Data Protection Officer (“DPO”) solutions for your firm
In the ever-evolving landscape of data protection and privacy, firms face increasing challenges in safeguarding personal data. While not all firms are legally mandated to appoint a DPO, the voluntary decision to appoint can yield numerous benefits and reinforce a commitment to responsible data management.
Is the firm required by law to appoint a DPO?
Dubai International Financial Centre (“DIFC”) Data Protection Law No.5 of 2020 (“DPL”)
The DIFC requires a DPO to be appointed where a firm performs High Risk Processing Activities (as defined in the DPL) on a systematic or regular basis. The DIFC has published guidance on High Risk Processing Activities and DPO appointments, and has also created tools to assist firms with their decision-making, including the High Risk Processing Assessment Tool and the DPO Assessment Tool.
Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021 (“DPR”)
The ADGM requires a DPO to be appointed by firms whose core activities involve regular and systematic processing of personal data on a large scale, or which process special categories of personal data on a large scale. The ADGM has produced useful guidance; for DPO appointments, see section 5 of part 3 of that guidance. To support your decision, the ADGM has also produced a DPO Requirement Assessment Tool.
UAE Federal Decree-Law no.45 of 2021 on the Protection of Personal Data (“PDPL”)
The UAE PDPL specifies that firms must appoint a DPO where they are involved in processing which is likely to result in a high risk to the privacy and confidentiality of personal data because of the adoption of new technologies or due to the volume of data. A DPO must also be appointed where the processing involves a systematic and comprehensive evaluation of sensitive personal data, including profiling and automated processing, or where the processing involves sensitive personal data on a large scale. Further guidance may be released in due course, along with the implementing Regulations.
Who can perform the DPO role?
Controllers and processors may appoint someone internally within their firm or externally as an outsourced function; the appointed DPO may also be located outside the jurisdiction. Unlike the ADGM DPR and the UAE PDPL, the DIFC DPL requires an outsourced DPO to reside in the UAE.
Whichever option you choose, the appointed DPO must have suitable knowledge of the relevant Law and Regulations and be easily accessible in order to perform the role. The individual appointed should not perform another role that conflicts, or is likely to conflict, with their obligations as the DPO.
You must ensure that whoever you choose meets the competencies required by the supervisory authority and can undertake the role and its tasks effectively.
How does the firm benefit from appointing a DPO?
The core responsibilities of a DPO are multifaceted. They act as a central point of contact for data subjects seeking information or exercising their rights, such as the right to access or erasure of personal data. Additionally, DPOs play a crucial role in raising awareness about data protection within the organisation. This involves conducting staff training, developing internal policies and procedures, and ensuring data processing activities comply with the Law and Regulations.
Furthermore, DPOs are responsible for monitoring compliance with the applicable Law and Regulations, conducting data protection impact assessments (DPIAs) for high-risk processing activities, and cooperating with the supervisory authority during investigations. They also play a vital role in incident response, ensuring the organisation addresses data breaches and other security incidents effectively.
These officers act as data guardians, ensuring organisations operate with transparency and accountability when handling personal information.
Being able to communicate the presence of a DPO can also set your organisation apart from competitors, especially in industries such as ours, where privacy is a significant concern for consumers. There is also a reputational element, which is of importance to well-regarded firms.
Can the firm appoint a DPO voluntarily?
If you have determined that you are not required to appoint a DPO, you can still choose to appoint a DPO voluntarily to evidence good governance and to ensure you have expert resources to monitor and ensure compliance with the law.
If you choose not to appoint a DPO, you will still need to designate an individual internally to act as the point of contact for the Commissioner of Data Protection and to ensure compliance with the law.
It is important to know that enforcement action can be taken if you fail to appoint a DPO where required by law; for example, in the DIFC you can expect a fine of up to $50,000 for such a breach. The ADGM does not set a fixed fine for this breach; however, fines cannot exceed $28,000,000.
Why choose an outsourced DPO from Waystone Compliance Solutions?
Our team of experienced DPOs offers specialist regional expertise, ensuring you stay compliant with the latest data protection regulations. We have supported clients in the ADGM, the DIFC and onshore UAE with their data protection requirements, including implementing complex, multi-jurisdictional data protection frameworks, advising on cross-border transfers, incorporating data protection principles, and drafting suitable documentation under the relevant data protection laws and regulations.
We understand that for some firms an internal DPO may be the preferred choice, so we offer a range of options to empower your team, including educating and training your in-house Data Protection Officer on the regulatory requirements or providing them with ongoing specialist support.
If you have any questions or would like to sign up to receive our communications, please contact Kate Brookstein, Head of Data Protection UAE, directly or reach us via the form below.