Update – New Data Protection Law, DIFC Law No.5 of 2020

Mohammed Al DahbashiManaging Partner, ADG Legal

The new Data Protection Law, DIFC Law No.5 of 2020 (“DP Law”), came into force on 1 July 2020, replacing the Data Protection Law, DIFC Law No.1 of 2007. 

The DP Law will bring the DIFC closer in line with international models which have been adopted in Europe and the US, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act. It also aims to strengthen the DIFC’s reputation for data protection, which may pave the way for future recognition by foreign states as an ‘adequate’ jurisdiction. 

The DP Law is also accompanied by a new Data Protection Regulation which set outs procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and a list of ‘adequate’ jurisdictions for cross-border transfers of personal data. 

The DP Law will begin to be enforced from 1 October 2020, providing several months for businesses subject to the law to review and amend their existing data protection polices, processes and contracts, in order to be compliant from the outset. 

Key Changes 

Below we take a look at some of the key changes brought in by the DP Law. 

Application:

  • Whereas the old law only applied to businesses registered in the DIFC, the new DP Law also applies to any business which processes data within the DIFC as part of stable arrangements and those which process data on behalf of either of the two. 

Higher penalties for non-compliance:

  • Failure to notify the commissioner of an unauthorised data intrusion – an increase from $5,000 to $50,000;
  • Failure to implement and maintain technical and organisational measures to protect personal data – an increase from $10,000 to $50,000;
  • Failure to maintain records of processing – an increase from $5,000 to $25,000. 

Wider range of offences (with fines up to $100,000) including:

  • Failure to comply with data subject rights of access, rectification and erasure of personal data;
  • Failure to comply with new requirements relating to data portability; and
  • Failure to comply with the new right of a data subject to object to any decision based solely on automated processing, including profiling, which produces legal or other seriously impactful consequences. 

Higher governance standards have been imposed, including the maintenance of a record of processing activities, as Controllers and Processors are required to demonstrate compliance with the DP Law. 

Data Protection Officers (DPO): DIFC bodies and companies conducting High Risk Processing Activities will need to appoint a DPO. The definition of High Risk Processing Activities includes:

  • Adoption of new or different technologies or methods that materially increase the risk to data subjects or renders it more difficult for data subjects to exercise their rights;
  • Processing a large amount of personal data (including staff and contractor data) where such processing is likely to result in a high risk to the data subject;
  • Systematic and extensive automated processing, including profiling, with significant effects; and
  • Processing of special categories of personal data (i.e. sensitive data) on a large scale.

Data Protection Impact Assessments: controllers will be required to conduct data protection impact assessments before undertaking any new High Risk Processing Activity. 

Data Protection Principles: there is a requirement to process personal data in a transparent manner and in accordance with the application of data subject rights. Currently, there is no guidance on the meaning of “transparent manner”. However, under the old law, personal data had to be processed fairly, lawfully and securely. 

Rights of Individuals as ‘data subjects’ have been strengthened, as there are now the following additional rights: 

  • to withdraw consent at any time. An absolute right available to a data subject if the basis for the processing of the personal data is consent; 
  • to access information on their personal data. There is a timeframe of one month to respond to data subject access requests at no charge. Complex requests can be extended by a maximum of two further months
  • to data portability, where processing of personal data is based on consent, the performance of a contract, or is carried out by automated means. The data subject has the right to receive a copy of their personal data in a structured, commonly used, machine-readable format that supports re-use; 
  • to object to automated decision making, including profiling, and the right not to be subject to decisions based solely on automated processing which significantly affects them; 
  • to non-discrimination. If an individual exercises any of their rights under the DP Law, controllers may not deny any goods or services; charge different prices or rates, including through the use of discounts or other benefits or imposing penalties; or provide a lesser quality of goods or level of services

Cross-border transfers: the new law mirrors the GDPR. Personal data can be transferred outside of the DIFC without permission from the Commissioner if a country falls under the ‘adequate jurisdiction’ list. Otherwise, it is permitted to transfer the data, so long as appropriate safeguards are in place (e.g. by adopting standard data protection clauses approved by the Commissioner, by legally binding instruments between public authorities, and through (approved) binding corporate rules within the same group of companies).

How to prepare your business for compliance 

Businesses covered by the new law will need to conduct a review of their current data protection policies and procedures. This should focus on, at least: 

  • Mapping the type of data the business is and expects to be processing;
  • Reviewing whether the data being collected is for a legitimate reason;
  • Confirming whether a Data Protection Officer is needed and make such an appointment;
  • Ensuring any outsourcing of processing is subject to contractual obligations to comply with the DP Law, in the form set out in the DP Law;
  • Establishing a procedure for notifications to the Commissioner and responses to data subjects, in accordance with the new time limitations;
  • Conducting employee training on the new requirements.

Should you require any assistance in adapting to the DP Law, please contact Josh Kemp at [email protected].


Links