The long-awaited revamp of the data protection regime has finally arrived in the DIFC. As one of the first jurisdictions in the Middle East to draft a stand-alone data protection law, the DIFC has always stood on the forefront of ensuring that the best standards of privacy and data protection would be a key building block of the financial center.
DIFC Law No. 5 of 2020 will come into force at the beginning of July offering entities in the center a 3-month moratorium to comply with the new legislation. As has been expected, the New Data Protection Law has utilized the now recognized standard of the GDPR to underpin the changes to the DIFC data protection regime.
Key Factors of the New Data Protection Law
The New Data Protection Law offers many familiar features in its protection mechanisms including the following:
- Appointment of a Data Protection Officer ("DPO"): while recommended for all DIFC entities, only those undertaking high-risk processing activities, as defined in the New Data Protection Law, will be obligated to appoint a DPO.
- Clear and affirmative consent must be provided before data can be processed: individuals whose data is processed must also be informed of their right to withdraw consent and how to do so.
- Upgraded rights for individuals whose personal data is collected: following the "right to be forgotten" feature of the GDPR, the New Data Protection Law provides clear rights to individuals including provisions addressing discrimination and how individuals can effectively exercise these new rights.
- Written record of data that is processed: the processing of any data by a DIFC entity must now be recorded in writing up to a minimum standard set out in the New Data Protection Law.
- Framework for data breaches: entities in the DIFC now have an updated regime to follow in the event of a data breach.
- Data sharing and data export: enhancing the previous regime, the New Data Protection Law allows for a mechanism to determine whether a transfer to a particular jurisdiction will meet the "adequate level of protection" test.
What action should I take?
If you own or operate a DIFC entity you will need to carefully consider the type and volume of personal data that you currently process in order to determine your level of compliance with the New Data Protection Law. You will also need to amend certain provisions of your standard agreements to consider the new standard of data privacy.
We expect the DIFC to provide further updates within the next months including with regards to the appointment of the role of Commissioner who will hold several critical decision-making roles under the New Data Protection Law
The full text of the new law can be accessed here (hyperlink: https://www.difc.ae/files/6215/9056/5113/Data_Protection_Law_DIFC_Law_No._5_of_2020.pdf).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.