By Eimhéar O’Kane, Associate
As of Thursday 1st October 2020, all entities to whom DIFC Law No.5/2020 on Data Protection (the “DP Law”) applies must ensure they are compliant with the changes introduced therein & be able to demonstrate this compliance.
The DP Law applies to “the processing of Personal Data by a Controller or Processor incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC or not”. It is important to note that the DP Law also applies to “a Controller or Processor, regardless of its place of incorporation [emphasis added], that Processes Personal Data in the DIFC as part of stable arrangements”.
The DP Law (and its supporting regulations) updates the DIFC’s previous data protection law and demonstrates a move towards implementation of more internationally recognised standards.
Similar to the EU General Data Protection Regulation, the DP Law is based on the principles of fairness & transparency, legitimate & lawful processing, accountability, accuracy, integrity and confidentiality.
The DP Law sets out detailed regulations in relation to a wide range of matters, including (but not limited to):
· Registration of data controllers;
· Rights of data subjects;
· Transfer of data outside of DIFC; and
· Duty to report data breaches.
Companies that process personal data in the DIFC must notify the appointed commissioner of this. The commissioner shall maintain a register of data processors & controllers for the purposes of supervision & regulation.
For ease of reference, “Processing” of Personal Data includes (but is not limited to) collection, recording, organisation, structuring, storage, consultation, use, disclosure, transfer, or destruction of data for a commercial purpose.
Data subjects are granted comprehensive rights under the DP Law; these include the right of access to their data, the right to be forgotten (i.e. the erasing of their data), the right to object to the processing of their personal data and the right to withdraw consent. As part of the steps to compliance, companies will need to ensure sufficient policies are implemented to raise awareness of these rights and to ensure they are adequately protected.
Similarly, companies (and the individuals employed therein) should be fully aware of their obligations to report a data breach and the conditions for doing so, including doing so “as soon as reasonably practicable”. Comprehensive guidance has been published by the DIFC to assist with a better understanding of this.
Sanctions for non-compliance with the DP Law can be substantial, with maximum fines ranging from US$ 20,000 to US$ 100,000 depending on the breach. In addition to this, compensation may be awarded to a data subject when damage has occurred because of a breach.
As an immediate step, entities should establish whether the law applies to them, carry out an investigation into what data they collect and how they collect it, and decide what steps they need to take to comply with the DP Law as a matter of urgency.