DIFC Data Protection Law
The DIFC Data Protection Law (“DPL”) is an internationally recognised privacy law requiring organisations to have a comprehensive data protection framework.
The objective of the DPL is to protect personal data, whilst allowing individuals to exercise their rights over their data. The requirements are extensive and the balance between the individual’s rights and the businesses needs can often be complex. The DPL requires the principles of data protection to be built into the fabric of the organisation, therefore maintaining compliance on an ongoing basis.
Failure to act or implement suitable measures may be punishable by the DIFC Data Protection Commissioner with fines of up to $100,000 per breach.
The DIFC Data Protection Commissioner also reserves the right to impose an additional unspecified fine for severe failures.
Data Protection Officer (“DPO”) or Data Protection Contact
All organisations are required to register an individual as a contact with the DIFC Data Protection Commissioner and some may be required, under the legislation, to formally appoint a DPO to ensure compliance with its legal responsibilities.
Data Processing Map
One of the key requirements of the DPL is to create a suitable data processing map, also known as a Record of Processing Activity (“ROPA”). All organisations are expected to consider the nature of the data collected, how it is processed, where it is held, as well as whether it has been transferred to a jurisdiction outside of the DIFC. This document will work as an inventory of data held by the firm as well as a processing flow map, the latter being an invaluable tool should you receive a request from an individual to exercise their extensive rights. Without a data processing map, organisations may find it difficult to comply with the DPL .
Our team of consultants can provide you with support in the following ways:
Implementation Project – 20 hours
We can conduct a health check of your data protection operations and a create a bespoke project plan with the option to assist with remediation work.
We will assess your current framework against the DPL requirements and provide you with a comprehensive report. Once the report is complete, we will create a tailored implementation project plan that will focus on key policy and procedure requirements as well as considerations for each of the business functions including IT, legal, compliance and training. We will offer advice on best practice and will be available to answer any questions that you may have during your implementation. If you require further assistance following this process, we can provide remediation support on a project or hourly rate basis.
Providing ongoing support: Outsourced Data Protection Officer – monthly retainer
On completion of the project plan or following your internal implementation of the DPL, you can engage our experienced consultants to act as your Data Protection Officer on an outsourced basis and be registered with the DIFC Data Protection Commissioner. You will be allocated up to 8 hours of support per month, with any hours provided above this charged at our standard hourly rate. Your consultant will oversee your processing activities, ensuring compliance with the DPL, as well as conducting biannual health checks including policy updates, where required. Your consultant can provide advice and support with Data Subject Access Requests where they occur.
If you suspect that there may be a gap in your data protection framework, it is important to act immediately. If you require guidance or support with implementing the DIFC Data Protection Law, please contact us.
DIFC DPR – is your firm prepared?
Understanding the DIFC’s Data Protection Regulations 2021.
DIFC Data Protection Law checklist
High-level checklist to implement the DIFC Data Protection Law (“DPL”).
UAE Data Protection Comparison
Our comparison document helps to simplify each UAE Regime & provides a comparison to assist in developing a suitable personal data protection framework.