By Thomas Bicknell
The new Data Protection Law works to protect the fundamental rights of data subjects, including how such rights apply to the protection of personal data in emerging technologies.
Following the recent update to the Dubai International Financial Centre (DIFC) Data Protection Law, which came into effect on July 1, businesses in the DIFC have three months to update their policies, processes and contracts to reflect a wide-ranging new set of requirements, which include expanded rules on the processing of personal data, new rights for data subjects, and notification of data breaches.
The new Data Protection Law, DIFC No. 5 of 2020 (the DP Law), has been drafted in line with international best practice standards, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act. It lays out new rules and regulations regarding the collection, handling, disclosure and use of personal data in the DIFC by providing standards and controls for the processing and free movement of personal data.
It also works to protect the fundamental rights of data subjects, including how such rights apply to the protection of personal data in emerging technologies.
The DP Law applies to all businesses incorporated in the DIFC that process personal data. The actual location of processing is immaterial; this provision has been introduced to remove any doubt over which firms are in scope. The DP Law also applies to businesses not incorporated in the DIFC but which process personal data in the DIFC as part of "stable arrangements", rather than just on occasion.
This means that payroll providers, cloud software providers and other suppliers who process personal data in the DIFC will need to be aware of their obligations under the law. Businesses now have three months to prepare for the 1 October 2020 deadline or run the risk of facing fines of $5,000 to $100,000 for non-compliance.
Responsibility for meeting the new requirements of the DP Law cannot be left solely to legal and compliance teams. Instead, compliance with data privacy obligations requires everyone in an organisation to understand their role and responsibility to keep personal data safe and secure.
There are several actions businesses should consider taking between now and 1 October 2020 to ensure they are prepared for and compliant with the new law.
Firstly, businesses will need to conduct a thorough review of their current and planned future processing activities to identify what personal data is being collected and to ensure that any data collected is relevant, accurate and processed only for the specific purpose for which it was collected. This includes ensuring that the business has a lawful basis to process such data.
Businesses should also look at populating registers of processing activities that record personal data use, and start raising internal awareness of the new requirements. They should look to update privacy notices and customer-facing terms and conditions to address the changes in the DP Law – this will include alerting customers to their new data subject rights. They should also review and remediate existing controller/processor contractual arrangements, and put contracts in place with processors that contain the mandatory provisions required by the DP Law.
In addition, businesses registered in DIFC should start implementing new data breach procedures to ensure that notifications are made to the commissioner and data subject, as required, in a timely manner.
Under the terms of the DP Law, companies conducting so-called 'high risk processing activities' are required to appoint a data protection officer (DPO), who will be responsible for monitoring compliance with the law and other applicable privacy laws, acting as a contact point for the commissioner, and overseeing all data protection impact assessments the business undertakes.
It is therefore essential for business owners to evaluate whether 'high risk processing activities' are being conducted, to ensure compliance with the new law. High risk processing activities include processing large amounts of personal data, including staff and contractor personal data, or processing data through new technologies or methods, which can pose a greater risk to the security or rights of a data subject.
The implementation of the new DP Law is likely to help the DIFC in its bid for adequacy status with the European Commission. If achieved, the DIFC will be deemed to be offering an equivalent standard to the protections afforded in other recognised data privacy regimes worldwide. In practice this should mean that businesses operating in the DIFC will be able to transfer personal data into and out of the DIFC with much more ease.