Data Protection Officer (“DPO”) solutions for your firm

      Many firms in the United Arab Emirates (“UAE”) are still considering whether a Data Protection Officer (“DPO”) appointment is necessary. While there are variations in local data protection laws and regulations regarding the necessity for a DPO, it is universally recognised that appointing one, whether out of obligation or choice, can significantly lower the risks associated with non-compliance with legal and regulatory standards.

      In the ever-evolving landscape of data protection and privacy, firms face increasing challenges in safeguarding personal data. While not all firms are legally mandated to appoint a DPO, the voluntary decision to appoint can yield numerous benefits and reinforce a commitment to responsible data management.

      Is the firm required by law to appoint a DPO?

      • Dubai International Financial Centre (“DIFC”) Data Protection Law No.5 of 2020 (“DPL”)

      The DIFC requires for a DPO to be appointed where firms are performing High-Risk Processing Activities (as per the DIFC DPL definition) on a systematic or regular basis. The DIFC has published guidance on High Risk Processing Activities and DPO Appointments which can be found via this link. The DIFC has also created helpful tools to assist firms with their decision-making, the High Risk Processing Assessment Tool can be found here and the DPO Assessment Tool can be found here.

      • Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021 (“DPR”)

      The ADGM requires for a DPO to be appointed for firms whose core activities involve regular and systematic processing of personal data on a large scale, or if the firm is processing special categories of personal data on a large scale. The ADGM has produced useful guidance, for DPO appointments see section 5 of part 3 of the guidance here. To support you in making the decision, the ADGM has produced a DPO Requirement Assessment Tool, available here.

      • UAE Federal Decree-Law no.45 of 2021 on the Protection of Personal Data (“PDPL”)

      The UAE PDPL specifies that firms must appoint a DPO where they are involved in processing which is likely to result in a high risk to the privacy and confidentiality of personal data because of the adoption of new technologies or due to the volume of Data. A DPO must also be appointed for firms where the processing involves a systematic and comprehensive evaluation of sensitive personal data, including profiling and automated processing, or where the processing involves a large scale of sensitive personal data. Further guidance may be released in due course, along with the implementing Regulations.

      Who can perform the DPO role?

      Controllers and processors may choose to appoint someone internally within their firm or externally as an outsourced function, the appointed DPO can also be outside of the jurisdiction. Unlike the ADGM DPR and UAE PDPL, the DIFC DPL requires an outsourced DPO to reside in the UAE.

      Whichever option you choose, the appointed DPO must be suitably knowledgeable of the relevant Law and Regulations and easily accessible, to be able to perform the role. The individual appointed should not perform another role that conflicts or is likely to conflict with their obligations as the DPO.

      You must ensure that whoever you choose meets the competencies required by the supervisory authority and can undertake the role and tasks effectively..

      How does the firm benefit from appointing a DPO?

      The core responsibilities of a DPO are multifaceted. They act as a central point of contact for data subjects seeking information or exercising their rights, such as the right to access or erasure of personal data. Additionally, DPOs play a crucial role in raising awareness about data protection within the organisation. This involves conducting staff training, developing internal policies and procedures, and ensuring data processing activities comply with the Law and Regulations.

      Furthermore, DPOs are responsible for monitoring compliance with the DPL, conducting data protection impact assessments (DPIAs) for high-risk processing activities, and cooperating with the supervisory authority during investigations. They also play a vital role in incident response, ensuring the organisation addresses data breaches and other security incidents effectively.

      These officers act as data guardians, ensuring organisations operate with transparency and accountability when handling personal information.

      Let’s not overlook the fact that being able to communicate the presence of a DPO can set your organisation apart from competitors, especially in industries such as the one we are in, where privacy is a significant concern for consumers. There is also the reputational element which is of importance to well-regarded firms.

      Can the firm appoint a DPO voluntarily?

      If you have determined that you are not required to appoint a DPO, you can still choose to appoint a DPO voluntarily to evidence good governance and to ensure you have expert resources to monitor and ensure compliance with the law.

      If you choose not to appoint a DPO you will need to appoint an individual internally to act as the point of contact for the data protection Commissioner and ensure compliance with the law.

      It is important to know that enforcement action can be taken if you fail to appoint a DPO where required by Law, for example in the DIFC you can expect to be fined up to $50,000 for such a breach. The fines in the ADGM are undetermined, however, they cannot exceed $28,000,000.

      Why choose an outsourced DPO from Waystone Compliance Solutions?

      Our team of experienced DPOs offers specialist regional expertise, ensuring you stay compliant with the latest data protection regulations. We have support clients in the ADGM, DIFC, and the UAE onshore with their data protection requirements, including implementing complex, multi-jurisdictional data protection frameworks, advising on cross-border transfers, incorporating data protection principles, and drafting suitable documentation per the relevant data protection regulations and laws.

      We understand that for some firms an internal DPO may be the preferred choice, we offer a range of options to empower your team, including educating and training your in-house Data Protection Officer on the regulatory requirements or providing them with ongoing specialist support.

      If you have any questions or would like to sign-up to receive our communications, please contact Kate Brookstein, Head of Data Protection UAE directly or reach us via the below.

      Contact us

      Previous post Next post

      More like this

      Regulatory Compliance Updates May 2024 – ME Region

      This edition includes - ADGM Issues Dear SEO Letter, Amendments to Financial Markets Tribunal’s Rules of Procedure and ADGM Commissioner…
      Read more

      How Complaint Handling Can Benefit Your Firm

      Regulated firms can leverage complaint handling as a powerful tool. By addressing client concerns promptly and fairly, they not only…
      Read more

      Regulatory Update: Middle East Edition – April 2024

      This edition includes – DFSA issues Dear Seo Letter on Fixed Penalty Notice, FSRA Issues Dear Seo Letter, ADGM Wins…
      Read more

      Regulatory Update: Middle East Edition – March 2024

      This edition includes – DFSA issues Consultation Paper on DFSA Fees, ADGM Reflects on 2023 Successes, DFSA Issues SEO Letter…
      Read more

      Data protection regimes: KSA, ADGM, DIFC and onshore UAE – a comparison

      A key consideration for United Arab Emirates (“UAE”) firms with a presence in the Kingdom of Saudi Arabia (“KSA”), is…
      Read more

      Regulatory Update: Middle East Edition – February 2024

      This edition includes – DIFC Celebrates 20th Anniversary with Finance Events, ADGM Fines 6 Firms for Breaching CRS Regulations, DFSA…
      Read more