September 29, 2020

New DIFC Data Protection Law

What are the key enhancements and implications of the DPL?

The key changes combine the best practices of GDPR and the California Consumer Privacy Act, the two latest world-class data regulations. Governance and transparency are the watchwords of the new regulation that gives international recognition to the DIFC.

This principle of transparency places explicit accountability on Controllers and Processors, who will have to be able to demonstrate compliance with DPL 2020. Some companies will also need a data protection officer (DPO) if they carry out “high risk processing” (e.g. large-scale processing of sensitive personal data, or processing using Blockchain, A.I., machine learning or other emerging technologies); failure to appoint one may result in a fine of up to $50,000.

What can a DPO help with?

A data protection officer (DPO) is the leadership role required by the DPL, responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with the DPL and other applicable privacy law requirements. Generally, the DPL requires the DPO to be resident in the UAE.

The DPO must:

  • be independent and act in a way that does not raise any conflict of interest
  • be the point of contact between the data protection authorities and individuals
  • provide best-practice support on policies and procedures
  • inform and advise the organisation and its employees on data protection

For companies that are preparing for the changes, it’s important to distinguish the aspects of the regulation that really need to be managed from the ones that may be due to misunderstandings and myths.

Here are 5 points of the regulation that organisations must ensure they get right.

Data Protection Principles:
The DPL is all about giving consumers more control over their data while increasing the accountability of organisations through transparent processes.
Raise awareness among employees with clear communication and training on how personal data should be processed.

Breach reporting:
The DPL makes it mandatory for Controllers to report a personal data breach not only to the DIFC Commissioner of Data Protection but also to the affected data subjects if the breach is likely to result in a risk to their rights and freedoms.
Make sure to define roles and responsibilities and have a clear data breach notification procedure, including who decides whether a breach must be reported and within what time.

Rights of Individuals: The new legislation gives customers more visibility and control over their personal data, with full respect for the following rights: the right to withdraw consent, the right of access, the right to data portability, the right to object to automated decision-making, including profiling, and the right not to be discriminated against.
Make sure to review your data collection and management processes and build these rights into every project from the start (privacy by design).

Transfer of personal data outside the DIFC: Under the DPL, companies are still allowed to transfer data across borders if the destination jurisdiction provides a level of data protection aligned with world-class data regulations.
Audit your partnerships, review all commercial agreements and employee contracts, and map how and where this data is processed.

Information destruction: With the DPL’s ‘right to be forgotten’, organisations should not keep personal information for any longer than necessary, and they must delete or remove the information at the data subject’s request.
Put processes in place to collect and retain only the personal information that is needed for operations and compliance, and to securely destroy it once that need has passed.

We can help protect your information and your business

To learn more about how Shred-it can protect your documents and hard drives and support you in your compliance journey please contact us to get a free quote and data security survey audit.