September 29, 2020
The key changes combine the best practices of the GDPR and the California Consumer Privacy Act, the two latest world-class data regulations. Governance and transparency are the watchwords of the new regulation, which gives international recognition to the DIFC.
This principle of transparency introduces new actors: Controllers and Processors will have to be able to demonstrate compliance with DPL 2020. Some companies will also need a data protection officer (DPO) if their activities are considered “high risk processing” (e.g. large-scale processing of sensitive personal data, or processing using Blockchain, A.I., machine learning or other emerging technologies); failure to appoint one may result in a fine of up to $50,000.
A data protection officer (DPO) is the leadership role required by the DPL, responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with the requirements of the DP Law and other applicable privacy laws. Generally, the DP Law requires the DPO to be resident in the UAE.
The DPO must:
For companies that are preparing for the changes, it’s important to distinguish the aspects of the regulation that really need to be managed from those that may be due to misunderstandings and myths.
Data Protection Principles:
The DPL is all about giving consumers more control over their data while increasing the accountability of organisations through transparent processes.
Raise awareness among employees through clear communication and training on how data should be processed.
The DPL makes it mandatory for companies’ newly designated controllers to report a personal data breach not only to the DIFC Commissioner of Data Protection but also to the data subject if it is likely to result in a risk to people’s rights and freedoms.
Make sure to define roles and responsibilities and to have a clear data breach notification procedure.
Rights of Individuals: The new legislation gives customers more visibility and governance over their personal data, with full respect for the following rights: the right to withdraw consent, the right to access, the right to data portability, the right to object to automated decision-making, including profiling, and the right not to be discriminated against.
Make sure to review your data collection and management process and include this step prior to any project (privacy by design).
Transfer of personal data outside the DIFC: Under the DPL, companies are still allowed to transfer data across the territory’s borders if the destination country’s data security level is aligned with world-class data regulations.
Audit your partnerships, review all commercial agreements and employee contracts, and check how this data is processed.
Information destruction: Under the DPL’s ‘right to be forgotten’, organisations should not keep personal information for any longer than necessary, and they must delete or remove the information at the owner’s request.
Put processes in place to collect and keep only the confidential information that is needed for operations and compliance.