The DIFC Data Protection Law 2020: Key Changes (part 1)

Coming Up: New Data Protection Law

Organisations operating within the Dubai International Financial Centre (DIFC) will be legally obligated to comply with the Data Protection Law 2020 ("DPL 2020") by 1 October of this year. The DPL 2020 aligns the DIFC's data protection framework with international best practices, i.e. the EU's General Data Protection Regulation ("GDPR") and the USA's California Consumer Privacy Act.

What changes will matter to you?

If your DIFC-based business involves Processing^[1] Personal Data^[2], you need to be aware that the new DPL 2020 will come into effect from 1 October 2020.  To the extent that you are already compliant with the DIFC's existing Data Protection Law and Regulations, there are only a few months left to prepare your business and to comply with the additional requirements imposed, as set out below.

Will Data Subjects be given new rights?

Similar to the GDPR, one of the main changes brought about by the DPL 2020 is to grant additional rights to Data Subjects^[3] to:  

• know who will receive their Personal Data;
• withdraw any consent given for that data to be Processed;
• restrict the Processing of that data;
• obtain that data from the Controller^[4];
• not be subject to automated decision-making; and
• not be discriminated against for exercising any of their rights under the DPL 2020.

What are the requirements to be aware of when Processing Personal Data?

When Processing Personal Data, organisations must fulfil the following:

1. For the Processing to be lawful, you (the processing organisation) must rely on one or more of the following legal bases to Process Personal Data:
   • Data Subject has given consent freely in a clear and unambiguous manner;
   • Processing is necessary for the performance of a contract to which the Data Subject is a party;
   • Processing is necessary for compliance with the DPL 2020;
   • Processing is necessary to protect the Data Subject's interests;
   • Processing is necessary on behalf of the DIFC, DIFC Courts or competent authorities; or
   • Processing is necessary to share Personal Data within a group of companies or safeguard the company's information database.
2. The Personal Data must be:
   • Processed fairly and transparently;
   • limited to the specific purpose(s) of its collection - if there are multiple purposes, consent must be obtained from the Data Subject in respect of each purpose;
   • accurate;
   • updated on a regular basis; and
   • retained for no longer than is necessary to achieve the specific purpose(s) of collection.

If Processing Personal Data, you will have to demonstrate compliance with these rules to the Commissioner of Data Protection ("Commissioner") and implement appropriate technical and organisational measures to protect Personal Data against loss, destruction or damage.

Do you need to appoint a Data Protection Officer ("DPO")?

In short, no. Only businesses that carry out activities that qualify as "High Risk Processing Activities" require the appointment of a DPO. These high risk activities include Processing where:

1. automated decision-making is involved;
2. new technologies are being used to Process Personal Data;
3. a large amount of Personal Data to be Processed is likely to cause high risk to Data Subjects; and/or
4. a significant number of Special Categories of Personal Data^[5] are to be Processed.

The role of the DPO will mainly be to monitor and assist an organisation with its compliance obligations and to prepare and submit annual assessments and data protection impact assessments to the Commissioner.

Can you share Personal Data abroad?

Yes, subject to certain conditions. A company may only share Personal Data abroad if it is:

1. appropriately safeguarded (e.g. through an enforceable agreement, binding corporate rules, etc.);
2. a one-time share that is necessary for a legitimate interest - however this must still be suitably safeguarded; or
3. exempted under the DPL 2020 (e.g. the Data Subject consents to the sharing of his/her Personal Data abroad).

Furthermore, companies will need to abide by the DPL 2020 guidelines if a governmental authority outside the DIFC requests the transfer of Personal Data.

A few practical tips:

• Assess your Personal Data sets and data flows and determine if these changes affect your current operations.
• Ensure your Data Subjects are able to exercise their rights under the DPL 2020 by providing them with two simple methods of communication (e.g. by phone, email or online).
• Process Personal Data lawfully, to the extent that is necessary for the purpose(s) of collection, in a fair and transparent manner.
• If you will be undertaking "High Risk Processing Activities", appoint a DPO to monitor and assist with compliance obligations.
• Duly safeguard any Personal Data that you share abroad.

For further information on data protection laws in the UAE please contact Alexandre Brazeau in our Gowling WLG Dubai office.

Read part 2 on how to manage personal data and part 3 on practical steps for preparation.

Co-authored by Rifdi Shuhaimi and Tony Fielding.

Footnotes

[1] Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restricting, erasure or destruction of personal data.
[2] Any information referring to an identified or identifiable natural person.
[3] The identified or identifiable natural person to whom personal data relates.
[4] Any person who, alone or jointly with others, determines the purposes and means of Processing personal data.
here
[5] Personal data revealing (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life, including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.