Following our second article on managing Personal Data, DIFC-based companies should now be considering immediate practical steps to take in order to be compliant in their business operations.

Undefined capitalised terms in this article have the same definitions as provided in the first and second articles of this series.

Step 1 - Personal data audit assessment

We recommend that DIFC-based companies Processing any Personal Data carry out a thorough data audit to:

  1. ascertain what Personal Data they Process and hold;
  2. determine where the Personal Data is held (e.g. hard copy records, emails, cloud platforms, etc.);
  3. identify who has access to the Personal Data; and
  4. ensure that any Personal Data held (including within IT systems) is kept in a secure and reliable manner.

Step 2 - Consider compliance measures

Companies Processing Personal Data should carry out the following compliance exercises to ensure that they comply with the DPL 2020.

  1. Implement "technical and organisational measures" within the business as a whole to ensure the lawfulness of Processing activities and the security of any Personal Data Processed. These measures essentially must:

    • consider the risk(s) and purpose(s) of Processing Personal Data on a case-by-case basis;
    • give access to Personal Data only to people within the organisation on a need-to-know basis;
    • ensure that only Personal Data which is necessary for each specific purpose is Processed;
    • incorporate measures within the IT department to protect Personal Data by default;
    • be reviewed and updated on a regular basis; and
    • ensure that any online platform through which services are offered requires Data Subjects[1] to choose their Personal Data collection settings.
  2. Draft a data protection policy to be circulated among employees setting out why and how Personal Data will be collected, as well as how long the Personal Data will be retained.
  3. Draft a privacy policy setting out the company's Processing activities (in electronic format), which must include the following information:
    • the name and contact details of the company's Controller[2] and Data Protection Officer ("DPO");
    • the type of Personal Data Processed by the company;
    • the purpose(s) of Processing the Personal Data;
    • the company's Personal Data retention policy;
    • a description of the type of Data Subjects;
    • a description of the people who will have access to Personal Data;
    • an account of the "technical and organisational measures" implemented to ensure the security of Personal Data; and
    • an account of all relevant safeguards applied when sharing Personal Data abroad (if applicable).
  4. Implement a deletion strategy and process to securely and permanently delete Personal Data after the retention period has expired.
  5. Prepare written agreements (such as a form of data processing/sharing agreement or data processing/sharing addenda) with suppliers, distributors and clients (where needed).

Step 3 - Consider the information that must be provided to Data Subjects when Processing their Personal Data

Does your company provide Data Subjects with the following information, in writing, when Processing their Personal Data (e.g. in a privacy policy or notice)? If not, the company must ensure that it provides Data Subjects with:

  • the Data Subjects' rights under the DPL 2020;
  • who their Personal Data will be shared with;
  • how long their Personal Data will be stored for;
  • why their Personal Data is being collected;
  • the steps taken by the company to comply with its obligations under the DPL 2020;
  • whether the Processing of their Personal Data may restrict the Data Subjects' rights under the DPL 2020;
  • details of the security measures in place when their Personal Data is to be shared abroad; and
  • the DPO's contact details (if applicable).

What does the future of data protection hold regionally?

Unsurprisingly, the Middle East is now embracing new data protection frameworks and laws, aligning with the rest of the world and, in particular, with the principles of the GDPR. The UAE, particularly given the DIFC laws and regulations, has been at the forefront of this adoption. Data protection laws and frameworks are growing regionally, as are regulatory agencies and authorities responsible for the enforcement of the rights protected under the relevant laws. These rights and the laws protecting them will only continue to gain importance and attract higher degrees of attention, enforcement action and publicity across the region.

In view of this evolution towards more robust data protection regionally, we recommend that all companies active within the DIFC act quickly in their preparations for the enforcement of the DPL 2020 in order to minimise any future delays and avoid penalties for non-compliance.

Gowling WLG will continue to monitor the ongoing developments to guidelines and feedback from authorities before the introduction of the DPL 2020 and will continue to share these insights with you. If you have any questions or concerns, please contact Tony Fielding of Gowling WLG's Dubai office.

Should you wish to review the full draft of the DPL 2020, it has been published and is accessible on the DIFC's website.

For further information on data protection in the UAE please contact Alexandre Brazeau in our Gowling WLG Dubai office.

Read part 1 on the key changes and part 2 on how to manage personal data.

Co-authored by Rifdi Shuhaimi and Tony Fielding.

Footnotes

[1] The identified or identifiable natural person to whom Personal Data relates.
[2] Any person who, alone or jointly with others, determines the purposes and means of Processing Personal Data.