New ADGM Data Protection Regulations: What it means for your business?

02 March 2021

On 14th February 2021, the Abu Dhabi Global Market (ADGM) enacted its new Data Protection Regulations 2021 (the Regulations). These Regulations will come into force and replace the current Data Protection Regulations 2015 regime following a transition period of 12 months for current businesses established in ADGM prior to 14th February 2021 and 6 months for new businesses established in ADGM on or following 14th February 2021.

These Regulations have been adopted soon after the DIFC Data Protection Law No 5 of 2020 (DIFC DP Law 2020), which governs the processing of personal data in the Dubai International Financial Centre (DIFC).

What is apparent from the Regulations, the recent DIFC DP Law 2020, and indeed the direction of data protection law generally in the UAE and wider region is that the General Data Protection Regulation (EU GDPR) principles are being adopted and reflected in new laws and regulations.

What are the key changes of the Regulations?

As mentioned above, the Regulations are no exception and align with the principles of the DIFC DP Law 2020 and the GDPR by introducing the following concepts and provisions:

  1. a Data Protection Fee for all Controllers subject to the Regulations. This fee has yet to be set by the Commissioner of Data Protection.
  2. the necessity of appointing a Data Protection Officer (DPO) in certain circumstances, i.e. where:
    1. processing is carried out by a public authority (excluding courts acting in their judicial capacity);
    2. processing operations require regular and systematic monitoring of Data Subjects on a large scale; or
    3. processing Special Categories of Personal Data is undertaken on a large scale.
    Companies that process high volumes of personal data and/or Special Categories of Personal Data (e.g. within the insurance, healthcare and tech sectors) may now be required to appoint a DPO, who does not need to be an employee but rather a person with the right professional skills (including an in-depth knowledge of the Regulations) to carry out this role.
  3. the notion of High Risk Processing Activities[1], which is also found in the GDPR and the DIFC DP Law 2020, leads to an obligation on the Controller to conduct a Data Protection Impact Assessment (DPIA). Given the wide scope of what constitutes High Risk Processing Activities, businesses will be required to carry out a detailed DPIA of their processing activities, the results of which will be taken into account by a Controller, or indeed the Commissioner of Data Protection, in determining or assessing whether appropriate measures have been taken in order to demonstrate compliance.
  4. a timeframe of two months to respond to Data Subjects' requests.
  5. the obligation for Controllers to notify the Commissioner of Data Protection of a Data Breach within 72 hours of becoming aware of it ("Data Breach Notification"). This is one of the obligations of the Controller taken from the GDPR.
  6. a new obligation of having appropriate policy documents when processing Special Categories of Personal Data.

    In practice, companies governed by the Regulations will need to update or draft policies and contractual documents, including and/or addressing the following:

    1. a data protection policy to be circulated among employees setting out why and how personal data will be collected, as well as how long the personal data will be retained;
    2. a privacy policy setting out the company's processing activities (in electronic format), which must include the following information:
      1. the name and contact details of the company's Controller and DPO;
      2. the type of personal data processed by the company;
      3. the purpose(s) of processing the personal data;
      4. the company's personal data retention policy;
      5. a description of the type of data subjects;
      6. a description of the people who will have access to personal data;
      7. an account of the "technical and organisational measures" implemented to ensure the security of personal data; and
      8. an account of all relevant safeguards applied when sharing personal data abroad (if applicable).
    3. the implementation of a deletion strategy and process to securely and permanently delete Personal Data after the retention period has expired.
    4. the preparation of written agreements (such as a form of data processing/sharing agreement or data processing/sharing addenda) with suppliers, distributors and clients (where needed).
  7. significant fines (for Controllers found in breach of the Regulations) not exceeding $28 million. It is worth noting that data subjects will now be able to seek compensation if they have suffered from a data breach.

Many of the new requirements in the Regulations reflect well-considered and detailed existing principles in the UK and EU, for example, where guidance and direction can be relied upon in considering your best compliance options.

In conclusion

This new legal framework shows a conscious and concerted effort from the UAE to adopt and comply with international data protection standards and best practice showcased by the GDPR. This will bring many advantages to businesses in the country, as the new regime is likely to increase and facilitate data flows between the UAE and other countries that are data protection conscious, such as the states of the European Union or the United Kingdom.

In view of this evolution towards more robust data protection regionally, we recommend that all companies active within the ADGM act quickly in their preparations for the enforcement of the Regulations in order to minimise any future delays and avoid fines for non-compliance.

Gowling WLG will continue to monitor the ongoing developments to guidelines and feedback from authorities before the full implementation of the Regulations and will continue to share these insights with you.

If you have any questions or concerns please contact Tony Fielding of Gowling WLG's Dubai office on +971 (0) 44375100.


[1] The Regulations define "High Risk Processing Activities" as the processing of personal data where one or more of the following applies: (a) a considerable volume of personal data will be processed; (b) the processing is likely to result in high risk to the rights of data subjects; (c) the processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automatic processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (d) the processing includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a data subject or renders it more difficult for a data subject to exercise their rights; or (e) the processing includes Special Categories of Personal Data, except where processing of such data is required by applicable law.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.