Knowledge safety reform is sweeping the United Arab Emirates. Two new legal guidelines got here into pressure not too long ago within the monetary districts of Dubai and Abu Dhabi.

Ibrahim Hasan

The Dubai Worldwide Monetary Centre (DIFC) Knowledge Safety Legislation No. 5 of 2020 (DPL 2020) regulates the gathering, dealing with, disclosure and use of private knowledge, and consists of enhanced governance and transparency obligations. It replaces the earlier knowledge safety regulation within the type of DIFC Legislation No. 1 of 2007. DPL 2020 is carefully aligned with the EU Normal Knowledge Safety Regulation (GDPR) and its not too long ago born cousin, the UK GDPR.

DPL 2020 primarily applies to companies working within the Dubai Worldwide Monetary Centre (DIFC). That is the main monetary hub within the Center East, Africa and south-Asia area. The 110-acre DIFC district hosts 2,400 companies using over 25,000 professionals within the authorized, monetary, administration and regulatory sectors.

If a enterprise is registered within the DIFC or processes private knowledge inside the DIFC as a part of steady preparations (that’s, an information controller), it’s coated by the brand new regulation, in addition to any enterprise which processes private knowledge on behalf of both of the above (that’s, an information processor). As to the substance of the brand new regulation, those that find out about GDPR will discover all of the acquainted ideas in DPL 2020. These embody knowledge safety ideas and knowledge topics’ rights, in addition to transparency and governance obligations all carefully modelled on GDPR. Notable provisions embody:

  • Privateness notices: extra data is now required to be given to knowledge topics on the level at which their knowledge is collected, together with the authorized foundation for processing and their rights.
  • Knowledge safety affect assessments: these should be undertaken in relation to any new ‘excessive danger processing actions’. It will contain assessing the affect of the proposed knowledge processing operation on the dangers to the rights of knowledge topics.
  • Breach notification: knowledge controllers should notify the regulator in the event that they endure a private knowledge breach which compromises knowledge topics’ confidentiality, safety or privateness. Within the case of excessive danger, the info topics should additionally learn.
  • Knowledge processors: the brand new regulation imposes direct compliance obligations on knowledge processors, and a requirement to have written contracts between controllers and processors setting out the latter’s obligations.
  • Worldwide transfers: like GDPR, these can happen the place there may be an sufficient degree of safety for the non-public knowledge within the receiving nation as assessed by the regulator. Within the absence of such safety, the controller or processor should put in place applicable safeguards which might embody commonplace contractual clauses.

DPL 2020 requires each controllers and processors, who carry out high-risk processing actions, to nominate an information safety officer. The DPO have to be concerned in all knowledge safety points and monitor compliance. It’s a protected job so the DPO can’t be dismissed or penalised for performing it.

DPL 2020 is enforced by a regulator, the Commissioner of Knowledge Safety, who has the facility (amongst different sanctions) to difficulty administrative fines for breaches. The utmost high quality is $100,000. The DIFC courts might also require a enterprise to pay compensation on to knowledge topics. As well as, aggrieved knowledge topics can deliver an motion for compensation which isn’t topic to a cap. The commissioner can even do that on behalf of knowledge topics who’ve suffered materials hurt and who’re deprived of their capability to deliver their very own declare.

Abu Dhabi

On February 14 2021, the Abu Dhabi World Market (ADGM) enacted its new Knowledge Safety Rules 2021, changing the Knowledge Safety Rules 2015. These too are carefully modelled on the GDPR with broadly the identical provisions as mentioned above.

The brand new laws will come into pressure following a transition interval of 12 months for present companies (that’s, these established in ADGM earlier than February 14 2021) and 6 months for brand spanking new companies (that’s, these established in ADGM on or following 14 February 2021). They introduce an impartial Workplace of Knowledge Safety headed by a Commissioner of Knowledge Safety charged with selling and implementing knowledge safety inside ADGM, sustaining a register of knowledge controllers and upholding the rights of people.

What subsequent?

Knowledge controllers and processors have to act now to make sure compliance with the brand new legal guidelines. Failure to take action won’t simply result in enforcement motion but in addition reputational harm.

The next must be a part of an motion plan for compliance:

  1. Elevating consciousness in regards to the new legal guidelines in any respect ranges from senior administration all the way down to frontline employees.
  2. Finishing up a private knowledge audit and reviewing how information administration and knowledge danger is addressed inside the organisation.
  3. Reviewing data safety insurance policies and procedures within the gentle of the brand new, extra stringent, safety obligations significantly  breach notification.
  4. Revising  privateness insurance policies  within the gentle of the extra prescriptive transparency necessities.
  5. Writing insurance policies and procedures to cope with new and improved Knowledge Topic rights.
  6. Appointing and coaching a DPO. 


Ibrahim Hasan is a solicitor and director of Act Now Coaching (