The ADGM Data Protection Regulations Amendment 2022 – What you need to know
The core changes include:
- updating references from the data protection commissioner to the data protection office
- the repeal of Article 24, which excluded firms with fewer than five employees that do not conduct “high-risk processing” from registering with the data protection office and paying the annual data protection fee
- the repeal of Article 35, which excluded the obligation to have a Data Protection Officer (“DPO”) where the firm is not considered a “high-risk processor” and has fewer than five employees.
The Amendment could substantially affect the obligations of smaller firms, branches, and subsidiaries.
What do I need to do now?
Check that you are registered with the Data Protection Office
Firms with fewer than five employees that have not registered with the Data Protection Office will now be obligated to register their processing intentions using a data protection notification and renew the firm’s intentions annually. The firm must keep its notification up to date using the ADGM portal and pay an annual personal data processing fee.
Appoint a DPO if required
Firms with fewer than five employees, irrespective of whether they are acting on their authority as a controller of personal data or are instructed to process personal data, must appoint a DPO if they:
- process data as a public authority
- have core activities that, by virtue of their nature, scope and purposes, require regular and systematic monitoring of individuals on a large scale
- have core activities that consist of processing on a large scale of Special Categories of Data.
Special Categories of Personal Data are defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data to identify a natural person uniquely, data concerning health, or data concerning a natural person’s sex life or sexual orientation, or personal data relating to criminal convictions and offenses or related security measures.
Update your data protection policy
The restriction on the right to erasure provided by Article 15(3)(a)(i) has been amended, and the change will need to be reflected in your data protection policy. The article now provides a legal exemption from complying with an erasure request where the requested information is necessary for the Controller to comply with their legal obligations for the performance of a task carried out by a public authority in the interests of the ADGM Board. This restricts the exclusion from the previous revision, which read as any interest of the ADGM.
Should I be concerned?
The Amendments have been released to modify the data privacy practices in the ADGM to align with international best practices. Penalties for failing to comply with the Regulations are capped at US$28M, and firms may be subject to random compliance inspections.
What can we do to help?
Waystone Compliance Solutions has assisted over 100 firms with their compliance with various UAE data protection laws and can provide guidance, implementation support and experienced outsourced data protection officers to help you meet your compliance obligations. We can also support your global data protection needs by giving you the assistance required to navigate the global data protection landscape with confidence.