The DIFC has recently enacted a new Data Protection Law (DIFC Law No. 5 of 2020) (“New DP Law”), which came into force from 1st July 2020, replacing the Data Protection Law, DIFC Law No.1 of 2007.

The purpose of this law is to provide enhanced standards and controls for the processing and free movement of personal data by controllers or processors and to protect the fundamental rights of data subjects. This includes how such rights apply to the protection of personal data in emerging technologies.

The DP Law is also accompanied by a new Data Protection Regulation which set outs procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and a list of ‘adequate’ jurisdictions for cross-border transfers of personal data. 

Key Changes 

 Below we take a look at some of the key changes brought in by the DP Law. 

Key featuresDIFC Data Protection Law 2007DIFC Data Protection Law 2020
ScopeAny business registered in the DIFC The new DP Law, In addition to any business registered in the DIFC, also applies to any business which processes data within the DIFC as part of stable arrangements and those which process data on behalf of either of the two. 

Appointing a Data Protection Officer
Not required DIFC bodies and companies conducting High Risk Processing Activities will need to appoint a DPO. The definition of High Risk Processing Activities includes:
· Adoption of new or different technologies or methods that materially increase the risk to data subjects or renders it more difficult for data subjects to exercise their rights;
· Processing a large amount of personal data (including staff and contractor data) where such processing is likely to result in a high risk to the data subject;
· Systematic and extensive automated processing, including profiling, with significant effects; and
· Processing of special categories of personal data (i.e. sensitive data) on a large scale.
Principles of data protection · As per the 2007 Law, personal data should be:
· — Processed fairly and lawfully;
· — Processed securely; 
· — Collected for a specific purpose and adequate, relevant and not excessive for that purpose
· — Accurate; and
— Not retained for longer than is necessary for the purposes for which they were collected (storage limitation)
· The new law adds the accountability principle, and adds that personal data must be – 
· — In a transparent manner and — In accordance with the application of data subject rights.
Currently, there is no guidance on the meaning of “transparent manner”. However, under the old law, personal data had to be processed fairly, lawfully and securely. 

Data Processor Obligations
No obligation on ProcessorsThe new law adds the following Obligations on Data Processors.  any breach of the obligations may result in the Data Processors facing fines or judicial remedies for data subjects.
· — Binding written agreements between Controllers and Processors are now required, with prescribed term
· — Processors may not appoint sub processors without the written authorization of the Controller
· — Processors (and any sub-processors) must only act on the Controller’s documented instructions

Rights of Individuals as ‘data subjects have been strengthened, as there are now the following additional rights: 

  • to withdraw consent at any time. An absolute right available to a data subject if the basis for the processing of the personal data is consent; 
  • to access information on their personal data. There is a timeframe of one month to respond to data subject access requests at no charge. Complex requests can be extended by a maximum of two further months; 
  • to data portability, where processing of personal data is based on consent, the performance of a contract, or is carried out by automated means. The data subject has the right to receive a copy of their personal data in a structured, commonly used, machine-readable format that supports re-use; 
  • to object to automated decision making, including profiling, and the right not to be subject to decisions based solely on automated processing which significantly affects them; 
  • to non-discrimination. If an individual exercises any of their rights under the DP Law, controllers may not deny any goods or services; charge different prices or rates, including through the use of discounts or other benefits or imposing penalties; or provide a lesser quality of goods or level of services

Cross-border transfers:

The 2020 law allows for the ability to transfer personal data outside DIFC to a non-adequate country if appropriate safeguards are put in place, such as                                                                           

— A legal binding instrument between public authorities                                                                     

— Binding corporate rules                                                                                                                               

— Standard data protection clauses as adopted by the Commissioner.

Higher penalties for non-compliance:

The commissioner has the power to issue fines for contraventions of the DP Law which may be enforced through the courts if businesses fail to pay. In addition, a data subject may apply to the court for compensation if they suffer damage as a result of a breach of the DP Law.

The maximum fines that can be imposed has increased under the new DP Law.

For example, failure to:

  • notify the commissioner of an unauthorised data intrusion has increased from $5,000 to $50,000;
  • implement and maintain technical and organisational measures to protect personal data has increased from $10,000 to $50,000; and
  • maintain records of processing has increased from $5,000 to $25,000;

In addition, the new DP Law expands the range of offences for which fines can be issued. Fines of up to $100,000 can be imposed for failure to comply with the following:

  • data subject rights of access, rectification and erasure of personal data;
  • new requirements relating to data portability; and
  • the new right of a data subject to object to any decision based solely on automated processing, including profiling, which produces legal or other seriously impactful consequences.

Higher governance standards have been imposed, including the maintenance of a record of processing activities, as Controllers and Processors are required to demonstrate compliance with the DP Law. The commissioner has the power to inspect and audit businesses subject to the DP Law to verify compliance.

How can we help?

Businesses covered by the new law will need to conduct a review of their current data protection policies and procedures. We can help you assess the impact of the new DP Law on your business with services such as:

  1. Conduct a privacy impact assessment, prior to undertaking a High Risk Processing Activity
  2. Review and update existing Policies, Procedures and Contracts in line with the new DP Law
  3. Confirming whether a Data Protection Officer is needed and make such an appointment
  4. Conduct an audit of its Processing activities
  5. Cyber-security Risk assessment
  6. Ensure that it has the right procedures in place to (i) support Data Subjects’ rights; and (ii) detect, report, and investigate a Personal Data Breach within the prescribed timelines
  7. Conducting employee training on the new requirements.