Outsourced Data Protection Officer

Does your firm need to appoint a Data Protection Officer (“DPO”) or Data Protection Contact?

The data protection frameworks in the UAE continue to evolve at a rapid pace, contributing to the confidence and ease of firms and investors doing business in the UAE. The requirement for firms to appoint a Data Protection Officer (“DPO”) or data protection contact is a key feature of all data protection laws and regulations in the UAE.  Firms may be required by the law or regulation to appoint a DPO where they are conducting high-risk processing or high volumes of processing, especially where they rely on technology to process personal data or handle more sensitive personal data. Other firms have opted to appoint a DPO to instill trust with their customers and follow global best practices.

What are the options for appointing a DPO?

Your DPO can be a person within your local entity, your group DPO – even if they are not based in the UAE – or you can outsource the function. If you chose to outsource your DPO and you are based within the DIFC, your outsource resource must be based within the UAE. Whichever option you choose, the appointed DPO must be suitably knowledgeable and easily accessible in order to perform the role.

Why should you outsource your DPO to Waystone?

Firms are liable for extensive fines and reputation damage by failing to understand the intricacies of the relevant data protection rules, many of which have extra-territorial scope.

We have helped firms in the UAE and the UK to implement new data protection regulations and ensure their ongoing compliance. Our experienced consultants are equipped to guide you through the details of the data protection regulations and laws that apply to your firm, as well as the specific changes you will need to implement within your firm to ensure that you are compliant.

What is the scope of an outsourced Data Protection Officer?

As your DPO, your consultant will be responsible for monitoring your firm’s compliance with the data protection or privacy-related laws or regulations which apply to your firm, including the DIFC Data Protection Law 2020 (“DPL”) and the ADGM Data Protection Regulations 2021 (“DPR”), specifically:

• updating any policies relating to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
• informing and advising the firm and its employees who carry out processing of the obligations pursuant to the relevant data protection rules, including where the organisation is subject to overseas provisions with extra-territorial effect
• advising on the compliant resolution of data subject requests
• advising on the requirement for a data protection impact assessment including the completion or renewal of such assessments
• being the primary contact to the Commissioner or Data Protection Officer
• completing/advising on the completion of the annual Data Processing Assessment (applies to DIFC firms only)
• verifying the quality and validity of applicable procedures of the Controller and the related Processors
• receiving and acting upon any relevant findings, recommendations, guidance, directives, resolutions, sanctions, notices or other conclusions issued or made by the relevant Data Protection Officer or their representative Commissioners.

Contact us below to find out how our teams in the UAE are best placed to support your firm.