The UAE has undertaken a review of their data protection laws and new rules have been introduced to better align with global standards. But what does it mean for businesses operating in the region and how can they ensure they are compliant?
Data protection standards across the UAE bolstered for 2022
In 2018, the toughest privacy and security law in the world was introduced in Europe: the General Data Protection Regulation (GDPR). The GDPR not only governs the processing of European citizens' data (regardless of where in the world the processing takes place), it also prevents the data of European citizens from being exported unless a similar standard of rules exists in the receiving jurisdiction. Since then, it has become a priority for jurisdictions with less stringent rules to change their legislation, in order to be seen to be compliant and to be more attractive for investment.
As a result of this, data protection standards across the UAE have become a focal point for improvement. Areas such as the Free Zones of the DIFC and the ADGM have enacted their own data protection standards, the DIFC DP Law of 2020 and the ADGM DP Regulations.
Outside of the Free Zones, the recently enacted Federal Decree Law Number 45 of 2021 (2 January 2022) introduces a 'gold standard' data protection law – the Federal Personal Data Protection Law ('PDPL').
What are the benefits?
The more stringent rules on the protection of data will also improve a company's ability to provide transparency and thus better enable them to comply with international standards. For global companies looking to do business in the region, this is likely to increase its attractiveness and make the UAE more favourable to investment.
Additionally, having a robust data protection policy promotes a respect for an individual's privacy and the processing of their data, often raising the trust that individuals have in an organisation.
In recent years, advances in technology and an increase in the use of cloud platforms have resulted in a rise in cyberattacks, and security breaches are a daily occurrence. Compliance with strict data protection rules has often resulted in organisations making improvements to their own policies on cyber security at the same time. A report by RSM in August 2020 stated that 82% of companies surveyed advised that the changes in their approach to cyber security were a result of the introduction of the GDPR.
Some key factors stipulated in the PDPL
The key basis of PDPL is the lawful validity of processing personal data. Organisations must obtain consent from the data subject to lawfully process their personal data.
Records of data processing must be kept and should include the duration, limitation and scope of the processing; the mechanism for personal data erasure or modification; the purpose of the processing; information related to cross-border transfer; and a description of the technical and organisational procedures relating to data security. These records must be made available to the Data Office whenever it requests them.
As per Article 21 of PDPL, when there is a high risk to the confidentiality and privacy of the data subject's personal information, each organisation must perform a Data Protection Impact Assessment (DPIA) under prescribed conditions. In these circumstances, a Data Protection Officer must be appointed to oversee the organisation's compliance with the law.
The law also stipulates that it is mandatory to report any data breaches within an organisation to the Data Office, the newly established regulatory authority for data protection compliance.
Who does it apply to and when do the rules come into play?
The Federal Personal Data Protection Law will apply to any organisation which is incorporated in the UAE as well as any organisations outside of the UAE which process personal data on data subjects located in the UAE. Organisations will be required to comply, with a proposed transition period of six months from the release of the Executive Regulations. While the expected date of the Executive Regulations was the end of Q1 2022, they are currently delayed.
An organisation's non-compliance with the PDPL will likely have strict consequences. As we know from the GDPR, breaches of the regulation can result in a €20 million fine, or up to 4% of global annual turnover. We expect to see similar penalties under the PDPL, but will only know the details when the Executive Regulations are published.
Talk to us
TMF UAE can help to manage all of your compliance obligations in the Emirates – from recommending the most appropriate type of entity and jurisdictions for your set up to ongoing management accounting, corporate governance and even your payroll.
From establishment to business as usual, and right through to wind-down, TMF Group's UAE office can help you at any stage of your company's life cycle. Our teams provide local knowledge combined with global reach, helping you to do business seamlessly across borders.
Contact our experts today to find out how we can help you grow your business.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.