The new Dubai International Financial Centre (DIFC) Data Protection Law (DPL) 2020, coming into effect on July 1, is expected to bring enhanced governance and transparency obligations.
Even though the law comes into force in July, businesses to which the law applies will have a grace period of three months, until October 1, 2020, giving organisations just a few months to make the changes required to bring compliance frameworks into line with the new law.
The new Data Protection Law replaces Data Protection Law DIFC Law No 1 of 2007, which was already one of the most advanced in the region. It places Dubai and DIFC at the forefront of data protection in the region and enables the financial hub to enhance the Centre’s data protection practices related to global data, security and privacy best practice.
It is now more important than ever for companies to have a data management strategy to ensure data compliance is taking place within an organisation – both from an operational and cultural perspective.
By encouraging data responsibility and implementing the latest data management tools, businesses can do their bit in preparing themselves for DPL 2020.
The new DPL 2020 law will actively benefit companies in a range of ways. Not only will it manage data effectively and ensure data compliance, but it will also increase companywide efficiency, provide a competitive advantage and protect against malware attacks.
The new DIFC Law reflects many of the requirements of the EU’s General Data Protection Regulation (GDPR), seen by many as the ‘gold standard’ for data protection compliance.
“From our previous experience in preparing for the GDPR coming into force, we recommend that organisations should start planning now. In particular, organisations should prioritise fact gathering and other time-intensive tasks such as contract remediation,” Kellie Blyth, head of Data and Technology at Baker McKenzie, said.
However, she said that there are some key differences between the GDPR and new DIFC Law, which organisations should be aware of.
“The new DIFC Law requires Controllers and Processors to appoint a DPO [data protection officer] if they carry out high-risk processing activities on a systematic or regular basis or if required to do so by the Commissioner.
“If a Controller or Processor is not required to appoint a DPO, the organisation must allocate responsibility within its organisation for oversight and compliance with its data protection obligations under the new DIFC Law (or any other applicable data protection law),” she said.
Time to act
The DPO must reside in the UAE, Blyth said, unless the DPO is employed within the organisation’s group and performs a similar function for the group on an international basis.
Blyth urged organisations in the DIFC to move swiftly to review their current data processing practices and to identify where their existing data protection policies and procedures will need to be updated to reflect the requirements of the new law.
“An important difference between the new DIFC Law and the GDPR is that DPOs are required to conduct an annual assessment which reports on the Controller’s processing activities and whether it intends to perform any “high-risk processing activities” in the following year,” Benjamin Slinn, Senior Associate for Data and Technology at Baker McKenzie, said.
He said that breaches of the GDPR can give rise to significant administrative fines of up to €10m or €20m or 2% or 4% of an organisation’s total annual worldwide turnover for the preceding financial year, depending on the provision of the law that has been breached.
By contrast, he said the new DIFC Law does not stipulate a maximum cap on fines and gives the Commissioner discretion to impose a general fine in an amount the Commissioner considers appropriate and proportionate, taking into account the seriousness of the breach and risk of actual harm to data subjects.
“The Commissioner can also impose administrative fines concerning contraventions of particular obligations under the new law which are set out in Schedule 2 and can range from $20,000 to $100,000,” he said.
Key differences between GDPR and DIFC Law
1. To whom does the new DIFC Law apply
The new DIFC Law applies to the processing of Personal Data by Controllers or Processors incorporated in the DIFC, regardless of whether the processing takes place in the DIFC; and Controllers or Processors that process Personal Data in the DIFC (i.e. where the means or personnel used to conduct the Processing are physically located in the DIFC) as a part of stable arrangements (other than on an occasional basis), regardless of their place of incorporation.
Therefore, although the New DIFC Law does not have an extraterritorial scope in the same way as the GDPR, it will capture Personal Data processing activities that take place outside of the DIFC, which are conducted by a company incorporated in the DIFC, as well as Personal Data processing operations carried out by non-DIFC organisations using people or systems in the DIFC.
2. Data protection principles
As with the GDPR, the new DIFC Law sets out a series of data protection principles that organisations must comply with, which include (amongst others) familiar concepts such as lawfulness, fairness and transparency and privacy by design and default.
The new DIFC Law imposes an express obligation on Controllers and Processors to establish a compliance program to demonstrate compliance with the new law. The complexity and level of detail in the program will depend in part on the scale and resources of the organisation in question as well as the risks the processing poses to data subjects. However, the program must demonstrate that the New DIFC Law’s core principles are embedded within the organisation.
3. Data protection impact assessments
Similar to the GDPR, the DIFC Law requires a data protection impact assessment (or DPIA) to be conducted in certain circumstances, specifically where the organisation is conducting “high-risk processing activities”. The threshold that triggers this requirement under the new law, as well as the required content of the DPIA, is similar to the requirements under the GDPR but is not identical.
Organisations will need to create (or review and update) a DPIA template and procedure to ensure DPIAs are conducted where necessary, and consult with the DIFC Data Protection Commissioner where required by the new law.
4. Breach notification obligations
Similar to the GDPR, the DIFC Law requires Controllers to notify the Commissioner about Personal Data breaches, although the threshold under the New DIFC Law for when a notification is required is not identical to the GDPR requirement. In addition, the DIFC Law only requires notification to the Commissioner “as soon as practicable in the circumstances”, and does not impose a 72-hour time limit as is the case under the GDPR. Notably, there is also a requirement to notify breaches to data subjects in certain circumstances.
5. Record of processing
Similar to the requirement under Article 30 of the GDPR, organisations will need to understand what Personal Data they hold, why they are using it, as well as other key information required to be documented within a record of processing. This is likely to be one of the most time-consuming tasks for organisations to complete and it should be prioritised. Organisations are required to review and maintain this record of processing on an ongoing basis.
6. Fair processing notices
Controllers are required to provide data subjects with fair processing notices. Although the content of such notices will be similar to those required to be provided under the GDPR, they will need to be tailored for compliance with the DIFC Law, in particular, to reflect one of the revised legal bases for processing. We note however that the legal bases set out in the new law offer an additional degree of flexibility when compared with those included in the GDPR.
If a Controller intends to process Personal Data in a way which will restrict or prevent the data subject from exercising their rights to rectification, erasure or objection to processing, the Controller is required to provide a clear and explicit explanation of the anticipated impact to the data subject and must be satisfied that the data subject understands the extent of such restrictions. This is a key difference compared to the GDPR.
7. Data subject rights
Data subjects have similar rights under the New DIFC Law to those set out in the GDPR, including the right to withdraw consent, access their data or seek rectification or erasure of their data (amongst various others). However, organisations have additional flexibility compared to the GDPR in respect of certain data subject rights such as the right to object to processing, automated individual decision making and data rectification or erasure. Importantly, under the new law, a Controller is prohibited from discriminating against a data subject for exercising their statutory rights.
Organisations will need to ensure that they have a policy and procedure in place to respond to and appropriately handle data subject requests within the periods stipulated. If organisations wish to leverage existing GDPR data subject rights policies, these will need to be reviewed and updated to reflect the nuances and differences between the GDPR and new law.
8. Legal basis for processing
Organisations processing Personal Data will need to ensure they have a valid legal basis under the new law for each processing operation they conduct, including for special categories of personal data. This assessment should be documented to demonstrate compliance with the new law.
The legal bases for processing under the new DIFC Law are similar in many respects to those available under the GDPR, although the DIFC Law provides additional flexibility, in particular concerning the legal basis for processing special categories of Personal Data.
Importantly, the standard for consent under the DIFC Law has been revised so that it reflects certain aspects of the GDPR; namely, it must be freely given and demonstrated by a clear affirmative act that shows an unambiguous indication of consent. Accordingly, if an organisation is relying on consent to conduct processing under the 2007 Law, the consent will need to be refreshed to satisfy the new standard for validity.
9. Contracts with processors
As with the GDPR, Controllers are required under the DIFC Law to ensure certain mandatory obligations are included in agreements with Processors processing Personal Data on their behalf. This marks a significant change to the 2007 Law.
Although the list of mandatory terms is very similar to the GDPR, the audit rights required to be included in the agreement must extend to allowing the Commissioner to audit/inspect the Processor. Importantly, under the new DIFC Law, both the Controller and the Processor will be in breach of the law if they commence mutually agreed processing without having such a written contract in place.
Organisations should review and update existing contracts, as well as ensuring any new contracts include appropriate data processing terms. From our experience gained preparing for the GDPR coming into force, this contract remediation exercise can take a significant amount of time and must be commenced without delay.
10. International data transfer restrictions
The new DIFC Law contains similar international data transfer restrictions to the GDPR, which will apply in respect of all transfers of Personal Data outside of the DIFC including to the UAE.
Under the new law, organisations will no longer have the option to apply to the Commissioner for permission to make cross-border data transfers, and such transfers will only be permitted where there is an adequate level of protection in place to protect the Personal Data, or where one of the derogations set out in the DIFC Law applies (for example, explicit consent or performance of a contract) and appropriate safeguards are in place.
Organisations will need to map their data flows to understand where Personal Data is being transferred to, whether inside or outside of their corporate group, and ensure that adequate safeguards are put in place, including where necessary standard contractual clauses.
11. Joint controllers
Similar to the GDPR, where Controllers jointly determine the means and purposes of the processing, they will be deemed to be “Joint Controllers”. Under the new DIFC Law, there must be a legally binding written agreement (not an “arrangement” as is the case under the GDPR), which sets out their respective responsibilities, including the process for how data subject rights can be exercised and who is responsible for delivering fair processing notices to data subjects.
The written agreement (or a summary of it) must also be made available to data subjects.
12. Default privacy preferences
If a Controller offers online services via a platform, the new DIFC Law requires that the default privacy preferences on the platform are set to ensure that no more than the minimum amount of Personal Data necessary to deliver or receive the service is collected.
13. Notification of processing operations
As was the case under the 2007 Law, Controllers and Processors are required to register with the Commissioner by filing a notification of processing operations. This notification must be kept up to date on an ongoing basis.
This notification and fee payment obligation applies to both Controllers and Processors, and it will be necessary to ensure these are made to the Commissioner and maintained on an ongoing basis.