The DIFC Data Protection Law 2020: How to manage Personal Data (part 2)

11 May 2020


Following our first article on the key changes to the DPL 2020, DIFC-based companies now need practical advice on how their organisations should manage the Personal Data they Process as part of their business operations. Undefined capitalised terms in this article have the same definitions as provided in the first article of this series.

What should you do if a governmental authority requests that you share the Personal Data you hold?

Before sharing any Personal Data with a federal governmental authority, a company's Controller must satisfy all the following conditions:

  • exercise reasonable caution and diligence regarding the validity of the request (e.g. ensuring that the authority has the power to make the particular request);
  • ensure that the extent to which Personal Data is shared is proportional and relevant to the purpose and objectives of the request;
  • assess the potential risks to the Data Subject's rights and implement appropriate measures to minimise such risks (e.g. redacting the Data Subject's Personal Data to ensure that the Personal Data that is shared is limited to that which is necessary to fulfil the objectives of the request); and
  • obtain a written declaration from the federal governmental authority undertaking that it will respect the Data Subject's rights under the DPL 2020.

What if there is a security breach within your organisation?

Should there be a Personal Data Breach[1] compromising the security, confidentiality or privacy of Personal Data held by your organisation, Controllers must notify the breach to the Commissioner of Data Protection ("Commissioner"). If a breach is classified as 'high risk', the Data Subjects who are affected by the breach must also be notified.

The notification must include the following information:

  • the number of Data Subjects and Personal Data records affected;
  • the name and contact details of your Data Protection Officer ("DPO") (if applicable);
  • the likely effects of the breach; and
  • the measures to be taken by the Controller to mitigate the likely adverse effects of the breach.

It is important to note that in order to demonstrate compliance with the DPL 2020, you should maintain a readily-accessible document in electronic form detailing any and all Personal Data breaches that have occurred.

Are you liable for damage suffered by Data Subjects?

Potentially yes. At the discretion of the DIFC Courts, a Controller and/or Processor[2] may be liable to pay compensation to Data Subjects whose Personal Data is affected by a breach. Unlike in the GDPR, levels of penalties are not detailed in the DPL 2020. Additionally, an administrative fine (the amount of which will be determined by the Commissioner) could be imposed.

Under the DPL 2020, the liability of Controllers and Processors is assessed as below:

Role | Liability
Controller | Is liable if it processes Personal Data in any manner that infringes the DPL 2020.
Processor | Is liable if it acts in a way that is contrary to the Controller's instructions or if it has not complied with its obligations as set out by the Controller.
Controller and Processor | Are jointly and severally liable where both are responsible for the damage caused to the Data Subjects involved.

When and how must Personal Data be deleted?

Your organisation must have a clear retention policy in place, setting out when the retention of Processed Personal Data is no longer necessary and the data must be deleted. Where the scope and purpose of Processing[3] the Personal Data no longer exist or where a Data Subject[4] requests deletion (in limited circumstances), you must ensure that the relevant Personal Data is permanently and securely deleted.

A few practical tips:

  • Implement an internal data retention policy to ensure permanent deletion of Personal Data after it is no longer needed.
  • Prepare and maintain an electronic document listing any Personal Data breaches.
  • Share Personal Data with federal government authorities only where you can demonstrate fulfilment of the conditions (as set out above) as required by the DPL 2020.
  • Ensure that all staff Processing Personal Data within your company (and any Controllers and/or Processors you do business with) are made aware of their responsibilities and potential liability, and are able to comply with the DPL 2020.


Co-authored by Rifdi Shuhaimi and Tony Fielding.


[1] A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
[2] Any person who Processes Personal Data on behalf of a Controller.
[3] Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restricting, erasure or destruction of Personal Data.
[4] The identified or identifiable natural person to whom Personal Data relates.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.