December 10, 2020
Though the DIFC Data Protection Law (DPL) went into effect in October 2020, many organisations still need to improve various processes in order to comply. Due to the COVID-19 pandemic, the DIFC Authority announced a grace period of three months in which to comply with the Data Protection Law.
The DPL impacts any company or individual anywhere in the world that collects and processes personal information of DIFC companies.
In addition to any business registered in the DIFC, the 2020 Law applies to:
Any business which processes personal data within the DIFC as part of stable arrangements
Any business which processes data on behalf of either of the above
Following on from the Veritas Middle East Databerg Report launched last year, the new findings revealed that 75% of the data stored by the surveyed organisations in the UAE is dark and ROT, 33% being dark and 42% being ROT. Although this is a significant drop from last year’s 88%, ROT data still increased by 1%, rising to 42% of an organisation’s stored data.
The Commissioner has the ability to issue administrative fines to parties who violate the law or fail to comply with a direction issued by the Commissioner. Both Controllers and Processors may be subject to fines of up to USD 100,000 and may be found liable by the DIFC Courts to pay compensation directly to data subjects (in addition to the fine from the Commissioner).
Up-to-date information security policy. Authorities have the right to ask to review privacy policies and procedures. These policies should include comprehensive document management processes that show the different categories of data as well as a retention and secure destruction schedule.
Staff training. Employees in all departments should be receiving on-going training about DPL.
Consent process for personal information. Organizations must be able to show documented permission to gather personal information, including the source of the consent. ‘Opt in’ permissions must be clear, because a failure to opt out will not be sufficient. It must also be as easy to withdraw consent as it is to give it.
Access. A big part of the DPL gives consumers easier access to the data collected about them. The data management system should be able to quickly identify and document this information.
Information destruction. The ‘right to be forgotten’ means organizations can’t keep personal information for any longer than necessary and must delete or remove the information if the owner requests it. Partner with a document destruction company for secure physical and digital document destruction. After every shred service, the company should issue a Certificate of Destruction, which can be used to prove compliance.
Cross-border transfers. The 2020 Law allows personal data to be transferred outside the DIFC to a non-adequate country if appropriate safeguards are put in place. Where the destination country falls under the ‘adequate jurisdiction’ list, personal data can be transferred outside the DIFC without permission from the Commissioner.
Breach notification. Controllers will have to notify the DIFC Commissioner of Data Protection (Commissioner) if a data breach compromises any data subject's confidentiality, security or privacy. If the risk to the data subject is high, the data subject must also be informed.

In summary, data protection should be fundamental to all operations and business processes. Implement a Clean Desk Policy so that all information is put away and locked up securely when employees are away from their desks. Introduce a Shred-it All Policy so that all documents are securely destroyed when no longer needed.