer, control and processing of personal data.
From 1 October 2020, all companies incorporated in the DIFC will need to ensure that relevant changes are undertaken with respect to data protection programs and measures, to ensure compliance with DIFC Data Protection Law 2020 (DPL).
The DPL replaces the DIFC Data Protection Law of 2007 and all regulations made under that old law. The DPL came into effect on 1 July 2020 and provides a three-month window for DIFC companies to achieve compliance. The DPL applies to the processing of personal data by a "Controller" incorporated in the DIFC, regardless of whether the processing itself takes place within the DIFC or elsewhere.
While not an exhaustive list, some of the key points to come out of the DPL are:
- Personal data (including that of employees) must be processed for a "legitimate purpose", and the relevant consents must be obtained before transferring it to third parties, including intra-group transfers to entities outside the DIFC.
- Specific rules apply to "special categories" of personal data and must be strictly adhered to.
- Significantly, Controllers of personal data within the DIFC are required to: establish a program to demonstrate compliance with the DPL; implement and maintain (updating where necessary) appropriate technical and organisational measures to demonstrate that data processing is performed in accordance with the DPL; implement and maintain a written data protection policy; and register with the Commissioner of Data Protection by filing a notification of their data processing operations.
Many DIFC Companies will need to consider undertaking the following, even at a basic level, in order to achieve DPL compliance prior to 1 October:
- Undertaking an assessment of the security measures in place around personal data, and of whether the personal data transfers the entity makes are appropriate.
- Preparing a Privacy Collection Notice for issue to all employees.
- Preparing a Data Protection Policy designed to demonstrate compliance with the DPL.
- Maintaining a written record of Processing activities.
- Ensuring Binding Corporate Rules (BCRs) are prepared where appropriate and submitted to the Commissioner of Data Protection for approval, so as to permit the transfer of Personal Data to certain jurisdictions.
- Appointing an appropriate Data Protection Officer.
- Ensuring appropriate agreements are in place with data processors (third parties) to meet the requirements of the DPL.
- Ensuring a Data Breach Response Plan is in place where appropriate, and that any existing data breach response plans are consistent with the DPL requirements.
The DPL is closely aligned in framework and content with the leading data protection regimes globally, and is now consistent with the EU's GDPR. Like its EU counterparts, the DIFC Commissioner of Data Protection now has wide-ranging powers in administering the DPL, together with appropriate enforcement powers to promote best practice.
If you are in doubt about the obligations of your DIFC entity and require assistance, please contact Ben Constance (Partner), Umera Ali (Partner) or Aisha Gondal (Director) at DWF.